CERTFR-2026-AVI-0547
Vulnerability from certfr_avis - Published: 2026-05-07 - Updated: 2026-05-07
Multiple vulnerabilities have been discovered in the Debian LTS Linux kernel. Some of them allow an attacker to cause privilege escalation, a breach of data confidentiality, and denial of service.
Solutions
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian 11 bullseye versions ant\u00e9rieures \u00e0 6.1.170-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
},
{
"description": "Debian 11 bullseye versions ant\u00e9rieures \u00e0 5.10.251-3",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31483"
},
{
"name": "CVE-2026-31409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31409"
},
{
"name": "CVE-2026-31522",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31522"
},
{
"name": "CVE-2026-31770",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31770"
},
{
"name": "CVE-2026-31658",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31658"
},
{
"name": "CVE-2025-21682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21682"
},
{
"name": "CVE-2026-31756",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31756"
},
{
"name": "CVE-2026-31467",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31467"
},
{
"name": "CVE-2026-23318",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23318"
},
{
"name": "CVE-2026-23368",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23368"
},
{
"name": "CVE-2026-31485",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31485"
},
{
"name": "CVE-2026-23475",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23475"
},
{
"name": "CVE-2026-31754",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31754"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2026-23426",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23426"
},
{
"name": "CVE-2026-31758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31758"
},
{
"name": "CVE-2025-71265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71265"
},
{
"name": "CVE-2026-23450",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23450"
},
{
"name": "CVE-2026-23281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23281"
},
{
"name": "CVE-2025-71221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71221"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-31656",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31656"
},
{
"name": "CVE-2025-39764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39764"
},
{
"name": "CVE-2026-31453",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31453"
},
{
"name": "CVE-2026-23438",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23438"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2026-23463",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23463"
},
{
"name": "CVE-2026-23227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23227"
},
{
"name": "CVE-2026-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23454"
},
{
"name": "CVE-2026-31405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31405"
},
{
"name": "CVE-2026-43054",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43054"
},
{
"name": "CVE-2026-31664",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31664"
},
{
"name": "CVE-2026-31473",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31473"
},
{
"name": "CVE-2026-31448",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31448"
},
{
"name": "CVE-2026-31550",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31550"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-31549",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31549"
},
{
"name": "CVE-2026-31752",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31752"
},
{
"name": "CVE-2025-40016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40016"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2025-38626",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38626"
},
{
"name": "CVE-2026-23303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23303"
},
{
"name": "CVE-2026-43011",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43011"
},
{
"name": "CVE-2026-31396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31396"
},
{
"name": "CVE-2026-31680",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31680"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-43046",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43046"
},
{
"name": "CVE-2026-31738",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31738"
},
{
"name": "CVE-2025-40005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40005"
},
{
"name": "CVE-2026-31751",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31751"
},
{
"name": "CVE-2026-23439",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23439"
},
{
"name": "CVE-2026-23253",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23253"
},
{
"name": "CVE-2026-43025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43025"
},
{
"name": "CVE-2026-31721",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31721"
},
{
"name": "CVE-2026-23271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23271"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2026-23434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23434"
},
{
"name": "CVE-2026-43018",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43018"
},
{
"name": "CVE-2026-43014",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43014"
},
{
"name": "CVE-2026-31447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31447"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2026-43028",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43028"
},
{
"name": "CVE-2026-23422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23422"
},
{
"name": "CVE-2026-31548",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31548"
},
{
"name": "CVE-2026-23304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23304"
},
{
"name": "CVE-2026-31683",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31683"
},
{
"name": "CVE-2026-23357",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23357"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2025-38105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38105"
},
{
"name": "CVE-2026-31524",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31524"
},
{
"name": "CVE-2026-31668",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31668"
},
{
"name": "CVE-2026-31478",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31478"
},
{
"name": "CVE-2026-31546",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31546"
},
{
"name": "CVE-2025-38436",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38436"
},
{
"name": "CVE-2026-23324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23324"
},
{
"name": "CVE-2024-50298",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50298"
},
{
"name": "CVE-2026-23317",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23317"
},
{
"name": "CVE-2026-43047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43047"
},
{
"name": "CVE-2026-31389",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31389"
},
{
"name": "CVE-2026-31786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31786"
},
{
"name": "CVE-2026-31545",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31545"
},
{
"name": "CVE-2026-23456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23456"
},
{
"name": "CVE-2026-43033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
},
{
"name": "CVE-2026-43023",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43023"
},
{
"name": "CVE-2026-23287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23287"
},
{
"name": "CVE-2026-31510",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31510"
},
{
"name": "CVE-2026-23457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23457"
},
{
"name": "CVE-2026-31496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31496"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2026-31659",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31659"
},
{
"name": "CVE-2026-23401",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23401"
},
{
"name": "CVE-2026-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43057"
},
{
"name": "CVE-2026-43030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43030"
},
{
"name": "CVE-2025-38250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38250"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-31415",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31415"
},
{
"name": "CVE-2024-47809",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47809"
},
{
"name": "CVE-2026-23204",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
},
{
"name": "CVE-2026-23462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23462"
},
{
"name": "CVE-2026-31563",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31563"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2026-23372",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23372"
},
{
"name": "CVE-2026-31689",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31689"
},
{
"name": "CVE-2026-23319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23319"
},
{
"name": "CVE-2024-56719",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56719"
},
{
"name": "CVE-2026-31566",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31566"
},
{
"name": "CVE-2026-31494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31494"
},
{
"name": "CVE-2026-31565",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31565"
},
{
"name": "CVE-2026-23270",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23270"
},
{
"name": "CVE-2026-31763",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31763"
},
{
"name": "CVE-2026-23279",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23279"
},
{
"name": "CVE-2026-31670",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31670"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2026-23286",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23286"
},
{
"name": "CVE-2026-23359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23359"
},
{
"name": "CVE-2026-31533",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
},
{
"name": "CVE-2026-23298",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23298"
},
{
"name": "CVE-2026-31469",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31469"
},
{
"name": "CVE-2026-31498",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31498"
},
{
"name": "CVE-2026-31520",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31520"
},
{
"name": "CVE-2026-31418",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31418"
},
{
"name": "CVE-2026-23296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23296"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-31555",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31555"
},
{
"name": "CVE-2026-31392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31392"
},
{
"name": "CVE-2026-31515",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31515"
},
{
"name": "CVE-2026-31661",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31661"
},
{
"name": "CVE-2026-31737",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31737"
},
{
"name": "CVE-2026-43017",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43017"
},
{
"name": "CVE-2025-71267",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71267"
},
{
"name": "CVE-2026-43043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43043"
},
{
"name": "CVE-2025-37945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37945"
},
{
"name": "CVE-2026-23396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23396"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-43051",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43051"
},
{
"name": "CVE-2026-31759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31759"
},
{
"name": "CVE-2026-23370",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23370"
},
{
"name": "CVE-2025-38303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38303"
},
{
"name": "CVE-2026-23414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23414"
},
{
"name": "CVE-2026-31781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31781"
},
{
"name": "CVE-2026-23315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23315"
},
{
"name": "CVE-2026-31523",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31523"
},
{
"name": "CVE-2026-31669",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
},
{
"name": "CVE-2026-31450",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31450"
},
{
"name": "CVE-2026-31671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
},
{
"name": "CVE-2026-31749",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31749"
},
{
"name": "CVE-2026-43024",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43024"
},
{
"name": "CVE-2026-23352",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23352"
},
{
"name": "CVE-2026-31720",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31720"
},
{
"name": "CVE-2026-31748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31748"
},
{
"name": "CVE-2026-23367",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23367"
},
{
"name": "CVE-2026-31628",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31628"
},
{
"name": "CVE-2026-31662",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31662"
},
{
"name": "CVE-2025-71067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71067"
},
{
"name": "CVE-2026-31768",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31768"
},
{
"name": "CVE-2026-43026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43026"
},
{
"name": "CVE-2026-31480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31480"
},
{
"name": "CVE-2026-23446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23446"
},
{
"name": "CVE-2026-43035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43035"
},
{
"name": "CVE-2025-71269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71269"
},
{
"name": "CVE-2026-31665",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31665"
},
{
"name": "CVE-2025-40358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40358"
},
{
"name": "CVE-2026-23300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23300"
},
{
"name": "CVE-2026-31391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31391"
},
{
"name": "CVE-2026-31672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31672"
},
{
"name": "CVE-2026-31780",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31780"
},
{
"name": "CVE-2026-23243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23243"
},
{
"name": "CVE-2023-53510",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53510"
},
{
"name": "CVE-2026-31521",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31521"
},
{
"name": "CVE-2026-31634",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31634"
},
{
"name": "CVE-2024-47736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47736"
},
{
"name": "CVE-2026-31412",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31412"
},
{
"name": "CVE-2026-43032",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43032"
},
{
"name": "CVE-2026-23362",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23362"
},
{
"name": "CVE-2026-23379",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23379"
},
{
"name": "CVE-2026-31421",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31421"
},
{
"name": "CVE-2023-53545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53545"
},
{
"name": "CVE-2026-23381",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23381"
},
{
"name": "CVE-2026-31518",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31518"
},
{
"name": "CVE-2026-31660",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31660"
},
{
"name": "CVE-2026-23392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23392"
},
{
"name": "CVE-2026-23245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23245"
},
{
"name": "CVE-2026-31728",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31728"
},
{
"name": "CVE-2024-49998",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49998"
},
{
"name": "CVE-2026-31403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31403"
},
{
"name": "CVE-2026-31400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31400"
},
{
"name": "CVE-2026-31512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31512"
},
{
"name": "CVE-2026-31726",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31726"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2026-31773",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31773"
},
{
"name": "CVE-2026-23364",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23364"
},
{
"name": "CVE-2026-23242",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23242"
},
{
"name": "CVE-2026-43015",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43015"
},
{
"name": "CVE-2026-31509",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31509"
},
{
"name": "CVE-2026-31679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31679"
},
{
"name": "CVE-2025-40135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40135"
},
{
"name": "CVE-2026-31779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31779"
},
{
"name": "CVE-2026-23428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23428"
},
{
"name": "CVE-2026-23274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23274"
},
{
"name": "CVE-2025-38192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38192"
},
{
"name": "CVE-2026-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43020"
},
{
"name": "CVE-2026-31417",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31417"
},
{
"name": "CVE-2026-43041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43041"
},
{
"name": "CVE-2026-31761",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31761"
},
{
"name": "CVE-2026-31466",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31466"
},
{
"name": "CVE-2026-31414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31414"
},
{
"name": "CVE-2026-31778",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31778"
},
{
"name": "CVE-2025-38704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38704"
},
{
"name": "CVE-2026-31426",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31426"
},
{
"name": "CVE-2025-21676",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21676"
},
{
"name": "CVE-2026-43040",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43040"
},
{
"name": "CVE-2026-31552",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31552"
},
{
"name": "CVE-2026-23284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23284"
},
{
"name": "CVE-2026-23397",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23397"
},
{
"name": "CVE-2026-23452",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23452"
},
{
"name": "CVE-2026-23474",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23474"
},
{
"name": "CVE-2026-31434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31434"
},
{
"name": "CVE-2026-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23343"
},
{
"name": "CVE-2026-23336",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23336"
},
{
"name": "CVE-2026-31497",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31497"
},
{
"name": "CVE-2026-31682",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31682"
},
{
"name": "CVE-2026-31570",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31570"
},
{
"name": "CVE-2026-23289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23289"
},
{
"name": "CVE-2026-31755",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31755"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2026-23141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23141"
},
{
"name": "CVE-2026-23277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23277"
},
{
"name": "CVE-2026-31399",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31399"
},
{
"name": "CVE-2026-31441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31441"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2026-23335",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23335"
},
{
"name": "CVE-2026-31551",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31551"
},
{
"name": "CVE-2026-31495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31495"
},
{
"name": "CVE-2026-31507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31507"
},
{
"name": "CVE-2026-31762",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31762"
},
{
"name": "CVE-2026-31788",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31788"
},
{
"name": "CVE-2026-31411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31411"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-23420",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23420"
},
{
"name": "CVE-2026-23388",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23388"
},
{
"name": "CVE-2025-39748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39748"
},
{
"name": "CVE-2026-23449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23449"
},
{
"name": "CVE-2025-39863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39863"
},
{
"name": "CVE-2025-71266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71266"
},
{
"name": "CVE-2026-31492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31492"
},
{
"name": "CVE-2026-43037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43037"
},
{
"name": "CVE-2026-31476",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31476"
},
{
"name": "CVE-2026-23458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23458"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31674",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31674"
},
{
"name": "CVE-2026-31393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31393"
},
{
"name": "CVE-2026-43027",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43027"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2026-23339",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23339"
},
{
"name": "CVE-2026-31433",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31433"
},
{
"name": "CVE-2026-31776",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31776"
},
{
"name": "CVE-2026-23321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23321"
},
{
"name": "CVE-2026-23460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23460"
},
{
"name": "CVE-2026-31678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31678"
},
{
"name": "CVE-2025-71161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71161"
},
{
"name": "CVE-2026-31540",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31540"
},
{
"name": "CVE-2026-23395",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23395"
},
{
"name": "CVE-2026-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31651"
},
{
"name": "CVE-2023-53228",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53228"
},
{
"name": "CVE-2026-23100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23100"
},
{
"name": "CVE-2026-31503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31503"
},
{
"name": "CVE-2026-31657",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31657"
},
{
"name": "CVE-2026-31747",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31747"
},
{
"name": "CVE-2026-31455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31455"
},
{
"name": "CVE-2026-23306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23306"
},
{
"name": "CVE-2026-23378",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23378"
},
{
"name": "CVE-2026-31519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31519"
},
{
"name": "CVE-2026-23291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23291"
},
{
"name": "CVE-2025-68239",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68239"
},
{
"name": "CVE-2026-23382",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23382"
},
{
"name": "CVE-2026-31446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31446"
},
{
"name": "CVE-2026-23113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23113"
},
{
"name": "CVE-2026-23157",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23157"
},
{
"name": "CVE-2026-31464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31464"
},
{
"name": "CVE-2026-31695",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31695"
},
{
"name": "CVE-2025-37980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37980"
},
{
"name": "CVE-2026-23231",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23231"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-31508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31508"
},
{
"name": "CVE-2026-23365",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23365"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
},
{
"name": "CVE-2026-23356",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23356"
},
{
"name": "CVE-2026-23307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23307"
},
{
"name": "CVE-2025-38162",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38162"
},
{
"name": "CVE-2026-31477",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31477"
},
{
"name": "CVE-2026-43038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43038"
},
{
"name": "CVE-2026-43013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43013"
},
{
"name": "CVE-2026-31454",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31454"
},
{
"name": "CVE-2025-38659",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38659"
},
{
"name": "CVE-2026-31452",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31452"
},
{
"name": "CVE-2026-23398",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23398"
},
{
"name": "CVE-2026-31425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31425"
},
{
"name": "CVE-2026-23351",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23351"
},
{
"name": "CVE-2026-43050",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43050"
},
{
"name": "CVE-2026-23154",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23154"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-07T00:00:00",
"last_revision_date": "2026-05-07T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0547",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS msg00004",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00004.html"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS msg00005",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
}
]
}
CVE-2026-23273 (GCVE-0-2026-23273)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-13 06:03
Title
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
valis reported that a race condition still happens after my prior patch.
macvlan_common_newlink() might have made @dev visible before
detecting an error, and its caller will directly call free_netdev(dev).
We must respect an RCU period, either in macvlan or the core networking
stack.
After adding a temporary mdelay(1000) in macvlan_forward_source_one()
to open the race window, valis repro was:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
(ip link add invalid% link p2 type macvlan mode source macaddr add
00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4
PING 1.2.3.4 (1.2.3.4): 56 data bytes
RTNETLINK answers: Invalid argument
BUG: KASAN: slab-use-after-free in macvlan_forward_source
(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
Read of size 8 at addr ffff888016bb89c0 by task e/175
CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
kasan_report (mm/kasan/report.c:597)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
? tasklet_init (kernel/softirq.c:983)
macvlan_handle_frame (drivers/net/macvlan.c:501)
Allocated by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
__kasan_kmalloc (mm/kasan/common.c:419)
__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657
mm/slub.c:7140)
alloc_netdev_mqs (net/core/dev.c:12012)
rtnl_create_link (net/core/rtnetlink.c:3648)
rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Freed by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_free_info (mm/kasan/generic.c:587)
__kasan_slab_free (mm/kasan/common.c:287)
kfree (mm/slub.c:6674 mm/slub.c:6882)
rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: da5c6b8ae47e414be47e5e04def15b25d5c962dc , < 91e4ff8d966978901630fc29582c1a76d3c6e46c (git) |
| Linux | Linux | Affected: 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a , < 3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4 (git) |
| Linux | Linux | Affected: c43d0e787cbba569ec9d11579ed370b50fab6c9c , < 721eb342d9ba19bad5c4815ea3921465158b7362 (git) |
| Linux | Linux | Affected: 11ba9f0dc865136174cb98834280fb21bbc950c7 , < 19c7d8ac51988d053709c1e85bd8482076af845d (git) |
| Linux | Linux | Affected: 986967a162142710076782d5b93daab93a892980 , < a1f686d273d129b45712d95f4095843b864466bd (git) |
| Linux | Linux | Affected: cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 , < d34f7a8aa9a25b7e64e0e46e444697c0f702374d (git) |
| Linux | Linux | Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < 1e58ae87ad1e6e24368dea9aec9048c758cd0e2b (git) |
| Linux | Linux | Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < e3f000f0dee1bfab52e2e61ca6a3835d9e187e35 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91e4ff8d966978901630fc29582c1a76d3c6e46c",
"status": "affected",
"version": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"versionType": "git"
},
{
"lessThan": "3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4",
"status": "affected",
"version": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"versionType": "git"
},
{
"lessThan": "721eb342d9ba19bad5c4815ea3921465158b7362",
"status": "affected",
"version": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"versionType": "git"
},
{
"lessThan": "19c7d8ac51988d053709c1e85bd8482076af845d",
"status": "affected",
"version": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"versionType": "git"
},
{
"lessThan": "a1f686d273d129b45712d95f4095843b864466bd",
"status": "affected",
"version": "986967a162142710076782d5b93daab93a892980",
"versionType": "git"
},
{
"lessThan": "d34f7a8aa9a25b7e64e0e46e444697c0f702374d",
"status": "affected",
"version": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"versionType": "git"
},
{
"lessThan": "1e58ae87ad1e6e24368dea9aec9048c758cd0e2b",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
},
{
"lessThan": "e3f000f0dee1bfab52e2e61ca6a3835d9e187e35",
"status": "affected",
"version": "f8db6475a83649689c087a8f52486fcc53e627e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 \u0026) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? 
tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:03:22.599Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c"
},
{
"url": "https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4"
},
{
"url": "https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362"
},
{
"url": "https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d"
},
{
"url": "https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd"
},
{
"url": "https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d"
},
{
"url": "https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b"
},
{
"url": "https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35"
}
],
"title": "macvlan: observe an RCU grace period in macvlan_common_newlink() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23273",
"datePublished": "2026-03-20T08:08:54.111Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-13T06:03:22.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31519 (GCVE-0-2026-31519)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
We have recently observed a number of subvolumes with broken dentries.
ls-ing the parent dir looks like:
drwxrwxrwt 1 root root 16 Jan 23 16:49 .
drwxr-xr-x 1 root root 24 Jan 23 16:48 ..
d????????? ? ? ? ? ? broken_subvol
and similarly stat-ing the file fails.
In this state, deleting the subvol fails with ENOENT, but attempting to
create a new file or subvol over it errors out with EEXIST and even
aborts the fs. Which leaves us a bit stuck.
dmesg contains a single notable error message reading:
"could not do orphan cleanup -2"
2 is ENOENT and the error comes from the failure handling path of
btrfs_orphan_cleanup(), with the stack leading back up to
btrfs_lookup().
btrfs_lookup
btrfs_lookup_dentry
btrfs_orphan_cleanup // prints that message and returns -ENOENT
After some detailed inspection of the internal state, it became clear
that:
- there are no orphan items for the subvol
- the subvol is otherwise healthy looking, it is not half-deleted or
anything, there is no drop progress, etc.
- the subvol was created a while ago and does the meaningful first
btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much
later.
- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,
which results in a negative dentry for the subvolume via
d_splice_alias(NULL, dentry), leading to the observed behavior. The
bug can be mitigated by dropping the dentry cache, at which point we
can successfully delete the subvolume if we want.
i.e.,
btrfs_lookup()
btrfs_lookup_dentry()
if (!sb_rdonly(inode->vfs_inode)->vfs_inode)
btrfs_orphan_cleanup(sub_root)
test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)
btrfs_search_slot() // finds orphan item for inode N
...
prints "could not do orphan cleanup -2"
if (inode == ERR_PTR(-ENOENT))
inode = NULL;
return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume
btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)
on the root when it runs, so it cannot run more than once on a given
root, so something else must run concurrently. However, the obvious
routes to deleting an orphan when nlinks goes to 0 should not be able to
run without first doing a lookup into the subvolume, which should run
btrfs_orphan_cleanup() and set the bit.
The final important observation is that create_subvol() calls
d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if
the dentry cache gets dropped, the next lookup into the subvolume will
make a real call into btrfs_orphan_cleanup() for the first time. This
opens up the possibility of concurrently deleting the inode/orphan items
but most typical evict() paths will be holding a reference on the parent
dentry (child dentry holds parent->d_lockref.count via dget in
d_alloc(), released in __dentry_kill()) and prevent the parent from
being removed from the dentry cache.
The one exception is delayed iputs. Ordered extent creation calls
igrab() on the inode. If the file is unlinked and closed while those
refs are held, iput() in __dentry_kill() decrements i_count but does
not trigger eviction (i_count > 0). The child dentry is freed and the
subvol dentry's d_lockref.count drops to 0, making it evictable while
the inode is still alive.
Since there are two races (the race between writeback and unlink and
the race between lookup and delayed iputs), and there are too many moving
parts, the following three diagrams show the complete picture.
(Only the second and third are races)
Phase 1:
Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set
btrfs_mksubvol()
lookup_one_len()
__lookup_slow()
d_alloc_parallel()
__d_alloc() // d_lockref.count = 1
create_subvol(dentry)
// doesn't touch the bit..
d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < d43da8de0ed376abafbad8a245a1835e8f66cb0f (git) |
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < c57276ced3c3207f42182dfa2f0d8e860357e111 (git) |
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < a41a9b8d19a98b45591528c6e54d31cc66271d1e (git) |
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < 2ec578e6452138ab76f6c9a9c18711fcd197649f (git) |
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < 696683f214495db3cdacab9a713efaaced8660f8 (git) |
| Linux | Linux | Affected: c71bf099abddf3e0fdc27f251ba76fca1461d49a , < 5131fa077f9bb386a1b901bf5b247041f0ec8f80 (git) |
| Linux | Linux | Affected: c4ba0bd9db5e8fd2664be0fd4ec01335fe3268eb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d43da8de0ed376abafbad8a245a1835e8f66cb0f",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"lessThan": "c57276ced3c3207f42182dfa2f0d8e860357e111",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"lessThan": "a41a9b8d19a98b45591528c6e54d31cc66271d1e",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"lessThan": "2ec578e6452138ab76f6c9a9c18711fcd197649f",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"lessThan": "696683f214495db3cdacab9a713efaaced8660f8",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"lessThan": "5131fa077f9bb386a1b901bf5b247041f0ec8f80",
"status": "affected",
"version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
"versionType": "git"
},
{
"status": "affected",
"version": "c4ba0bd9db5e8fd2664be0fd4ec01335fe3268eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create\n\nWe have recently observed a number of subvolumes with broken dentries.\nls-ing the parent dir looks like:\n\ndrwxrwxrwt 1 root root 16 Jan 23 16:49 .\ndrwxr-xr-x 1 root root 24 Jan 23 16:48 ..\nd????????? ? ? ? ? ? broken_subvol\n\nand similarly stat-ing the file fails.\n\nIn this state, deleting the subvol fails with ENOENT, but attempting to\ncreate a new file or subvol over it errors out with EEXIST and even\naborts the fs. Which leaves us a bit stuck.\n\ndmesg contains a single notable error message reading:\n\"could not do orphan cleanup -2\"\n\n2 is ENOENT and the error comes from the failure handling path of\nbtrfs_orphan_cleanup(), with the stack leading back up to\nbtrfs_lookup().\n\nbtrfs_lookup\nbtrfs_lookup_dentry\nbtrfs_orphan_cleanup // prints that message and returns -ENOENT\n\nAfter some detailed inspection of the internal state, it became clear\nthat:\n- there are no orphan items for the subvol\n- the subvol is otherwise healthy looking, it is not half-deleted or\n anything, there is no drop progress, etc.\n- the subvol was created a while ago and does the meaningful first\n btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much\n later.\n- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,\n which results in a negative dentry for the subvolume via\n d_splice_alias(NULL, dentry), leading to the observed behavior. 
The\n bug can be mitigated by dropping the dentry cache, at which point we\n can successfully delete the subvolume if we want.\n\ni.e.,\nbtrfs_lookup()\n btrfs_lookup_dentry()\n if (!sb_rdonly(inode-\u003evfs_inode)-\u003evfs_inode)\n btrfs_orphan_cleanup(sub_root)\n test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\n btrfs_search_slot() // finds orphan item for inode N\n ...\n prints \"could not do orphan cleanup -2\"\n if (inode == ERR_PTR(-ENOENT))\n inode = NULL;\n return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume\n\nbtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\non the root when it runs, so it cannot run more than once on a given\nroot, so something else must run concurrently. However, the obvious\nroutes to deleting an orphan when nlinks goes to 0 should not be able to\nrun without first doing a lookup into the subvolume, which should run\nbtrfs_orphan_cleanup() and set the bit.\n\nThe final important observation is that create_subvol() calls\nd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if\nthe dentry cache gets dropped, the next lookup into the subvolume will\nmake a real call into btrfs_orphan_cleanup() for the first time. This\nopens up the possibility of concurrently deleting the inode/orphan items\nbut most typical evict() paths will be holding a reference on the parent\ndentry (child dentry holds parent-\u003ed_lockref.count via dget in\nd_alloc(), released in __dentry_kill()) and prevent the parent from\nbeing removed from the dentry cache.\n\nThe one exception is delayed iputs. Ordered extent creation calls\nigrab() on the inode. If the file is unlinked and closed while those\nrefs are held, iput() in __dentry_kill() decrements i_count but does\nnot trigger eviction (i_count \u003e 0). 
The child dentry is freed and the\nsubvol dentry\u0027s d_lockref.count drops to 0, making it evictable while\nthe inode is still alive.\n\nSince there are two races (the race between writeback and unlink and\nthe race between lookup and delayed iputs), and there are too many moving\nparts, the following three diagrams show the complete picture.\n(Only the second and third are races)\n\nPhase 1:\nCreate Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set\n\nbtrfs_mksubvol()\n lookup_one_len()\n __lookup_slow()\n d_alloc_parallel()\n __d_alloc() // d_lockref.count = 1\n create_subvol(dentry)\n // doesn\u0027t touch the bit..\n d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:36.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d43da8de0ed376abafbad8a245a1835e8f66cb0f"
},
{
"url": "https://git.kernel.org/stable/c/c57276ced3c3207f42182dfa2f0d8e860357e111"
},
{
"url": "https://git.kernel.org/stable/c/a41a9b8d19a98b45591528c6e54d31cc66271d1e"
},
{
"url": "https://git.kernel.org/stable/c/2ec578e6452138ab76f6c9a9c18711fcd197649f"
},
{
"url": "https://git.kernel.org/stable/c/696683f214495db3cdacab9a713efaaced8660f8"
},
{
"url": "https://git.kernel.org/stable/c/5131fa077f9bb386a1b901bf5b247041f0ec8f80"
}
],
"title": "btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31519",
"datePublished": "2026-04-22T13:54:34.860Z",
"dateReserved": "2026-03-09T15:48:24.108Z",
"dateUpdated": "2026-04-23T15:18:36.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71161 (GCVE-0-2025-71161)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-03-25 10:20
Title
dm-verity: disable recursive forward error correction
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-verity: disable recursive forward error correction
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
has 253 iterations. For each iteration, we may call verity_hash_for_block
recursively. There is a limit of 4 nested recursions - that means that
there may be at most 253^4 (4 billion) iterations. Red Hat QE team
actually created an image that pushes dm-verity to this limit - and this
image just makes the udev-worker process get stuck in the 'D' state.
2. It doesn't work. In fec_read_bufs we store data into the variable
"fio->bufs", but fio bufs is shared between recursive invocations, if
"verity_hash_for_block" invoked correction recursively, it would
overwrite partially filled fio->bufs.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < e227d2b229c7529bd98d348efc55262ccf24ab35 (git) |
| Linux | Linux | Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 897d9006e75f46f8bd7df78faa424327ae6a4bcf (git) |
| Linux | Linux | Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 4220cb37406915c926c0e4a3dbab77cd9cceeb1e (git) |
| Linux | Linux | Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 232948cf600fba69aff36b25d85ef91a73a35756 (git) |
| Linux | Linux | Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-fec.c",
"drivers/md/dm-verity-fec.h",
"drivers/md/dm-verity-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e227d2b229c7529bd98d348efc55262ccf24ab35",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "897d9006e75f46f8bd7df78faa424327ae6a4bcf",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "4220cb37406915c926c0e4a3dbab77cd9cceeb1e",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "232948cf600fba69aff36b25d85ef91a73a35756",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "d9f3e47d3fae0c101d9094bc956ed24e7a0ee801",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-fec.c",
"drivers/md/dm-verity-fec.h",
"drivers/md/dm-verity-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the \u0027D\u0027 state.\n\n2. It doesn\u0027t work. In fec_read_bufs we store data into the variable\n\"fio-\u003ebufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio-\u003ebufs."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:05.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e227d2b229c7529bd98d348efc55262ccf24ab35"
},
{
"url": "https://git.kernel.org/stable/c/897d9006e75f46f8bd7df78faa424327ae6a4bcf"
},
{
"url": "https://git.kernel.org/stable/c/4220cb37406915c926c0e4a3dbab77cd9cceeb1e"
},
{
"url": "https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756"
},
{
"url": "https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801"
}
],
"title": "dm-verity: disable recursive forward error correction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71161",
"datePublished": "2026-01-23T15:23:59.464Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-03-25T10:20:05.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31781 (GCVE-0-2026-31781)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
drm/ioc32: stop speculation on the drm_compat_ioctl path
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ioc32: stop speculation on the drm_compat_ioctl path
The drm compat ioctl path takes a user controlled pointer, and then
dereferences it into a table of function pointers, the signature method
of spectre problems. Fix this up by calling array_index_nospec() on the
index to the function pointer list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioc32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46a60ee8956ef1975f00455f614761c7ecedc09d",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "5bb398991f378ef74d90b14a6ea8b61ff96cc03a",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "d59c5d8539662d95887b4564f3f72ad38076a2d5",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "489f2ef2b908898d01df697dc4fe1476674be640",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "4a41c2b18fc05d30b718d2602cac339eae710b34",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "f0e441be08a2eab10b2d06fccfa267ee599dd6b3",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "27ef84bba9b9d7b03418c60fbc6069ea0e87b13c",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"lessThan": "f8995c2df519f382525ca4bc90553ad2ec611067",
"status": "affected",
"version": "505b5240329b922f21f91d5b5d1e535c805eca6d",
"versionType": "git"
},
{
"status": "affected",
"version": "abc60edcfc87771ff244763d4d19c67766f5dd0f",
"versionType": "git"
},
{
"status": "affected",
"version": "a2a840d6dcae960c2dfdf3fcb1b759e1b7d90663",
"versionType": "git"
},
{
"status": "affected",
"version": "00279b505289f7529d9be2e78915d0483ffbd314",
"versionType": "git"
},
{
"status": "affected",
"version": "d04e6ea0cec9e7d6cba806508f657d2d0dc6cacf",
"versionType": "git"
},
{
"status": "affected",
"version": "7f3ebea19795eb38438cd3709fabf2afd53cf447",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioc32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.170",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ioc32: stop speculation on the drm_compat_ioctl path\n\nThe drm compat ioctl path takes a user controlled pointer, and then\ndereferences it into a table of function pointers, the signature method\nof spectre problems. Fix this up by calling array_index_nospec() on the\nindex to the function pointer list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:07.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46a60ee8956ef1975f00455f614761c7ecedc09d"
},
{
"url": "https://git.kernel.org/stable/c/5bb398991f378ef74d90b14a6ea8b61ff96cc03a"
},
{
"url": "https://git.kernel.org/stable/c/d59c5d8539662d95887b4564f3f72ad38076a2d5"
},
{
"url": "https://git.kernel.org/stable/c/489f2ef2b908898d01df697dc4fe1476674be640"
},
{
"url": "https://git.kernel.org/stable/c/4a41c2b18fc05d30b718d2602cac339eae710b34"
},
{
"url": "https://git.kernel.org/stable/c/f0e441be08a2eab10b2d06fccfa267ee599dd6b3"
},
{
"url": "https://git.kernel.org/stable/c/27ef84bba9b9d7b03418c60fbc6069ea0e87b13c"
},
{
"url": "https://git.kernel.org/stable/c/f8995c2df519f382525ca4bc90553ad2ec611067"
}
],
"title": "drm/ioc32: stop speculation on the drm_compat_ioctl path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31781",
"datePublished": "2026-05-01T14:15:07.933Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-05-01T14:15:07.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31391 (GCVE-0-2026-31391)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: atmel-sha204a - Fix OOM ->tfm_count leak
If memory allocation fails, decrement ->tfm_count to avoid blocking
future reads.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/atmel-sha204a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2d0c45dbb9eb272385ae919b17eef5a5318d3f8",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "66ee9c1c3575b5d6afc340faca00fd40ed5b7ad9",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "2bfc83cee05f8b9604502df27d94e8e2b4a3dbf1",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "1ab70c260cf16f931a728b2cb63fff5f38c814d8",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "6f502049a96b368ea6646c49d9520d6f69a101fa",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "fd262dc6d758232511127372eba866b7600739ba",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
},
{
"lessThan": "d240b079a37e90af03fd7dfec94930eb6c83936e",
"status": "affected",
"version": "da001fb651b00e1deeaf24767dd691ae8152a4f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/atmel-sha204a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix OOM -\u003etfm_count leak\n\nIf memory allocation fails, decrement -\u003etfm_count to avoid blocking\nfuture reads."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:14.908Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2d0c45dbb9eb272385ae919b17eef5a5318d3f8"
},
{
"url": "https://git.kernel.org/stable/c/66ee9c1c3575b5d6afc340faca00fd40ed5b7ad9"
},
{
"url": "https://git.kernel.org/stable/c/2bfc83cee05f8b9604502df27d94e8e2b4a3dbf1"
},
{
"url": "https://git.kernel.org/stable/c/1ab70c260cf16f931a728b2cb63fff5f38c814d8"
},
{
"url": "https://git.kernel.org/stable/c/6f502049a96b368ea6646c49d9520d6f69a101fa"
},
{
"url": "https://git.kernel.org/stable/c/fd262dc6d758232511127372eba866b7600739ba"
},
{
"url": "https://git.kernel.org/stable/c/d240b079a37e90af03fd7dfec94930eb6c83936e"
}
],
"title": "crypto: atmel-sha204a - Fix OOM -\u003etfm_count leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31391",
"datePublished": "2026-04-03T15:15:56.789Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-04-18T08:59:14.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23141 (GCVE-0-2026-23141)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-03-25 10:20
Title
btrfs: send: check for inline extents in range_is_hole_in_parent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: send: check for inline extents in range_is_hole_in_parent()
Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d948055bd46a9c14d1d4217aed65c5c258c32903",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "db00636643e66898d79f2530ac9c56ebd5eca369",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "39f83f10772310ba4a77f2b5256aaf36994ef7e8",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "08b096c1372cd69627f4f559fb47c9fb67a52b39",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:25.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d948055bd46a9c14d1d4217aed65c5c258c32903"
},
{
"url": "https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9"
},
{
"url": "https://git.kernel.org/stable/c/db00636643e66898d79f2530ac9c56ebd5eca369"
},
{
"url": "https://git.kernel.org/stable/c/39f83f10772310ba4a77f2b5256aaf36994ef7e8"
},
{
"url": "https://git.kernel.org/stable/c/08b096c1372cd69627f4f559fb47c9fb67a52b39"
}
],
"title": "btrfs: send: check for inline extents in range_is_hole_in_parent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23141",
"datePublished": "2026-02-14T15:36:07.417Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-03-25T10:20:25.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31507 (GCVE-0-2026-31507)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores
the pointer in pipe_buffer.private. The pipe_buf_operations for these
buffers used .get = generic_pipe_buf_get, which only increments the page
reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv
pointer itself was not handled, so after tee() both the original and the
cloned pipe_buffer share the same smc_spd_priv *.
When both pipes are subsequently released, smc_rx_pipe_buf_release() is
called twice against the same object:
1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]
2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]
KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which
then escalates to a NULL-pointer dereference and kernel panic via
smc_rx_update_consumer() when it chases the freed priv->smc pointer:
BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0
Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x650
kasan_report+0xc6/0x100
smc_rx_pipe_buf_release+0x78/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: kernel NULL pointer dereference, address: 0000000000000020
RIP: 0010:smc_rx_update_consumer+0x8d/0x350
Call Trace:
<TASK>
smc_rx_pipe_buf_release+0x121/0x2a0
free_pipe_info+0xd4/0x130
pipe_release+0x142/0x160
__fput+0x1c6/0x490
__x64_sys_close+0x4f/0x90
do_syscall_64+0xa6/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Kernel panic - not syncing: Fatal exception
Beyond the memory-safety problem, duplicating an SMC splice buffer is
semantically questionable: smc_rx_update_cons() would advance the
consumer cursor twice for the same data, corrupting receive-window
accounting. A refcount on smc_spd_priv could fix the double-free, but
the cursor-accounting issue would still need to be addressed separately.
The .get callback is invoked by both tee(2) and splice_pipe_to_pipe()
for partial transfers; both will now return -EFAULT. Users who need
to duplicate SMC socket data must use a copy-based read path.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e8916f46c2f48607f907fd401590093753a6bc5",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "ae5575e660410c8d2c5d38fb28a0f37aea945676",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "98ba5cb274768146e25ffbfde47753652c1c20d3",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "81acbd345d405994875d419d43b319fee0b9ad62",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "7bcb974c771c863e8588cea0012ac204443a7126",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "54c87a730157868543ebdfa0ecb21b4590ed23a5",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "3cc76380fea749280c026f410af56a28aaac388a",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
},
{
"lessThan": "24dd586bb4cbba1889a50abe74143817a095c1c9",
"status": "affected",
"version": "9014db202cb764b8e14c53e7bacc81f9a1a2ba7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private. The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer. The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]\n 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv-\u003esmc pointer:\n\n BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x650\n kasan_report+0xc6/0x100\n smc_rx_pipe_buf_release+0x78/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n Call Trace:\n \u003cTASK\u003e\n smc_rx_pipe_buf_release+0x121/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting. A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT. Users who need\nto duplicate SMC socket data must use a copy-based read path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:44.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e8916f46c2f48607f907fd401590093753a6bc5"
},
{
"url": "https://git.kernel.org/stable/c/ae5575e660410c8d2c5d38fb28a0f37aea945676"
},
{
"url": "https://git.kernel.org/stable/c/98ba5cb274768146e25ffbfde47753652c1c20d3"
},
{
"url": "https://git.kernel.org/stable/c/81acbd345d405994875d419d43b319fee0b9ad62"
},
{
"url": "https://git.kernel.org/stable/c/7bcb974c771c863e8588cea0012ac204443a7126"
},
{
"url": "https://git.kernel.org/stable/c/54c87a730157868543ebdfa0ecb21b4590ed23a5"
},
{
"url": "https://git.kernel.org/stable/c/3cc76380fea749280c026f410af56a28aaac388a"
},
{
"url": "https://git.kernel.org/stable/c/24dd586bb4cbba1889a50abe74143817a095c1c9"
}
],
"title": "net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31507",
"datePublished": "2026-04-22T13:54:25.910Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-04-27T14:03:44.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43041 (GCVE-0-2026-43041)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak

__radix_tree_create() allocates and links intermediate nodes into the
tree one by one. If a subsequent allocation fails, the already-linked
nodes remain in the tree with no corresponding leaf entry. These orphaned
internal nodes are never reclaimed because radix_tree_for_each_slot()
only visits slots containing leaf values.

The radix_tree API is deprecated in favor of xarray. As suggested by
Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead
of fixing the radix_tree itself [1]. xarray properly handles cleanup of
internal nodes — xa_destroy() frees all internal xarray nodes when the
qrtr_node is released, preventing the leak.

[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < f2dd9aaf6e2861337f5835f877a5b2becaf4b015 (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < 4b75ff0aedd6ade1018ad4a3a9d8336794e36e42 (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < ff134cc43972d7ddceff8cfd36cf6b9eaafc00b3 (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < 0fda873092b541bb5a9b87d728a2429f863f8cfa (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < 69402908e277dd164bf8d7c8fd0513c0fac28e9e (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < f2664bc4f0f356f17c2094587a2b3665e3867e44 (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < 5d2249eefaca59908fe3c264b8eca526424dcfbe (git) |
| Linux | Linux | Affected: 5fdeb0d372ab33b4175043a2a4a1730239a217f1 , < 2428083101f6883f979cceffa76cd8440751ffe6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2dd9aaf6e2861337f5835f877a5b2becaf4b015",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "4b75ff0aedd6ade1018ad4a3a9d8336794e36e42",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "ff134cc43972d7ddceff8cfd36cf6b9eaafc00b3",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "0fda873092b541bb5a9b87d728a2429f863f8cfa",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "69402908e277dd164bf8d7c8fd0513c0fac28e9e",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "f2664bc4f0f356f17c2094587a2b3665e3867e44",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "5d2249eefaca59908fe3c264b8eca526424dcfbe",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
},
{
"lessThan": "2428083101f6883f979cceffa76cd8440751ffe6",
"status": "affected",
"version": "5fdeb0d372ab33b4175043a2a4a1730239a217f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/qrtr/af_qrtr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak\n\n__radix_tree_create() allocates and links intermediate nodes into the\ntree one by one. If a subsequent allocation fails, the already-linked\nnodes remain in the tree with no corresponding leaf entry. These orphaned\ninternal nodes are never reclaimed because radix_tree_for_each_slot()\nonly visits slots containing leaf values.\n\nThe radix_tree API is deprecated in favor of xarray. As suggested by\nMatthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead\nof fixing the radix_tree itself [1]. xarray properly handles cleanup of\ninternal nodes \u2014 xa_destroy() frees all internal xarray nodes when the\nqrtr_node is released, preventing the leak.\n\n[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:38.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2dd9aaf6e2861337f5835f877a5b2becaf4b015"
},
{
"url": "https://git.kernel.org/stable/c/4b75ff0aedd6ade1018ad4a3a9d8336794e36e42"
},
{
"url": "https://git.kernel.org/stable/c/ff134cc43972d7ddceff8cfd36cf6b9eaafc00b3"
},
{
"url": "https://git.kernel.org/stable/c/0fda873092b541bb5a9b87d728a2429f863f8cfa"
},
{
"url": "https://git.kernel.org/stable/c/69402908e277dd164bf8d7c8fd0513c0fac28e9e"
},
{
"url": "https://git.kernel.org/stable/c/f2664bc4f0f356f17c2094587a2b3665e3867e44"
},
{
"url": "https://git.kernel.org/stable/c/5d2249eefaca59908fe3c264b8eca526424dcfbe"
},
{
"url": "https://git.kernel.org/stable/c/2428083101f6883f979cceffa76cd8440751ffe6"
}
],
"title": "net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43041",
"datePublished": "2026-05-01T14:15:38.112Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-05-01T14:15:38.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43015 (GCVE-0-2026-43015)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net: macb: fix clk handling on PCI glue driver removal
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix clk handling on PCI glue driver removal

platform_device_unregister() may still want to use the registered clks
during runtime resume callback.

Note that there is a commit d82d5303c4c5 ("net: macb: fix use after free
on rmmod") that addressed the similar problem of clk vs platform device
unregistration but just moved the bug to another place.

Save the pointers to clks into local variables for reuse after platform
device is unregistered.

BUG: KASAN: use-after-free in clk_prepare+0x5a/0x60
Read of size 8 at addr ffff888104f85e00 by task modprobe/597

CPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x8d/0xba
print_report+0x17f/0x496
kasan_report+0xd9/0x180
clk_prepare+0x5a/0x60
macb_runtime_resume+0x13d/0x410 [macb]
pm_generic_runtime_resume+0x97/0xd0
__rpm_callback+0xc8/0x4d0
rpm_callback+0xf6/0x230
rpm_resume+0xeeb/0x1a70
__pm_runtime_resume+0xb4/0x170
bus_remove_device+0x2e3/0x4b0
device_del+0x5b3/0xdc0
platform_device_del+0x4e/0x280
platform_device_unregister+0x11/0x50
pci_device_remove+0xae/0x210
device_remove+0xcb/0x180
device_release_driver_internal+0x529/0x770
driver_detach+0xd4/0x1a0
bus_remove_driver+0x135/0x260
driver_unregister+0x72/0xb0
pci_unregister_driver+0x26/0x220
__do_sys_delete_module+0x32e/0x550
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>
Allocated by task 519:
kasan_save_stack+0x2c/0x50
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x8e/0x90
__clk_register+0x458/0x2890
clk_hw_register+0x1a/0x60
__clk_hw_register_fixed_rate+0x255/0x410
clk_register_fixed_rate+0x3c/0xa0
macb_probe+0x1d8/0x42e [macb_pci]
local_pci_probe+0xd7/0x190
pci_device_probe+0x252/0x600
really_probe+0x255/0x7f0
__driver_probe_device+0x1ee/0x330
driver_probe_device+0x4c/0x1f0
__driver_attach+0x1df/0x4e0
bus_for_each_dev+0x15d/0x1f0
bus_add_driver+0x486/0x5e0
driver_register+0x23a/0x3d0
do_one_initcall+0xfd/0x4d0
do_init_module+0x18b/0x5a0
load_module+0x5663/0x7950
__do_sys_finit_module+0x101/0x180
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 597:
kasan_save_stack+0x2c/0x50
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x50
__kasan_slab_free+0x106/0x180
__kmem_cache_free+0xbc/0x320
clk_unregister+0x6de/0x8d0
macb_remove+0x73/0xc0 [macb_pci]
pci_device_remove+0xae/0x210
device_remove+0xcb/0x180
device_release_driver_internal+0x529/0x770
driver_detach+0xd4/0x1a0
bus_remove_driver+0x135/0x260
driver_unregister+0x72/0xb0
pci_unregister_driver+0x26/0x220
__do_sys_delete_module+0x32e/0x550
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7721221e87d25c9840d9ca6b986dbdc410d5ce2b , < bf64cae913cdd4821f13d5d1d68900c0891bef69 (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < 67f70841a175fa3469119f52d77a3662c07507a2 (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < 2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < b3f799cdf830df1782ae463cf15ace35015be99e (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < f310a836da90d0f0321b14d446c071af63f9ee4c (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < 16ab4c0e2b15df5d33bfcb9ea8e4441b85dd4a57 (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < 3496fb9e66f79d4def3bb7ec7563e3eaa33a688f (git) |
| Linux | Linux | Affected: d82d5303c4c539db86588ffb5dc5b26c3f1513e8 , < ce8fe5287b87e24e225c342f3b0ec04f0b3680fe (git) |
| Linux | Linux | Affected: a7d521cc726f30b8e679a6f36d04b18a8ab3c536 (git) |
| Linux | Linux | Affected: 46670fb832ee80943715df618632ca13c2e96f2b (git) |
| Linux | Linux | Affected: 1da750d1e2140ef43d64d17f301ff6f41b45541e (git) |
| Linux | Linux | Affected: 4ad6f2d23b0f6ac0d3e5f3102a4256d1c86c90f5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf64cae913cdd4821f13d5d1d68900c0891bef69",
"status": "affected",
"version": "7721221e87d25c9840d9ca6b986dbdc410d5ce2b",
"versionType": "git"
},
{
"lessThan": "67f70841a175fa3469119f52d77a3662c07507a2",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "b3f799cdf830df1782ae463cf15ace35015be99e",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "f310a836da90d0f0321b14d446c071af63f9ee4c",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "16ab4c0e2b15df5d33bfcb9ea8e4441b85dd4a57",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "3496fb9e66f79d4def3bb7ec7563e3eaa33a688f",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"lessThan": "ce8fe5287b87e24e225c342f3b0ec04f0b3680fe",
"status": "affected",
"version": "d82d5303c4c539db86588ffb5dc5b26c3f1513e8",
"versionType": "git"
},
{
"status": "affected",
"version": "a7d521cc726f30b8e679a6f36d04b18a8ab3c536",
"versionType": "git"
},
{
"status": "affected",
"version": "46670fb832ee80943715df618632ca13c2e96f2b",
"versionType": "git"
},
{
"status": "affected",
"version": "1da750d1e2140ef43d64d17f301ff6f41b45541e",
"versionType": "git"
},
{
"status": "affected",
"version": "4ad6f2d23b0f6ac0d3e5f3102a4256d1c86c90f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix clk handling on PCI glue driver removal\n\nplatform_device_unregister() may still want to use the registered clks\nduring runtime resume callback.\n\nNote that there is a commit d82d5303c4c5 (\"net: macb: fix use after free\non rmmod\") that addressed the similar problem of clk vs platform device\nunregistration but just moved the bug to another place.\n\nSave the pointers to clks into local variables for reuse after platform\ndevice is unregistered.\n\nBUG: KASAN: use-after-free in clk_prepare+0x5a/0x60\nRead of size 8 at addr ffff888104f85e00 by task modprobe/597\n\nCPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x8d/0xba\n print_report+0x17f/0x496\n kasan_report+0xd9/0x180\n clk_prepare+0x5a/0x60\n macb_runtime_resume+0x13d/0x410 [macb]\n pm_generic_runtime_resume+0x97/0xd0\n __rpm_callback+0xc8/0x4d0\n rpm_callback+0xf6/0x230\n rpm_resume+0xeeb/0x1a70\n __pm_runtime_resume+0xb4/0x170\n bus_remove_device+0x2e3/0x4b0\n device_del+0x5b3/0xdc0\n platform_device_del+0x4e/0x280\n platform_device_unregister+0x11/0x50\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n \u003c/TASK\u003e\n\nAllocated by task 519:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x8e/0x90\n __clk_register+0x458/0x2890\n clk_hw_register+0x1a/0x60\n __clk_hw_register_fixed_rate+0x255/0x410\n clk_register_fixed_rate+0x3c/0xa0\n macb_probe+0x1d8/0x42e [macb_pci]\n local_pci_probe+0xd7/0x190\n pci_device_probe+0x252/0x600\n 
really_probe+0x255/0x7f0\n __driver_probe_device+0x1ee/0x330\n driver_probe_device+0x4c/0x1f0\n __driver_attach+0x1df/0x4e0\n bus_for_each_dev+0x15d/0x1f0\n bus_add_driver+0x486/0x5e0\n driver_register+0x23a/0x3d0\n do_one_initcall+0xfd/0x4d0\n do_init_module+0x18b/0x5a0\n load_module+0x5663/0x7950\n __do_sys_finit_module+0x101/0x180\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 597:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x180\n __kmem_cache_free+0xbc/0x320\n clk_unregister+0x6de/0x8d0\n macb_remove+0x73/0xc0 [macb_pci]\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:20.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf64cae913cdd4821f13d5d1d68900c0891bef69"
},
{
"url": "https://git.kernel.org/stable/c/67f70841a175fa3469119f52d77a3662c07507a2"
},
{
"url": "https://git.kernel.org/stable/c/2d96204e4184d6f7dd2f93c6f218fd0c1f55e9ae"
},
{
"url": "https://git.kernel.org/stable/c/b3f799cdf830df1782ae463cf15ace35015be99e"
},
{
"url": "https://git.kernel.org/stable/c/f310a836da90d0f0321b14d446c071af63f9ee4c"
},
{
"url": "https://git.kernel.org/stable/c/16ab4c0e2b15df5d33bfcb9ea8e4441b85dd4a57"
},
{
"url": "https://git.kernel.org/stable/c/3496fb9e66f79d4def3bb7ec7563e3eaa33a688f"
},
{
"url": "https://git.kernel.org/stable/c/ce8fe5287b87e24e225c342f3b0ec04f0b3680fe"
}
],
"title": "net: macb: fix clk handling on PCI glue driver removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43015",
"datePublished": "2026-05-01T14:15:20.242Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-01T14:15:20.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31431 (GCVE-0-2026-31431)
Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-05-07 06:58
Title
crypto: algif_aead - Revert to operating out-of-place
Summary
In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy the
AD directly.
Severity
7.8 (High)
CWE
- CWE-669 - Incorrect Resource Transfer Between Spheres
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 893d22e0135fa394db81df88697fba6032747667 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 19d43105a97be0810edbda875f2cd03f30dc130c (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 961cfa271a918ad4ae452420e7c303149002875b (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 3115af9644c342b356f3f07a4dd1c8905cd9a6fc (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 8b88d99341f139e23bdeb1027a2a3ae10d341d82 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < ce42ee423e58dffa5ec03524054c9d8bfd4f6237 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31431",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-01",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:55:23.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/theori-io/copy-fail-CVE-2026-31431"
},
{
"tags": [
"mitigation"
],
"url": "https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"
},
{
"tags": [
"mitigation"
],
"url": "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/"
},
{
"tags": [
"mitigation"
],
"url": "https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "CVE-2026-31431 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-07T06:58:58.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/23"
},
{
"url": "https://copy.fail"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/26"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/18"
},
{
"url": "https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/22"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/19"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/21"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/27"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/28"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/29"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/31"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/06/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/07/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "893d22e0135fa394db81df88697fba6032747667",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "19d43105a97be0810edbda875f2cd03f30dc130c",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "961cfa271a918ad4ae452420e7c303149002875b",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "3115af9644c342b356f3f07a4dd1c8905cd9a6fc",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "8b88d99341f139e23bdeb1027a2a3ae10d341d82",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "ce42ee423e58dffa5ec03524054c9d8bfd4f6237",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings. Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T09:32:06.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667"
},
{
"url": "https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c"
},
{
"url": "https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b"
},
{
"url": "https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc"
},
{
"url": "https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82"
},
{
"url": "https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"
},
{
"url": "https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237"
},
{
"url": "https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
}
],
"title": "crypto: algif_aead - Revert to operating out-of-place",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31431",
"datePublished": "2026-04-22T08:15:10.123Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-05-07T06:58:58.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43035 (GCVE-0-2026-43035)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
When building netlink messages, tc_chain_fill_node() never initializes
the tcm_info field of struct tcmsg. Since the allocation is not zeroed,
kernel heap memory is leaked to userspace through this 4-byte field.
The fix simply zeroes tcm_info alongside the other fields that are
already initialized.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < 903c3405cfcc7700260e456ab66a5867586c9e69 (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < 71a3eda7e850ae844cb8993065f4e410c11a46ce (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < 4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3 (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < e35f5195cd44ff4053fbc5d71ea97681728a0099 (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < d6db08484c6cb3d4ad696246f9d288eceba2a078 (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < 906997ea3766c24fbbf9cc4bf17c047315bbd138 (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < 1091b3c174441a52fdbb92e2fe00338f9371a91c (git) |
| Linux | Linux | Affected: 32a4f5ecd7381f30ae3bb36dea77a150ba68af2e , < e6e3eb5ee89ac4c163d46429391c889a1bb5e404 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "903c3405cfcc7700260e456ab66a5867586c9e69",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "71a3eda7e850ae844cb8993065f4e410c11a46ce",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "e35f5195cd44ff4053fbc5d71ea97681728a0099",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "d6db08484c6cb3d4ad696246f9d288eceba2a078",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "906997ea3766c24fbbf9cc4bf17c047315bbd138",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "1091b3c174441a52fdbb92e2fe00338f9371a91c",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
},
{
"lessThan": "e6e3eb5ee89ac4c163d46429391c889a1bb5e404",
"status": "affected",
"version": "32a4f5ecd7381f30ae3bb36dea77a150ba68af2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:33.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69"
},
{
"url": "https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce"
},
{
"url": "https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3"
},
{
"url": "https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099"
},
{
"url": "https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078"
},
{
"url": "https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138"
},
{
"url": "https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c"
},
{
"url": "https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404"
}
],
"title": "net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43035",
"datePublished": "2026-05-01T14:15:33.922Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-01T14:15:33.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40219 (GCVE-0-2025-40219)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2026-04-13 06:02
Title
PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when
enabling/disabling SR-IOV") tried to fix a race between the VF removal
inside sriov_del_vfs() and concurrent hot unplug by taking the PCI
rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock
was also taken in sriov_add_vfs() to protect addition of VFs.
This approach however causes deadlock on trying to remove PFs with SR-IOV
enabled because PFs disable SR-IOV during removal and this removal happens
under the PCI rescan/remove lock. So the original fix had to be reverted.
Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and
sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs
hotplug higher up in the callchain by taking the lock in
sriov_numvfs_store() before calling into the driver's sriov_configure()
callback.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 3cddde484471c602bea04e6f384819d336a1ff84 (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 7c37920c96b85ef4255a7acc795e99e63dd38d59 (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 1047ca2d816994f31e1475e63e0c0b7825599747 (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 97c18f074ff1c12d016a0753072a3afdfa0b9611 (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < bea1d373098b22d7142da48750ce5526096425bc (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < f3015627b6e9ddf85cfeaf42405b3c194dde2c36 (git) |
| Linux | Linux | Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a5338e365c4559d7b4d7356116b0eb95b12e08d5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3cddde484471c602bea04e6f384819d336a1ff84",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "7c37920c96b85ef4255a7acc795e99e63dd38d59",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "1047ca2d816994f31e1475e63e0c0b7825599747",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "97c18f074ff1c12d016a0753072a3afdfa0b9611",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "bea1d373098b22d7142da48750ce5526096425bc",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "f3015627b6e9ddf85cfeaf42405b3c194dde2c36",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a5338e365c4559d7b4d7356116b0eb95b12e08d5",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Fix race between SR-IOV enable/disable and hotplug\n\nCommit 05703271c3cd (\"PCI/IOV: Add PCI rescan-remove locking when\nenabling/disabling SR-IOV\") tried to fix a race between the VF removal\ninside sriov_del_vfs() and concurrent hot unplug by taking the PCI\nrescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock\nwas also taken in sriov_add_vfs() to protect addition of VFs.\n\nThis approach however causes deadlock on trying to remove PFs with SR-IOV\nenabled because PFs disable SR-IOV during removal and this removal happens\nunder the PCI rescan/remove lock. So the original fix had to be reverted.\n\nInstead of taking the PCI rescan/remove lock in sriov_add_vfs() and\nsriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs\nhotplug higher up in the callchain by taking the lock in\nsriov_numvfs_store() before calling into the driver\u0027s sriov_configure()\ncallback."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:15.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84"
},
{
"url": "https://git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b"
},
{
"url": "https://git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59"
},
{
"url": "https://git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747"
},
{
"url": "https://git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611"
},
{
"url": "https://git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc"
},
{
"url": "https://git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36"
},
{
"url": "https://git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5"
}
],
"title": "PCI/IOV: Fix race between SR-IOV enable/disable and hotplug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40219",
"datePublished": "2025-12-04T14:50:42.996Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-04-13T06:02:15.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23284 (GCVE-0-2026-23284)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-13 06:03
Title
net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
Reset eBPF program pointer to old_prog and do not decrease its ref-count
if mtk_open routine in mtk_xdp_setup() fails.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < 8c2d76a9658a4dbfcf02f2693a97e2d5ff42197a (git) |
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < 29629dd7d37349e9fb605375a75de44ac8926ea9 (git) |
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < b73dfe1ea7be7a072482434643b517d7726f4c8d (git) |
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < 6f95b59520278a72df9905db791b7ea31375fbc1 (git) |
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < ff14cd44c85c20ad69479db73698185de291550c (git) |
| Linux | Linux | Affected: 7c26c20da5d420cde55618263be4aa2f6de53056 , < 0abc73c8a40fd64ac1739c90bb4f42c418d27a5e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c2d76a9658a4dbfcf02f2693a97e2d5ff42197a",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
},
{
"lessThan": "29629dd7d37349e9fb605375a75de44ac8926ea9",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
},
{
"lessThan": "b73dfe1ea7be7a072482434643b517d7726f4c8d",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
},
{
"lessThan": "6f95b59520278a72df9905db791b7ea31375fbc1",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
},
{
"lessThan": "ff14cd44c85c20ad69479db73698185de291550c",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
},
{
"lessThan": "0abc73c8a40fd64ac1739c90bb4f42c418d27a5e",
"status": "affected",
"version": "7c26c20da5d420cde55618263be4aa2f6de53056",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()\n\nReset eBPF program pointer to old_prog and do not decrease its ref-count\nif mtk_open routine in mtk_xdp_setup() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:03:36.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c2d76a9658a4dbfcf02f2693a97e2d5ff42197a"
},
{
"url": "https://git.kernel.org/stable/c/29629dd7d37349e9fb605375a75de44ac8926ea9"
},
{
"url": "https://git.kernel.org/stable/c/b73dfe1ea7be7a072482434643b517d7726f4c8d"
},
{
"url": "https://git.kernel.org/stable/c/6f95b59520278a72df9905db791b7ea31375fbc1"
},
{
"url": "https://git.kernel.org/stable/c/ff14cd44c85c20ad69479db73698185de291550c"
},
{
"url": "https://git.kernel.org/stable/c/0abc73c8a40fd64ac1739c90bb4f42c418d27a5e"
}
],
"title": "net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23284",
"datePublished": "2026-03-25T10:26:44.036Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-13T06:03:36.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23364 (GCVE-0-2026-23364)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:05
Title
ksmbd: Compare MACs in constant time
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Compare MACs in constant time
To prevent timing attacks, MAC comparisons need to be constant-time.
Replace the memcmp() with the correct function, crypto_memneq().
Severity
7.4 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < cd52a0e309659537048a864211abc3ea4c5caa63 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 307afccb751f542246bd5dc68a2c1ffe1a78418c (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 2cdc56ed67615ba0921383a688f24415ebe065f3 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 93c0a22fec914ec4b697e464895a0f594e29fb28 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < f4588b85efd6007d46b80aa1b9fb746628ffb3dc (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c5794709bc9105935dbedef8b9cf9c06f2b559fa (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/Kconfig",
"fs/smb/server/auth.c",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd52a0e309659537048a864211abc3ea4c5caa63",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "307afccb751f542246bd5dc68a2c1ffe1a78418c",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "2cdc56ed67615ba0921383a688f24415ebe065f3",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "93c0a22fec914ec4b697e464895a0f594e29fb28",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "f4588b85efd6007d46b80aa1b9fb746628ffb3dc",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "c5794709bc9105935dbedef8b9cf9c06f2b559fa",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/Kconfig",
"fs/smb/server/auth.c",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Compare MACs in constant time\n\nTo prevent timing attacks, MAC comparisons need to be constant-time.\nReplace the memcmp() with the correct function, crypto_memneq()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:05:51.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd52a0e309659537048a864211abc3ea4c5caa63"
},
{
"url": "https://git.kernel.org/stable/c/307afccb751f542246bd5dc68a2c1ffe1a78418c"
},
{
"url": "https://git.kernel.org/stable/c/2cdc56ed67615ba0921383a688f24415ebe065f3"
},
{
"url": "https://git.kernel.org/stable/c/93c0a22fec914ec4b697e464895a0f594e29fb28"
},
{
"url": "https://git.kernel.org/stable/c/f4588b85efd6007d46b80aa1b9fb746628ffb3dc"
},
{
"url": "https://git.kernel.org/stable/c/c5794709bc9105935dbedef8b9cf9c06f2b559fa"
}
],
"title": "ksmbd: Compare MACs in constant time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23364",
"datePublished": "2026-03-25T10:27:46.960Z",
"dateReserved": "2026-01-13T15:37:46.002Z",
"dateUpdated": "2026-04-13T06:05:51.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23382 (GCVE-0-2026-23382)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:28 – Updated: 2026-04-18 08:58
Title
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at
raw event handle"), we handle the fact that raw event callbacks
can happen even for a HID device that has not been "claimed" causing a
crash if a broken device were attempted to be connected to the system.
Fix up the remaining in-tree HID drivers that forgot to add this same
check to resolve the same issue.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < b48284d7f0f76023b215a3409cdc989b5081eadf (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < de316c1edf15bc30ff5e0d4c7b37c70fd41cf319 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < ac83b0d91a3f4f0c012ba9c85fb99436cddb1208 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < 6e330889e6c8db99f04d4feb861d23de4e8fbb13 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < 892dbaf46bb738dacf1fa663eadb3712c85868f0 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < 20864e3e41c74cda253a9fa6b6fe093c1461a6a9 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < 575122cd6569c4c4aa13c4c9958fea506724c788 (git) |
| Linux | Linux | Affected: d0742abaa1c396a26bb3d3ce2732988cd3faa020, < ecfa6f34492c493a9a1dc2900f3edeb01c79946b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-cmedia.c",
"drivers/hid/hid-creative-sb0540.c",
"drivers/hid/hid-zydacron.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b48284d7f0f76023b215a3409cdc989b5081eadf",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "de316c1edf15bc30ff5e0d4c7b37c70fd41cf319",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "ac83b0d91a3f4f0c012ba9c85fb99436cddb1208",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "6e330889e6c8db99f04d4feb861d23de4e8fbb13",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "892dbaf46bb738dacf1fa663eadb3712c85868f0",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "20864e3e41c74cda253a9fa6b6fe093c1461a6a9",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "575122cd6569c4c4aa13c4c9958fea506724c788",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
},
{
"lessThan": "ecfa6f34492c493a9a1dc2900f3edeb01c79946b",
"status": "affected",
"version": "d0742abaa1c396a26bb3d3ce2732988cd3faa020",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-cmedia.c",
"drivers/hid/hid-creative-sb0540.c",
"drivers/hid/hid-zydacron.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them\n\nIn commit 2ff5baa9b527 (\"HID: appleir: Fix potential NULL dereference at\nraw event handle\"), we handle the fact that raw event callbacks\ncan happen even for a HID device that has not been \"claimed\" causing a\ncrash if a broken device were attempted to be connected to the system.\n\nFix up the remaining in-tree HID drivers that forgot to add this same\ncheck to resolve the same issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:24.172Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b48284d7f0f76023b215a3409cdc989b5081eadf"
},
{
"url": "https://git.kernel.org/stable/c/de316c1edf15bc30ff5e0d4c7b37c70fd41cf319"
},
{
"url": "https://git.kernel.org/stable/c/ac83b0d91a3f4f0c012ba9c85fb99436cddb1208"
},
{
"url": "https://git.kernel.org/stable/c/6e330889e6c8db99f04d4feb861d23de4e8fbb13"
},
{
"url": "https://git.kernel.org/stable/c/892dbaf46bb738dacf1fa663eadb3712c85868f0"
},
{
"url": "https://git.kernel.org/stable/c/20864e3e41c74cda253a9fa6b6fe093c1461a6a9"
},
{
"url": "https://git.kernel.org/stable/c/575122cd6569c4c4aa13c4c9958fea506724c788"
},
{
"url": "https://git.kernel.org/stable/c/ecfa6f34492c493a9a1dc2900f3edeb01c79946b"
}
],
"title": "HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23382",
"datePublished": "2026-03-25T10:28:01.040Z",
"dateReserved": "2026-01-13T15:37:46.007Z",
"dateUpdated": "2026-04-18T08:58:24.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23426 (GCVE-0-2026-23426)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-04-13 06:07
Title
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
The logicvc_drm_config_parse() function calls of_get_child_by_name() to
find the "layers" node but fails to release the reference, leading to a
device node reference leak.
Fix this by using the __free(device_node) cleanup attribute to automatically
release the reference when the variable goes out of scope.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < b88f49910be147b7974098b9172b0d3873142d6a (git) |
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < 0bd326dffd9e103335d77d9c31275c0d5a7979eb (git) |
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < 871630255ecd2d9b64ad1d75a7dfc0567d7d9989 (git) |
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < f8a6eba20edb938166b26e133cc61306e1bc6de9 (git) |
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < 78e91e49d28e05ccaa6b445bafb5e367d57c9583 (git) |
| Linux | Linux | Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5, < fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/logicvc/logicvc_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b88f49910be147b7974098b9172b0d3873142d6a",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "0bd326dffd9e103335d77d9c31275c0d5a7979eb",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "871630255ecd2d9b64ad1d75a7dfc0567d7d9989",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "f8a6eba20edb938166b26e133cc61306e1bc6de9",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "78e91e49d28e05ccaa6b445bafb5e367d57c9583",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/logicvc/logicvc_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()\n\nThe logicvc_drm_config_parse() function calls of_get_child_by_name() to\nfind the \"layers\" node but fails to release the reference, leading to a\ndevice node reference leak.\n\nFix this by using the __free(device_node) cleanup attribute to automatic\nrelease the reference when the variable goes out of scope."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:07:13.131Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b88f49910be147b7974098b9172b0d3873142d6a"
},
{
"url": "https://git.kernel.org/stable/c/0bd326dffd9e103335d77d9c31275c0d5a7979eb"
},
{
"url": "https://git.kernel.org/stable/c/871630255ecd2d9b64ad1d75a7dfc0567d7d9989"
},
{
"url": "https://git.kernel.org/stable/c/f8a6eba20edb938166b26e133cc61306e1bc6de9"
},
{
"url": "https://git.kernel.org/stable/c/78e91e49d28e05ccaa6b445bafb5e367d57c9583"
},
{
"url": "https://git.kernel.org/stable/c/fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207"
}
],
"title": "drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23426",
"datePublished": "2026-04-03T13:24:34.276Z",
"dateReserved": "2026-01-13T15:37:46.015Z",
"dateUpdated": "2026-04-13T06:07:13.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31393 (GCVE-0-2026-31393)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:
- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < 187e6fe939295be36063a1d91f8bebee04399a8c (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < 5229e7d15771eac2b5886bfb1f976aea0c1eec14 (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < 3b646516cba2ebc4b51a72954903326e7c1e443f (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < 807bd1258453c4c83f6ae9dbc1e7b44860ff40d0 (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < 9aeacde4da0f02d42fd968fd32f245828b230171 (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < e7ff754e339e3d5ce29aa9f95352d0186df8fbd9 (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < db2872d054e467810078e2b9f440a5b326a601b2 (git) |
| Linux | Linux | Affected: 4e8402a3f884427f9233ba436459c158d1f2e114, < dd815e6e3918dc75a49aaabac36e4f024d675101 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "187e6fe939295be36063a1d91f8bebee04399a8c",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "5229e7d15771eac2b5886bfb1f976aea0c1eec14",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "3b646516cba2ebc4b51a72954903326e7c1e443f",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "807bd1258453c4c83f6ae9dbc1e7b44860ff40d0",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "9aeacde4da0f02d42fd968fd32f245828b230171",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "e7ff754e339e3d5ce29aa9f95352d0186df8fbd9",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "db2872d054e467810078e2b9f440a5b326a601b2",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "dd815e6e3918dc75a49aaabac36e4f024d675101",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp-\u003edata without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp-\u003edata), which reads\n 4 bytes past the header (needs cmd_len \u003e= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp-\u003edata[0], 1 byte past the header\n (needs cmd_len \u003e= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:43.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/187e6fe939295be36063a1d91f8bebee04399a8c"
},
{
"url": "https://git.kernel.org/stable/c/5229e7d15771eac2b5886bfb1f976aea0c1eec14"
},
{
"url": "https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f"
},
{
"url": "https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0"
},
{
"url": "https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171"
},
{
"url": "https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9"
},
{
"url": "https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2"
},
{
"url": "https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101"
}
],
"title": "Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31393",
"datePublished": "2026-04-03T15:15:58.142Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-04-27T14:02:43.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31520 (GCVE-0-2026-31520)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
HID: apple: avoid memory leak in apple_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: apple: avoid memory leak in apple_report_fixup()
The apple_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned
pointer, but it *is* permitted to return a sub-portion of the input
rdesc, whose lifetime is managed by the caller.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < e2f090aeb7b9930a964e151910f4d45b04c8a7e5 (git) |
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < 2635d0c715f3fb177e0f80ecd5fa48feb6bf3884 (git) |
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < 31860c3f7ac66ab897a8c90dc4e74fa17ca0b624 (git) |
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < be1a341c161430282acdfe2ac99b413271575cf1 (git) |
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < e652ebd29928181c3e6820e303da25873e9917d4 (git) |
| Linux | Linux | Affected: 6e143293e17a73c9313f91c5ca3aaacbaef030cf, < 239c15116d80f67d32f00acc34575f1a6b699613 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-apple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2f090aeb7b9930a964e151910f4d45b04c8a7e5",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
},
{
"lessThan": "2635d0c715f3fb177e0f80ecd5fa48feb6bf3884",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
},
{
"lessThan": "31860c3f7ac66ab897a8c90dc4e74fa17ca0b624",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
},
{
"lessThan": "be1a341c161430282acdfe2ac99b413271575cf1",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
},
{
"lessThan": "e652ebd29928181c3e6820e303da25873e9917d4",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
},
{
"lessThan": "239c15116d80f67d32f00acc34575f1a6b699613",
"status": "affected",
"version": "6e143293e17a73c9313f91c5ca3aaacbaef030cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-apple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: avoid memory leak in apple_report_fixup()\n\nThe apple_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the caller."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:37.518Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2f090aeb7b9930a964e151910f4d45b04c8a7e5"
},
{
"url": "https://git.kernel.org/stable/c/2635d0c715f3fb177e0f80ecd5fa48feb6bf3884"
},
{
"url": "https://git.kernel.org/stable/c/31860c3f7ac66ab897a8c90dc4e74fa17ca0b624"
},
{
"url": "https://git.kernel.org/stable/c/be1a341c161430282acdfe2ac99b413271575cf1"
},
{
"url": "https://git.kernel.org/stable/c/e652ebd29928181c3e6820e303da25873e9917d4"
},
{
"url": "https://git.kernel.org/stable/c/239c15116d80f67d32f00acc34575f1a6b699613"
}
],
"title": "HID: apple: avoid memory leak in apple_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31520",
"datePublished": "2026-04-22T13:54:35.534Z",
"dateReserved": "2026-03-09T15:48:24.108Z",
"dateUpdated": "2026-04-23T15:18:37.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43038 (GCVE-0-2026-43038)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Summary
In the Linux kernel, the following vulnerability has been resolved:

ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()

Sashiko AI-review observed:

  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
  and passed to icmp6_send(), it uses IP6CB(skb2).

  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
  at offset 18.

  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).

  This would scan the inner, attacker-controlled IPv6 packet starting at that
  offset, potentially returning a fake TLV without checking if the remaining
  packet length can hold the full 18-byte struct ipv6_destopt_hao.

  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
  of the packet data into skb_shared_info?

  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
  ip6ip6_err() to prevent this?

This patch implements the first suggestion.

I am not sure if ip6ip6_err() needs to be changed.
A separate patch would be better anyway.

Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < c438ba010171b70bad22fc18b1d5bdc3627476e8 (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7 (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < a4437faf135da293d16fcc4cc607316742bd0ebb (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 3d5127d998de617b130aae96b138dba22ac6a8a7 (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < e41953e7d118e2702bcb217879c173d9d1d3cd4e (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < a2edbb6393972a02114b6003953a5cef3104fada (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 1ceeebd5bd6d855b17a5df625109bfe29129d7cf (git) |
| Linux | Linux | Affected: ca15a078bd907df5fc1c009477869c5cbde3b753 , < 86ab3e55673a7a49a841838776f1ab18d23a67b5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c438ba010171b70bad22fc18b1d5bdc3627476e8",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "a4437faf135da293d16fcc4cc607316742bd0ebb",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "3d5127d998de617b130aae96b138dba22ac6a8a7",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "e41953e7d118e2702bcb217879c173d9d1d3cd4e",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "a2edbb6393972a02114b6003953a5cef3104fada",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "1ceeebd5bd6d855b17a5df625109bfe29129d7cf",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
},
{
"lessThan": "86ab3e55673a7a49a841838776f1ab18d23a67b5",
"status": "affected",
"version": "ca15a078bd907df5fc1c009477869c5cbde3b753",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n and passed to icmp6_send(), it uses IP6CB(skb2).\n\n IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n at offset 18.\n\n If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n and uses ipv6_find_tlv(skb, opt-\u003edsthao, IPV6_TLV_HAO).\n\n This would scan the inner, attacker-controlled IPv6 packet starting at that\n offset, potentially returning a fake TLV without checking if the remaining\n packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n of the packet data into skb_shared_info?\n\n Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:17.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8"
},
{
"url": "https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"
},
{
"url": "https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb"
},
{
"url": "https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7"
},
{
"url": "https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"
},
{
"url": "https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada"
},
{
"url": "https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf"
},
{
"url": "https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5"
}
],
"title": "ipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43038",
"datePublished": "2026-05-01T14:15:35.986Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-05-03T05:46:17.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43024 (GCVE-0-2026-43024)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
netfilter: nf_tables: reject immediate NF_QUEUE verdict
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: reject immediate NF_QUEUE verdict

nft_queue is always used from userspace nftables to deliver the NF_QUEUE
verdict. Immediately emitting an NF_QUEUE verdict is never used by the
userspace nft tools, so reject immediate NF_QUEUE verdicts.

The arp family does not provide queue support, but such an immediate
verdict is still reachable. Globally reject NF_QUEUE immediate verdicts
to address this issue.

Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 55a60251fa50d4e68175e36666b536a602ce4f6c , < 2f7f825a548be55420f0f5f716f6c27b9d312d3f (git) |
| Linux | Linux | Affected: 960cf4f812530f01f6acc6878ceaa5404c06af7b , < f140593901724cfbd16597c3a4fcb24a58ae44b0 (git) |
| Linux | Linux | Affected: 8e34430e33b8a80bc014f3efe29cac76bc30a4b4 , < 68390437a998c3f2c57212b413abef5e6d657d88 (git) |
| Linux | Linux | Affected: 6653118b176a00915125521c6572ae8e507621db , < 4b12a3cc3f075e750cc3c5e693fd25fb400af4a2 (git) |
| Linux | Linux | Affected: f342de4e2f33e0e39165d8639387aa6c19dff660 , < f710691be163ae6b39e4bcab9e5be32d329f035b (git) |
| Linux | Linux | Affected: f342de4e2f33e0e39165d8639387aa6c19dff660 , < 42a47f4b1b7695026ab9bc1bb35d4622b0835c95 (git) |
| Linux | Linux | Affected: f342de4e2f33e0e39165d8639387aa6c19dff660 , < 17dc5d5a935c771338430cbc156a16a51cfd31e8 (git) |
| Linux | Linux | Affected: f342de4e2f33e0e39165d8639387aa6c19dff660 , < da107398cbd4bbdb6bffecb2ce86d5c9384f4cec (git) |
| Linux | Linux | Affected: 8365e9d92b85fda975a5ece7a3a139cb964018c8 (git) |
| Linux | Linux | Affected: 4e66422f1b56149761dc76030e6345d1cca6f869 (git) |
| Linux | Linux | Affected: f05a497e7bc8851eeeb3a58da180ba469efebb05 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f7f825a548be55420f0f5f716f6c27b9d312d3f",
"status": "affected",
"version": "55a60251fa50d4e68175e36666b536a602ce4f6c",
"versionType": "git"
},
{
"lessThan": "f140593901724cfbd16597c3a4fcb24a58ae44b0",
"status": "affected",
"version": "960cf4f812530f01f6acc6878ceaa5404c06af7b",
"versionType": "git"
},
{
"lessThan": "68390437a998c3f2c57212b413abef5e6d657d88",
"status": "affected",
"version": "8e34430e33b8a80bc014f3efe29cac76bc30a4b4",
"versionType": "git"
},
{
"lessThan": "4b12a3cc3f075e750cc3c5e693fd25fb400af4a2",
"status": "affected",
"version": "6653118b176a00915125521c6572ae8e507621db",
"versionType": "git"
},
{
"lessThan": "f710691be163ae6b39e4bcab9e5be32d329f035b",
"status": "affected",
"version": "f342de4e2f33e0e39165d8639387aa6c19dff660",
"versionType": "git"
},
{
"lessThan": "42a47f4b1b7695026ab9bc1bb35d4622b0835c95",
"status": "affected",
"version": "f342de4e2f33e0e39165d8639387aa6c19dff660",
"versionType": "git"
},
{
"lessThan": "17dc5d5a935c771338430cbc156a16a51cfd31e8",
"status": "affected",
"version": "f342de4e2f33e0e39165d8639387aa6c19dff660",
"versionType": "git"
},
{
"lessThan": "da107398cbd4bbdb6bffecb2ce86d5c9384f4cec",
"status": "affected",
"version": "f342de4e2f33e0e39165d8639387aa6c19dff660",
"versionType": "git"
},
{
"status": "affected",
"version": "8365e9d92b85fda975a5ece7a3a139cb964018c8",
"versionType": "git"
},
{
"status": "affected",
"version": "4e66422f1b56149761dc76030e6345d1cca6f869",
"versionType": "git"
},
{
"status": "affected",
"version": "f05a497e7bc8851eeeb3a58da180ba469efebb05",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.307",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject immediate NF_QUEUE verdict\n\nnft_queue is always used from userspace nftables to deliver the NF_QUEUE\nverdict. Immediately emitting an NF_QUEUE verdict is never used by the\nuserspace nft tools, so reject immediate NF_QUEUE verdicts.\n\nThe arp family does not provide queue support, but such an immediate\nverdict is still reachable. Globally reject NF_QUEUE immediate verdicts\nto address this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:26.424Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f7f825a548be55420f0f5f716f6c27b9d312d3f"
},
{
"url": "https://git.kernel.org/stable/c/f140593901724cfbd16597c3a4fcb24a58ae44b0"
},
{
"url": "https://git.kernel.org/stable/c/68390437a998c3f2c57212b413abef5e6d657d88"
},
{
"url": "https://git.kernel.org/stable/c/4b12a3cc3f075e750cc3c5e693fd25fb400af4a2"
},
{
"url": "https://git.kernel.org/stable/c/f710691be163ae6b39e4bcab9e5be32d329f035b"
},
{
"url": "https://git.kernel.org/stable/c/42a47f4b1b7695026ab9bc1bb35d4622b0835c95"
},
{
"url": "https://git.kernel.org/stable/c/17dc5d5a935c771338430cbc156a16a51cfd31e8"
},
{
"url": "https://git.kernel.org/stable/c/da107398cbd4bbdb6bffecb2ce86d5c9384f4cec"
}
],
"title": "netfilter: nf_tables: reject immediate NF_QUEUE verdict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43024",
"datePublished": "2026-05-01T14:15:26.424Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-01T14:15:26.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50298 (GCVE-0-2024-50298)
Vulnerability from cvelistv5 – Published: 2024-11-19 01:30 – Updated: 2026-03-25 10:19
Title
net: enetc: allocate vf_state during PF probes
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: enetc: allocate vf_state during PF probes

In the previous implementation, vf_state is allocated memory only when VF
is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before
VF is enabled to configure the MAC address of VF. If this is the case,
enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null
pointer. The simplified error log is as follows.

root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89
[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy
[ 173.641973] lr : do_setlink+0x4a8/0xec8
[ 173.732292] Call trace:
[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80
[ 173.738847] __rtnl_newlink+0x530/0x89c
[ 173.742692] rtnl_newlink+0x50/0x7c
[ 173.746189] rtnetlink_rcv_msg+0x128/0x390
[ 173.750298] netlink_rcv_skb+0x60/0x130
[ 173.754145] rtnetlink_rcv+0x18/0x24
[ 173.757731] netlink_unicast+0x318/0x380
[ 173.761665] netlink_sendmsg+0x17c/0x3c8

Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d4fd0404c1c95b17880f254ebfee3485693fa8ba , < 35668e29e979b3a1927d3959cdd87327afd8e5eb (git) |
| Linux | Linux | Affected: d4fd0404c1c95b17880f254ebfee3485693fa8ba , < ef0edfbe9eeed1fccad7cb705648af5222664944 (git) |
| Linux | Linux | Affected: d4fd0404c1c95b17880f254ebfee3485693fa8ba , < 7eb923f8d4819737c07d6a8d0daef0a4d7f99e0c (git) |
| Linux | Linux | Affected: d4fd0404c1c95b17880f254ebfee3485693fa8ba , < e15c5506dd39885cd047f811a64240e2e8ab401b (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:14:01.307319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:20.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35668e29e979b3a1927d3959cdd87327afd8e5eb",
"status": "affected",
"version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba",
"versionType": "git"
},
{
"lessThan": "ef0edfbe9eeed1fccad7cb705648af5222664944",
"status": "affected",
"version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba",
"versionType": "git"
},
{
"lessThan": "7eb923f8d4819737c07d6a8d0daef0a4d7f99e0c",
"status": "affected",
"version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba",
"versionType": "git"
},
{
"lessThan": "e15c5506dd39885cd047f811a64240e2e8ab401b",
"status": "affected",
"version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc_pf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.61",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: allocate vf_state during PF probes\n\nIn the previous implementation, vf_state is allocated memory only when VF\nis enabled. However, net_device_ops::ndo_set_vf_mac() may be called before\nVF is enabled to configure the MAC address of VF. If this is the case,\nenetc_pf_set_vf_mac() will access vf_state, resulting in access to a null\npointer. The simplified error log is as follows.\n\nroot@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89\n[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy\n[ 173.641973] lr : do_setlink+0x4a8/0xec8\n[ 173.732292] Call trace:\n[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80\n[ 173.738847] __rtnl_newlink+0x530/0x89c\n[ 173.742692] rtnl_newlink+0x50/0x7c\n[ 173.746189] rtnetlink_rcv_msg+0x128/0x390\n[ 173.750298] netlink_rcv_skb+0x60/0x130\n[ 173.754145] rtnetlink_rcv+0x18/0x24\n[ 173.757731] netlink_unicast+0x318/0x380\n[ 173.761665] netlink_sendmsg+0x17c/0x3c8"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:16.125Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35668e29e979b3a1927d3959cdd87327afd8e5eb"
},
{
"url": "https://git.kernel.org/stable/c/ef0edfbe9eeed1fccad7cb705648af5222664944"
},
{
"url": "https://git.kernel.org/stable/c/7eb923f8d4819737c07d6a8d0daef0a4d7f99e0c"
},
{
"url": "https://git.kernel.org/stable/c/e15c5506dd39885cd047f811a64240e2e8ab401b"
}
],
"title": "net: enetc: allocate vf_state during PF probes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50298",
"datePublished": "2024-11-19T01:30:46.029Z",
"dateReserved": "2024-10-21T19:36:19.987Z",
"dateUpdated": "2026-03-25T10:19:16.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23474 (GCVE-0-2026-23474)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
mtd: Avoid boot crash in RedBoot partition table parser
Summary
In the Linux kernel, the following vulnerability has been resolved:

mtd: Avoid boot crash in RedBoot partition table parser

Given CONFIG_FORTIFY_SOURCE=y and a recent compiler,
commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when
available") produces the warning below and an oops.

  Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000
  ------------[ cut here ]------------
  WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1
  memcmp: detected buffer overflow: 15 byte read of buffer size 14
  Modules linked in:
  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE

As Kees said, "'names' is pointing to the final 'namelen' many bytes
of the allocation ... 'namelen' could be basically any length at all.
This fortify warning looks legit to me -- this code used to be reading
beyond the end of the allocation."

Since the size of the dynamic allocation is calculated with strlen()
we can use strcmp() instead of memcmp() and remain within bounds.

Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ca235d11fc2fd8fce1dcd9d732dc780be0cde2de (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e0065e106f798ce6862251bc4fc030ac5cead940 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b08be5aca212a99f8ba786fee4922feac08002c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d8570211a2b1ec886a462daa0be4e9983ac768bb (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2025b2d1f9d5cad6ea6fe85654c6c41297c3130b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 75a4d8cfe7784f909b3bd69325abac8e04ecb385 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8e2f8020270af7777d49c2e7132260983e4fc566 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/parsers/redboot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca235d11fc2fd8fce1dcd9d732dc780be0cde2de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e0065e106f798ce6862251bc4fc030ac5cead940",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b08be5aca212a99f8ba786fee4922feac08002c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d8570211a2b1ec886a462daa0be4e9983ac768bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2025b2d1f9d5cad6ea6fe85654c6c41297c3130b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "75a4d8cfe7784f909b3bd69325abac8e04ecb385",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8e2f8020270af7777d49c2e7132260983e4fc566",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/parsers/redboot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Avoid boot crash in RedBoot partition table parser\n\nGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,\ncommit 439a1bcac648 (\"fortify: Use __builtin_dynamic_object_size() when\navailable\") produces the warning below and an oops.\n\n Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000\n ------------[ cut here ]------------\n WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1\n memcmp: detected buffer overflow: 15 byte read of buffer size 14\n Modules linked in:\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE\n\nAs Kees said, \"\u0027names\u0027 is pointing to the final \u0027namelen\u0027 many bytes\nof the allocation ... \u0027namelen\u0027 could be basically any length at all.\nThis fortify warning looks legit to me -- this code used to be reading\nbeyond the end of the allocation.\"\n\nSince the size of the dynamic allocation is calculated with strlen()\nwe can use strcmp() instead of memcmp() and remain within bounds."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:13.577Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca235d11fc2fd8fce1dcd9d732dc780be0cde2de"
},
{
"url": "https://git.kernel.org/stable/c/e0065e106f798ce6862251bc4fc030ac5cead940"
},
{
"url": "https://git.kernel.org/stable/c/0b08be5aca212a99f8ba786fee4922feac08002c"
},
{
"url": "https://git.kernel.org/stable/c/d8570211a2b1ec886a462daa0be4e9983ac768bb"
},
{
"url": "https://git.kernel.org/stable/c/2025b2d1f9d5cad6ea6fe85654c6c41297c3130b"
},
{
"url": "https://git.kernel.org/stable/c/c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c"
},
{
"url": "https://git.kernel.org/stable/c/75a4d8cfe7784f909b3bd69325abac8e04ecb385"
},
{
"url": "https://git.kernel.org/stable/c/8e2f8020270af7777d49c2e7132260983e4fc566"
}
],
"title": "mtd: Avoid boot crash in RedBoot partition table parser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23474",
"datePublished": "2026-04-03T15:15:53.406Z",
"dateReserved": "2026-01-13T15:37:46.022Z",
"dateUpdated": "2026-04-18T08:59:13.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38436 (GCVE-0-2025-38436)
Vulnerability from cvelistv5 – Published: 2025-07-25 14:32 – Updated: 2026-04-18 08:56
Title
drm/scheduler: signal scheduled fence when kill job
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/scheduler: signal scheduled fence when kill job
When an entity from application B is killed, drm_sched_entity_kill()
removes all jobs belonging to that entity through
drm_sched_entity_kill_jobs_work(). If application A's job depends on a
scheduled fence from application B's job, and that fence is not properly
signaled during the killing process, application A's dependency cannot be
cleared.
This leads to application A hanging indefinitely while waiting for a
dependency that will never be resolved. Fix this issue by ensuring that
scheduled fences are properly signaled when an entity is killed, allowing
dependent applications to continue execution.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < 8342127a8a65b0673863b106ce32b79c91ae3270 (git) |
| Linux | Linux | Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < c5734f9bab6f0d40577ad0633af4090a5fda2407 (git) |
| Linux | Linux | Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < aefd0a935625165a6ca36d0258d2d053901555df (git) |
| Linux | Linux | Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < aa382a8b6ed483e9812d0e63b6d1bdcba0186f29 (git) |
| Linux | Linux | Affected: a72ce6f84109c1dec1ab236d65979d3250668af3 , < 471db2c2d4f80ee94225a1ef246e4f5011733e50 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8342127a8a65b0673863b106ce32b79c91ae3270",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "c5734f9bab6f0d40577ad0633af4090a5fda2407",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "aefd0a935625165a6ca36d0258d2d053901555df",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "aa382a8b6ed483e9812d0e63b6d1bdcba0186f29",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
},
{
"lessThan": "471db2c2d4f80ee94225a1ef246e4f5011733e50",
"status": "affected",
"version": "a72ce6f84109c1dec1ab236d65979d3250668af3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/scheduler: signal scheduled fence when kill job\n\nWhen an entity from application B is killed, drm_sched_entity_kill()\nremoves all jobs belonging to that entity through\ndrm_sched_entity_kill_jobs_work(). If application A\u0027s job depends on a\nscheduled fence from application B\u0027s job, and that fence is not properly\nsignaled during the killing process, application A\u0027s dependency cannot be\ncleared.\n\nThis leads to application A hanging indefinitely while waiting for a\ndependency that will never be resolved. Fix this issue by ensuring that\nscheduled fences are properly signaled when an entity is killed, allowing\ndependent applications to continue execution."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:56:56.830Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8342127a8a65b0673863b106ce32b79c91ae3270"
},
{
"url": "https://git.kernel.org/stable/c/c5734f9bab6f0d40577ad0633af4090a5fda2407"
},
{
"url": "https://git.kernel.org/stable/c/aefd0a935625165a6ca36d0258d2d053901555df"
},
{
"url": "https://git.kernel.org/stable/c/aa382a8b6ed483e9812d0e63b6d1bdcba0186f29"
},
{
"url": "https://git.kernel.org/stable/c/471db2c2d4f80ee94225a1ef246e4f5011733e50"
}
],
"title": "drm/scheduler: signal scheduled fence when kill job",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38436",
"datePublished": "2025-07-25T14:32:09.945Z",
"dateReserved": "2025-04-16T04:51:24.016Z",
"dateUpdated": "2026-04-18T08:56:56.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31400 (GCVE-0-2026-31400)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-18 08:59
Title
sunrpc: fix cache_request leak in cache_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix cache_request leak in cache_release
When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.
In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.
The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.
Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1dfedb293943e491379c9302b428e6f920a73d12 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f18c1f2a88ca91357916997cdb0f7adaf14fc497 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7bcd5e318876ac638c8ceade7a648e76ac8c48e1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 41f6ba6c98a618043d2cd71030bf9a752dfab8b2 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 301670dcd098c1fe5c2fe90fb3c7a8f4814d2351 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < be5c35960e5ead70862736161836e2d1bc7352dc (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 373457de14281c1fc7cace6fc4c8a267fc176673 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17ad31b3a43b72aec3a3d83605891e1397d0d065 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dfedb293943e491379c9302b428e6f920a73d12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f18c1f2a88ca91357916997cdb0f7adaf14fc497",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bcd5e318876ac638c8ceade7a648e76ac8c48e1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41f6ba6c98a618043d2cd71030bf9a752dfab8b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "301670dcd098c1fe5c2fe90fb3c7a8f4814d2351",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be5c35960e5ead70862736161836e2d1bc7352dc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "373457de14281c1fc7cace6fc4c8a267fc176673",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ad31b3a43b72aec3a3d83605891e1397d0d065",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix cache_request leak in cache_release\n\nWhen a reader\u0027s file descriptor is closed while in the middle of reading\na cache_request (rp-\u003eoffset != 0), cache_release() decrements the\nrequest\u0027s readers count but never checks whether it should free the\nrequest.\n\nIn cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the\ncache_request is removed from the queue and freed along with its buffer\nand cache_head reference. cache_release() lacks this cleanup.\n\nThe only other path that frees requests with readers == 0 is\ncache_dequeue(), but it runs only when CACHE_PENDING transitions from\nset to clear. If that transition already happened while readers was\nstill non-zero, cache_dequeue() will have skipped the request, and no\nsubsequent call will clean it up.\n\nAdd the same cleanup logic from cache_read() to cache_release(): after\ndecrementing readers, check if it reached 0 with CACHE_PENDING clear,\nand if so, dequeue and free the cache_request."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:20.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12"
},
{
"url": "https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497"
},
{
"url": "https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1"
},
{
"url": "https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2"
},
{
"url": "https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351"
},
{
"url": "https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc"
},
{
"url": "https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673"
},
{
"url": "https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065"
}
],
"title": "sunrpc: fix cache_request leak in cache_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31400",
"datePublished": "2026-04-03T15:16:03.906Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-04-18T08:59:20.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31402 (GCVE-0-2026-31402)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-27 14:02
Title
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9fcb4441f6c02bb20c2eb340101e27dfe23607c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9452c0797c95cf2378170df96cf4f4b3bca7eff (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f0e2a54a31a7f9ad2915db99156114872317388 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8498337dfdfda71bdd0b807c9a23a126011d76 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5133b61aaf437e5f25b1b396b14242a6bb0508e2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:49.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
},
{
"url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
},
{
"url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
},
{
"url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
},
{
"url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
},
{
"url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
},
{
"url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
}
],
"title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31402",
"datePublished": "2026-04-03T15:16:05.724Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-04-27T14:02:49.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31421 (GCVE-0-2026-31421)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
The old-method path in fw_classify() calls tcf_block_q() and
dereferences q->handle. Shared blocks leave block->q NULL, causing a
NULL deref when an empty cls_fw filter is attached to a shared block
and a packet with a nonzero major skb mark is classified.
Reject the configuration in fw_change() when the old method (no
TCA_OPTIONS) is used on a shared block, since fw_classify()'s
old-method path needs block->q which is NULL for shared blocks.
The fixed null-ptr-deref calling stack:
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
Call Trace:
tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
tc_run (net/core/dev.c:4401)
__dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < d6d5bd62a09650856e1e2010eb09853eba0d64e1 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < febf64ca79a2d6540ab6e5e197fa0f4f7e84473e (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 3d41f9a314afa94b1c7c7c75405920123220e8cd (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 5cf41031922c154aa5ccda8bcdb0f5e6226582ec (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 3cb055df9e8625ce699a259d8178d67b37f2b160 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 96426c348def662b06bfdc65be3002905604927a (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < faeea8bbf6e958bf3c00cb08263109661975987c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6d5bd62a09650856e1e2010eb09853eba0d64e1",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "febf64ca79a2d6540ab6e5e197fa0f4f7e84473e",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "3d41f9a314afa94b1c7c7c75405920123220e8cd",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "5cf41031922c154aa5ccda8bcdb0f5e6226582ec",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "3cb055df9e8625ce699a259d8178d67b37f2b160",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "96426c348def662b06bfdc65be3002905604927a",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "faeea8bbf6e958bf3c00cb08263109661975987c",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q-\u003ehandle. Shared blocks leave block-\u003eq NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()\u0027s\nold-method path needs block-\u003eq which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n tc_run (net/core/dev.c:4401)\n __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:33.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1"
},
{
"url": "https://git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e"
},
{
"url": "https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd"
},
{
"url": "https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28"
},
{
"url": "https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec"
},
{
"url": "https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160"
},
{
"url": "https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a"
},
{
"url": "https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"
}
],
"title": "net/sched: cls_fw: fix NULL pointer dereference on shared blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31421",
"datePublished": "2026-04-13T13:40:25.278Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:33.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31417 (GCVE-0-2026-31417)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-04-27 14:03
Title
net/x25: Fix overflow when accumulating packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix overflow when accumulating packets
Add a check to ensure that `x25_sock.fraglen` does not overflow.
The `fraglen` also needs to be reset when purging `fragment_queue` in
`x25_clear_queues()`.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 96fc16370b0bceb289c7e0479bd0540b81e257aa (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 798d613afb64b01a203f448fb0f43c37c6afe79d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6e568835ea54a3e1d08e310e34f95d434e739477 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1734bd85c5e0a7a801295b729efb56b009cb8fc3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e2d1bcef78d21247fe8fef13bc7ed95885df2b5 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8c92969c197b91c134be27dc3afb64ab468853a9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f953f11ccf4afe6feb635c08145f4240d9a6b544 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1822cb524e89b4cd2cf0b82e484a2335496a6d9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/x25/x25_in.c",
"net/x25/x25_subr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96fc16370b0bceb289c7e0479bd0540b81e257aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "798d613afb64b01a203f448fb0f43c37c6afe79d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e568835ea54a3e1d08e310e34f95d434e739477",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1734bd85c5e0a7a801295b729efb56b009cb8fc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e2d1bcef78d21247fe8fef13bc7ed95885df2b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c92969c197b91c134be27dc3afb64ab468853a9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f953f11ccf4afe6feb635c08145f4240d9a6b544",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1822cb524e89b4cd2cf0b82e484a2335496a6d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/x25/x25_in.c",
"net/x25/x25_subr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be resetted when purging `fragment_queue` in\n`x25_clear_queues()`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:00.397Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96fc16370b0bceb289c7e0479bd0540b81e257aa"
},
{
"url": "https://git.kernel.org/stable/c/798d613afb64b01a203f448fb0f43c37c6afe79d"
},
{
"url": "https://git.kernel.org/stable/c/6e568835ea54a3e1d08e310e34f95d434e739477"
},
{
"url": "https://git.kernel.org/stable/c/1734bd85c5e0a7a801295b729efb56b009cb8fc3"
},
{
"url": "https://git.kernel.org/stable/c/4e2d1bcef78d21247fe8fef13bc7ed95885df2b5"
},
{
"url": "https://git.kernel.org/stable/c/8c92969c197b91c134be27dc3afb64ab468853a9"
},
{
"url": "https://git.kernel.org/stable/c/f953f11ccf4afe6feb635c08145f4240d9a6b544"
},
{
"url": "https://git.kernel.org/stable/c/a1822cb524e89b4cd2cf0b82e484a2335496a6d9"
}
],
"title": "net/x25: Fix overflow when accumulating packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31417",
"datePublished": "2026-04-13T13:21:04.638Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-27T14:03:00.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31455 (GCVE-0-2026-31455)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-22 13:53
Title
xfs: stop reclaim before pushing AIL during unmount
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: stop reclaim before pushing AIL during unmount
The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while
background reclaim and inodegc are still running. This is broken
independently of any use-after-free issues - background reclaim and
inodegc should not be running while the AIL is being pushed during
unmount, as inodegc can dirty and insert inodes into the AIL during the
flush, and background reclaim can race to abort and free dirty inodes.
Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background
reclaim before pushing the AIL. Stop inodegc before cancelling
m_reclaim_work because the inodegc worker can re-queue m_reclaim_work
via xfs_inodegc_set_reclaimable.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < e6cc490048f78b009259a5f032acead9f789c34c (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 239d734c00644072862fa833805c4471573b1445 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < bda27fc0b4eb3a425d9a18475c4cb94fbe862c60 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < d38135af04a3ad8a585c899d176efc8e97853115 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < a89434a6188d8430ea31120da96e3e4cefb58686 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 8147e304d7d32fd5c3e943babc296ce2873dc279 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 558e3275d8a3b101be18a7fe7d1634053e9d9b07 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 4f24a767e3d64a5f58c595b5c29b6063a201f1e3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_mount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6cc490048f78b009259a5f032acead9f789c34c",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "239d734c00644072862fa833805c4471573b1445",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "bda27fc0b4eb3a425d9a18475c4cb94fbe862c60",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "d38135af04a3ad8a585c899d176efc8e97853115",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "a89434a6188d8430ea31120da96e3e4cefb58686",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "8147e304d7d32fd5c3e943babc296ce2873dc279",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "558e3275d8a3b101be18a7fe7d1634053e9d9b07",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "4f24a767e3d64a5f58c595b5c29b6063a201f1e3",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_mount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: stop reclaim before pushing AIL during unmount\n\nThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while\nbackground reclaim and inodegc are still running. This is broken\nindependently of any use-after-free issues - background reclaim and\ninodegc should not be running while the AIL is being pushed during\nunmount, as inodegc can dirty and insert inodes into the AIL during the\nflush, and background reclaim can race to abort and free dirty inodes.\n\nReorder xfs_unmount_flush_inodes() to stop inodegc and cancel background\nreclaim before pushing the AIL. Stop inodegc before cancelling\nm_reclaim_work because the inodegc worker can re-queue m_reclaim_work\nvia xfs_inodegc_set_reclaimable."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:53:48.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6cc490048f78b009259a5f032acead9f789c34c"
},
{
"url": "https://git.kernel.org/stable/c/239d734c00644072862fa833805c4471573b1445"
},
{
"url": "https://git.kernel.org/stable/c/bda27fc0b4eb3a425d9a18475c4cb94fbe862c60"
},
{
"url": "https://git.kernel.org/stable/c/d38135af04a3ad8a585c899d176efc8e97853115"
},
{
"url": "https://git.kernel.org/stable/c/a89434a6188d8430ea31120da96e3e4cefb58686"
},
{
"url": "https://git.kernel.org/stable/c/8147e304d7d32fd5c3e943babc296ce2873dc279"
},
{
"url": "https://git.kernel.org/stable/c/558e3275d8a3b101be18a7fe7d1634053e9d9b07"
},
{
"url": "https://git.kernel.org/stable/c/4f24a767e3d64a5f58c595b5c29b6063a201f1e3"
}
],
"title": "xfs: stop reclaim before pushing AIL during unmount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31455",
"datePublished": "2026-04-22T13:53:48.914Z",
"dateReserved": "2026-03-09T15:48:24.092Z",
"dateUpdated": "2026-04-22T13:53:48.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31504 (GCVE-0-2026-31504)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
net: fix fanout UAF in packet_release() via NETDEV_UP race
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix fanout UAF in packet_release() via NETDEV_UP race
`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.
The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.
This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ee642b1962caa9aa231c01abbd58bc453ae6b66e (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42cfd7898eeed290c9fb73f732af1f7d6b0a703e (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 1b4c03f8892d955385c202009af7485364731bb9 (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 654386baef228c2992dbf604c819e4c7c35fc71b (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 75fe6db23705a1d55160081f7b37db9665b1880b (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6 (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < ceccbfc6de720ad633519a226715989cfb065af1 (git) |
| Linux | Linux | Affected: ce06b03e60fc19c680d1bf873e779bf11c2fc518 , < 42156f93d123436f2a27c468f18c966b7e5db796 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee642b1962caa9aa231c01abbd58bc453ae6b66e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42cfd7898eeed290c9fb73f732af1f7d6b0a703e",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "1b4c03f8892d955385c202009af7485364731bb9",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "654386baef228c2992dbf604c819e4c7c35fc71b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "75fe6db23705a1d55160081f7b37db9665b1880b",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "ceccbfc6de720ad633519a226715989cfb065af1",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
},
{
"lessThan": "42156f93d123436f2a27c468f18c966b7e5db796",
"status": "affected",
"version": "ce06b03e60fc19c680d1bf873e779bf11c2fc518",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:42.262Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee642b1962caa9aa231c01abbd58bc453ae6b66e"
},
{
"url": "https://git.kernel.org/stable/c/42cfd7898eeed290c9fb73f732af1f7d6b0a703e"
},
{
"url": "https://git.kernel.org/stable/c/1b4c03f8892d955385c202009af7485364731bb9"
},
{
"url": "https://git.kernel.org/stable/c/654386baef228c2992dbf604c819e4c7c35fc71b"
},
{
"url": "https://git.kernel.org/stable/c/75fe6db23705a1d55160081f7b37db9665b1880b"
},
{
"url": "https://git.kernel.org/stable/c/d0c7cdc15fdf8c4f91aca1928e52295d175b6ec6"
},
{
"url": "https://git.kernel.org/stable/c/ceccbfc6de720ad633519a226715989cfb065af1"
},
{
"url": "https://git.kernel.org/stable/c/42156f93d123436f2a27c468f18c966b7e5db796"
}
],
"title": "net: fix fanout UAF in packet_release() via NETDEV_UP race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31504",
"datePublished": "2026-04-22T13:54:23.862Z",
"dateReserved": "2026-03-09T15:48:24.105Z",
"dateUpdated": "2026-04-27T14:03:42.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31548 (GCVE-0-2026-31548)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-27 14:03
Title
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.
Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < 28d3551f8d8cb3aec7497894d94150fe84d20e5e (git) |
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < 37e776e2e0a523731e2470dce6d563f0e8632a40 (git) |
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa (git) |
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf (git) |
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < 72b7ea786b8e570ae11149e9089859a4a8634a13 (git) |
| Linux | Linux | Affected: 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 , < 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/pmsr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28d3551f8d8cb3aec7497894d94150fe84d20e5e",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
},
{
"lessThan": "37e776e2e0a523731e2470dce6d563f0e8632a40",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
},
{
"lessThan": "d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
},
{
"lessThan": "a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
},
{
"lessThan": "72b7ea786b8e570ae11149e9089859a4a8634a13",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
},
{
"lessThan": "6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09",
"status": "affected",
"version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/pmsr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down\n\nWhen the nl80211 socket that originated a PMSR request is\nclosed, cfg80211_release_pmsr() sets the request\u0027s nl_portid\nto zero and schedules pmsr_free_wk to process the abort\nasynchronously. If the interface is concurrently torn down\nbefore that work runs, cfg80211_pmsr_wdev_down() calls\ncfg80211_pmsr_process_abort() directly. However, the already-\nscheduled pmsr_free_wk work item remains pending and may run\nafter the interface has been removed from the driver. This\ncould cause the driver\u0027s abort_pmsr callback to operate on a\ntorn-down interface, leading to undefined behavior and\npotential crashes.\n\nCancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()\nbefore calling cfg80211_pmsr_process_abort(). This ensures any\npending or in-progress work is drained before interface teardown\nproceeds, preventing the work from invoking the driver abort\ncallback after the interface is gone."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:59.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28d3551f8d8cb3aec7497894d94150fe84d20e5e"
},
{
"url": "https://git.kernel.org/stable/c/37e776e2e0a523731e2470dce6d563f0e8632a40"
},
{
"url": "https://git.kernel.org/stable/c/d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa"
},
{
"url": "https://git.kernel.org/stable/c/a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf"
},
{
"url": "https://git.kernel.org/stable/c/72b7ea786b8e570ae11149e9089859a4a8634a13"
},
{
"url": "https://git.kernel.org/stable/c/6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09"
}
],
"title": "wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31548",
"datePublished": "2026-04-24T14:33:16.021Z",
"dateReserved": "2026-03-09T15:48:24.114Z",
"dateUpdated": "2026-04-27T14:03:59.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31674 (GCVE-0-2026-31674)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:04
Title
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.
rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation so malformed rules are rejected
before the match logic can use an out-of-range value.
Severity
7.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < af9b7e2b765966457f4ec23be5bd34a141f89574 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29ea965a1353bc8303877422f79c8211e9ba9c55 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ded71f5684df16fa645cca5bf4fe6b0cd8a46119 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d8795fde1f78669a87c87ac29fceab2f104daa8c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a28ebf6f99de270d6338ccdc3b49f3e818f99b7b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d3f027327c2fa265f7f85ead41294792c3296ed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af9b7e2b765966457f4ec23be5bd34a141f89574",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29ea965a1353bc8303877422f79c8211e9ba9c55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ded71f5684df16fa645cca5bf4fe6b0cd8a46119",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d8795fde1f78669a87c87ac29fceab2f104daa8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a28ebf6f99de270d6338ccdc3b49f3e818f99b7b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d3f027327c2fa265f7f85ead41294792c3296ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_rt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo-\u003eaddrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:55.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13e3e30ed3b5b67cc1db2bd58a5d09b0f07debfa"
},
{
"url": "https://git.kernel.org/stable/c/af9b7e2b765966457f4ec23be5bd34a141f89574"
},
{
"url": "https://git.kernel.org/stable/c/29ea965a1353bc8303877422f79c8211e9ba9c55"
},
{
"url": "https://git.kernel.org/stable/c/c6a503a9f4debc654e3a6a7ca1f7fce6a9953c59"
},
{
"url": "https://git.kernel.org/stable/c/ded71f5684df16fa645cca5bf4fe6b0cd8a46119"
},
{
"url": "https://git.kernel.org/stable/c/d8795fde1f78669a87c87ac29fceab2f104daa8c"
},
{
"url": "https://git.kernel.org/stable/c/a28ebf6f99de270d6338ccdc3b49f3e818f99b7b"
},
{
"url": "https://git.kernel.org/stable/c/9d3f027327c2fa265f7f85ead41294792c3296ed"
}
],
"title": "netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31674",
"datePublished": "2026-04-25T08:46:50.180Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:55.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31755 (GCVE-0-2026-31755)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
When the gadget endpoint is disabled or not yet configured, the ep->desc
pointer can be NULL. This leads to a NULL pointer dereference when
__cdns3_gadget_ep_queue() is called, causing a kernel crash.
Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
standard return code for unconfigured endpoints.
This prevents potential crashes when ep_queue is called on endpoints
that are not ready.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < 3d1433fe34b224b90259e207e5389e95b504ef04 (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < fb2ad0c1334a3eccfe4ed203f9eef5a4879226f6 (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < 9ab9b0e5fcdac325f950fc8b6caa08a9e22a0db9 (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < d61446dfc9d387775bb1b95b081953201b9222af (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < 390536cc6af4ca5566bc3bf1f8b704700380cd2c (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < 14bf08ab2cdfcdfd3f13e799d06692a1b3e0745f (git) |
| Linux | Linux | Affected: 7733f6c32e36ff9d7adadf40001039bf219b1cbe , < 7f6f127b9bc34bed35f56faf7ecb1561d6b39000 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d1433fe34b224b90259e207e5389e95b504ef04",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "fb2ad0c1334a3eccfe4ed203f9eef5a4879226f6",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "9ab9b0e5fcdac325f950fc8b6caa08a9e22a0db9",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "d61446dfc9d387775bb1b95b081953201b9222af",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "390536cc6af4ca5566bc3bf1f8b704700380cd2c",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "14bf08ab2cdfcdfd3f13e799d06692a1b3e0745f",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "7f6f127b9bc34bed35f56faf7ecb1561d6b39000",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix NULL pointer dereference in ep_queue\n\nWhen the gadget endpoint is disabled or not yet configured, the ep-\u003edesc\npointer can be NULL. This leads to a NULL pointer dereference when\n__cdns3_gadget_ep_queue() is called, causing a kernel crash.\n\nAdd a check to return -ESHUTDOWN if ep-\u003edesc is NULL, which is the\nstandard return code for unconfigured endpoints.\n\nThis prevents potential crashes when ep_queue is called on endpoints\nthat are not ready."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:46.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d1433fe34b224b90259e207e5389e95b504ef04"
},
{
"url": "https://git.kernel.org/stable/c/fb2ad0c1334a3eccfe4ed203f9eef5a4879226f6"
},
{
"url": "https://git.kernel.org/stable/c/9ab9b0e5fcdac325f950fc8b6caa08a9e22a0db9"
},
{
"url": "https://git.kernel.org/stable/c/d61446dfc9d387775bb1b95b081953201b9222af"
},
{
"url": "https://git.kernel.org/stable/c/390536cc6af4ca5566bc3bf1f8b704700380cd2c"
},
{
"url": "https://git.kernel.org/stable/c/14bf08ab2cdfcdfd3f13e799d06692a1b3e0745f"
},
{
"url": "https://git.kernel.org/stable/c/7f6f127b9bc34bed35f56faf7ecb1561d6b39000"
}
],
"title": "usb: cdns3: gadget: fix NULL pointer dereference in ep_queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31755",
"datePublished": "2026-05-01T14:14:46.288Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:46.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68265 (GCVE-0-2025-68265)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:47 – Updated: 2026-04-11 12:45
Title
nvme: fix admin request_queue lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix admin request_queue lifetime
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < 4896491c497226022626c3acc46044fd182f943c (git) |
| Linux | Linux | Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < a505f0ba36ab24176c300d7ff56aff85c2977e6c (git) |
| Linux | Linux | Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e8061d02b49c5c901980f58d91e96580e9a14acf (git) |
| Linux | Linux | Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < e7dac681790556c131854b97551337aa8042215b (git) |
| Linux | Linux | Affected: fe60e8c534118a288cd251a59d747cbf5c03e160 , < 03b3bcd319b3ab5182bc9aaa0421351572c78ac0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4896491c497226022626c3acc46044fd182f943c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "a505f0ba36ab24176c300d7ff56aff85c2977e6c",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e8061d02b49c5c901980f58d91e96580e9a14acf",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "e7dac681790556c131854b97551337aa8042215b",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
},
{
"lessThan": "03b3bcd319b3ab5182bc9aaa0421351572c78ac0",
"status": "affected",
"version": "fe60e8c534118a288cd251a59d747cbf5c03e160",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller\u0027s admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller\u0027s \u0027put\u0027 to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x60\n print_report+0xc4/0x620\n ? _raw_spin_lock_irqsave+0x70/0xb0\n ? _raw_read_unlock_irqrestore+0x30/0x30\n ? blk_queue_enter+0x41c/0x4a0\n kasan_report+0xab/0xe0\n ? blk_queue_enter+0x41c/0x4a0\n blk_queue_enter+0x41c/0x4a0\n ? __irq_work_queue_local+0x75/0x1d0\n ? blk_queue_start_drain+0x70/0x70\n ? irq_work_queue+0x18/0x20\n ? vprintk_emit.part.0+0x1cc/0x350\n ? wake_up_klogd_work_func+0x60/0x60\n blk_mq_alloc_request+0x2b7/0x6b0\n ? __blk_mq_alloc_requests+0x1060/0x1060\n ? __switch_to+0x5b7/0x1060\n nvme_submit_user_cmd+0xa9/0x330\n nvme_user_cmd.isra.0+0x240/0x3f0\n ? force_sigsegv+0xe0/0xe0\n ? nvme_user_cmd64+0x400/0x400\n ? vfs_fileattr_set+0x9b0/0x9b0\n ? cgroup_update_frozen_flag+0x24/0x1c0\n ? cgroup_leave_frozen+0x204/0x330\n ? nvme_ioctl+0x7c/0x2c0\n blkdev_ioctl+0x1a8/0x4d0\n ? blkdev_common_ioctl+0x1930/0x1930\n ? 
fdget+0x54/0x380\n __x64_sys_ioctl+0x129/0x190\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f765f703b0b\n Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:42.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4896491c497226022626c3acc46044fd182f943c"
},
{
"url": "https://git.kernel.org/stable/c/a505f0ba36ab24176c300d7ff56aff85c2977e6c"
},
{
"url": "https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf"
},
{
"url": "https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b"
},
{
"url": "https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0"
}
],
"title": "nvme: fix admin request_queue lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68265",
"datePublished": "2025-12-16T14:47:05.303Z",
"dateReserved": "2025-12-16T13:41:40.268Z",
"dateUpdated": "2026-04-11T12:45:42.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23312 (GCVE-0-2026-23312)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
Title
net: usb: kaweth: validate USB endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: kaweth: validate USB endpoints
The kaweth driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b5075e4ce97d1a1ce82ff3fb6308761987a48bb (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6c986abd2a5033633c6e6f9dd135cf96b19c7fdf (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7c7ebf5e45d2504d92ea294ac3828d58586491df (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 72f90f481c6a059680b9b976695d4cfb04fba1f3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f33e80d195a003b384620ee240f69092b519146b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2795fc06e7652c0ba299d936c584d5e08b6b57a1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0aae18e4638a7c1c579df92bc6edc36cedfaaa8c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b063c002ca759d1b299988ee23f564c9609c875 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kaweth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b5075e4ce97d1a1ce82ff3fb6308761987a48bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c986abd2a5033633c6e6f9dd135cf96b19c7fdf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c7ebf5e45d2504d92ea294ac3828d58586491df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72f90f481c6a059680b9b976695d4cfb04fba1f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f33e80d195a003b384620ee240f69092b519146b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2795fc06e7652c0ba299d936c584d5e08b6b57a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aae18e4638a7c1c579df92bc6edc36cedfaaa8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b063c002ca759d1b299988ee23f564c9609c875",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kaweth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: validate USB endpoints\n\nThe kaweth driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:54.585Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b5075e4ce97d1a1ce82ff3fb6308761987a48bb"
},
{
"url": "https://git.kernel.org/stable/c/6c986abd2a5033633c6e6f9dd135cf96b19c7fdf"
},
{
"url": "https://git.kernel.org/stable/c/7c7ebf5e45d2504d92ea294ac3828d58586491df"
},
{
"url": "https://git.kernel.org/stable/c/72f90f481c6a059680b9b976695d4cfb04fba1f3"
},
{
"url": "https://git.kernel.org/stable/c/f33e80d195a003b384620ee240f69092b519146b"
},
{
"url": "https://git.kernel.org/stable/c/2795fc06e7652c0ba299d936c584d5e08b6b57a1"
},
{
"url": "https://git.kernel.org/stable/c/0aae18e4638a7c1c579df92bc6edc36cedfaaa8c"
},
{
"url": "https://git.kernel.org/stable/c/4b063c002ca759d1b299988ee23f564c9609c875"
}
],
"title": "net: usb: kaweth: validate USB endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23312",
"datePublished": "2026-03-25T10:27:07.916Z",
"dateReserved": "2026-01-13T15:37:45.994Z",
"dateUpdated": "2026-04-18T08:57:54.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23401 (GCVE-0-2026-23401)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-18 08:58
Title
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulated MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 20656cd1f243d3a154aac5dd1b823110b6906fe1 (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < ed5909992f344a7d3f4024261e9f751d9618a27d (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < fd28c5618699180cd69619801e9ae6a5266c0a22 (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 459158151a158a6703b49f3c9de0e536d8bd553f (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 695320de6eadb75aaed8be1787c4ce4c189e4c7b (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < bce7fe59d43531623f3e43779127bfb33804925d (git) |
| Linux | Linux | Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < aad885e774966e97b675dfe928da164214a71605 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20656cd1f243d3a154aac5dd1b823110b6906fe1",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "ed5909992f344a7d3f4024261e9f751d9618a27d",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "fd28c5618699180cd69619801e9ae6a5266c0a22",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "459158151a158a6703b49f3c9de0e536d8bd553f",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "695320de6eadb75aaed8be1787c4ce4c189e4c7b",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "bce7fe59d43531623f3e43779127bfb33804925d",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "aad885e774966e97b675dfe928da164214a71605",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it\u0027s shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n ------------[ cut here ]------------\n is_shadow_present_pte(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n Call Trace:\n \u003cTASK\u003e\n mmu_set_spte+0x237/0x440 [kvm]\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x47fa3f\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:35.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20656cd1f243d3a154aac5dd1b823110b6906fe1"
},
{
"url": "https://git.kernel.org/stable/c/ed5909992f344a7d3f4024261e9f751d9618a27d"
},
{
"url": "https://git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22"
},
{
"url": "https://git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f"
},
{
"url": "https://git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b"
},
{
"url": "https://git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d"
},
{
"url": "https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605"
}
],
"title": "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23401",
"datePublished": "2026-04-01T08:36:32.367Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-18T08:58:35.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31664 (GCVE-0-2026-31664)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
xfrm: clear trailing padding in build_polexpire()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.
The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.
Add the missing memset_after() call, matching build_expire().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ac6985903db047eaff54db929e4bf6b06782788e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c221ed63a2769a0af8bd849dfe25740048f34ef4 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eda30846ea54f8ed218468e5480c8305ca645e37 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b1dfd6b27df35ef4f87825aa5f607378d23ff0f2 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e1af65c669ebb1666c54576614c01a7f9ffcfff6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 71a98248c63c535eaa4d4c22f099b68d902006d0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac6985903db047eaff54db929e4bf6b06782788e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c221ed63a2769a0af8bd849dfe25740048f34ef4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eda30846ea54f8ed218468e5480c8305ca645e37",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1dfd6b27df35ef4f87825aa5f607378d23ff0f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1af65c669ebb1666c54576614c01a7f9ffcfff6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71a98248c63c535eaa4d4c22f099b68d902006d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:13.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e"
},
{
"url": "https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4"
},
{
"url": "https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37"
},
{
"url": "https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2"
},
{
"url": "https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6"
},
{
"url": "https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0"
}
],
"title": "xfrm: clear trailing padding in build_polexpire()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31664",
"datePublished": "2026-04-24T14:45:13.922Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:13.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23460 (GCVE-0-2026-23460)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
syzkaller reported a bug [1], and the reproducer is available at [2].
ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
When rose_connect() is called a second time while the first connection
attempt is still in progress (TCP_SYN_SENT), it overwrites
rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
When the socket is subsequently closed, rose_release() sees
ROSE_STATE_1 and calls rose_write_internal() ->
rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
Per connect(2), a second connect() while a connection is already in
progress should return -EALREADY. Add this missing check for
TCP_SYN_SENT to complete the state validation in rose_connect().
[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c85fe6580e86947ca07907ebf4363a73c156fda7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c9fb70a206a8734e10468ecc24d57c7596cf64e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 508f49ccbe0329641bb681f7d0052bb4e5943252 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c3e8bff808f17ad37a51d8e719eed22c7863120 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a12254050e3050f1011cd24f3b880a6882d0139d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e1f0a18c9564cdb16523c802e2c6fe5874e3d944 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c85fe6580e86947ca07907ebf4363a73c156fda7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c9fb70a206a8734e10468ecc24d57c7596cf64e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "508f49ccbe0329641bb681f7d0052bb4e5943252",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c3e8bff808f17ad37a51d8e719eed22c7863120",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a12254050e3050f1011cd24f3b880a6882d0139d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1f0a18c9564cdb16523c802e2c6fe5874e3d944",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rose: fix NULL pointer dereference in rose_transmit_link on reconnect\n\nsyzkaller reported a bug [1], and the reproducer is available at [2].\n\nROSE sockets use four sk-\u003esk_state values: TCP_CLOSE, TCP_LISTEN,\nTCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects\ncalls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING\n(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.\n\nWhen rose_connect() is called a second time while the first connection\nattempt is still in progress (TCP_SYN_SENT), it overwrites\nrose-\u003eneighbour via rose_get_neigh(). If that returns NULL, the socket\nis left with rose-\u003estate == ROSE_STATE_1 but rose-\u003eneighbour == NULL.\nWhen the socket is subsequently closed, rose_release() sees\nROSE_STATE_1 and calls rose_write_internal() -\u003e\nrose_transmit_link(skb, NULL), causing a NULL pointer dereference.\n\nPer connect(2), a second connect() while a connection is already in\nprogress should return -EALREADY. Add this missing check for\nTCP_SYN_SENT to complete the state validation in rose_connect().\n\n[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271\n[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:09.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c85fe6580e86947ca07907ebf4363a73c156fda7"
},
{
"url": "https://git.kernel.org/stable/c/a753844d2a8136f090123c8fb1ff6c7f6ee7c2b3"
},
{
"url": "https://git.kernel.org/stable/c/c2ab74c12932e52cfa1e7e4582d42b0c8bec96c7"
},
{
"url": "https://git.kernel.org/stable/c/0c9fb70a206a8734e10468ecc24d57c7596cf64e"
},
{
"url": "https://git.kernel.org/stable/c/508f49ccbe0329641bb681f7d0052bb4e5943252"
},
{
"url": "https://git.kernel.org/stable/c/0c3e8bff808f17ad37a51d8e719eed22c7863120"
},
{
"url": "https://git.kernel.org/stable/c/a12254050e3050f1011cd24f3b880a6882d0139d"
},
{
"url": "https://git.kernel.org/stable/c/e1f0a18c9564cdb16523c802e2c6fe5874e3d944"
}
],
"title": "net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23460",
"datePublished": "2026-04-03T15:15:40.364Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-04-18T08:59:09.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31424 (GCVE-0-2026-31424)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
<TASK>
nft_match_eval (net/netfilter/nft_compat.c:407)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
nf_hook_slow (net/netfilter/core.c:623)
arp_xmit (net/ipv4/arp.c:666)
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 80e3c75f71c3ea1e62fcb032382de13e00a68f8b (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < d9a0af9e43416aa50c0595e15fa01365a1c72c49 (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 1cd6313c8644bfebbd813a05da9daa21b09dd68c (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < f00ac65c90ea475719e08d629e2e26c8b4e6999b (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < e7e1b6bcb389c8708003d40613a59ff2496f6b1f (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < dc3e27dd7d76e21106b8f9bbdc31f5da74a89014 (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a (git) |
| Linux | Linux | Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 3d5d488f11776738deab9da336038add95d342d1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80e3c75f71c3ea1e62fcb032382de13e00a68f8b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "d9a0af9e43416aa50c0595e15fa01365a1c72c49",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "1cd6313c8644bfebbd813a05da9daa21b09dd68c",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "f00ac65c90ea475719e08d629e2e26c8b4e6999b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "e7e1b6bcb389c8708003d40613a59ff2496f6b1f",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "dc3e27dd7d76e21106b8f9bbdc31f5da74a89014",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3d5d488f11776738deab9da336038add95d342d1",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state-\u003ein being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n \u003cTASK\u003e\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:37.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"
},
{
"url": "https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"
},
{
"url": "https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"
},
{
"url": "https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"
},
{
"url": "https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"
},
{
"url": "https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"
},
{
"url": "https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"
},
{
"url": "https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"
}
],
"title": "netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31424",
"datePublished": "2026-04-13T13:40:27.957Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:37.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31447 (GCVE-0-2026-31447)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
ext4: reject mount if bigalloc with s_first_data_block != 0
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: reject mount if bigalloc with s_first_data_block != 0
bigalloc with s_first_data_block != 0 is not supported, reject mounting
it.
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ad6d994255e27a3254079dfb50ca861fc31f2d0",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "3a926957cc95899ef88529710836edadc03c71a1",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "7b58c110b4e1f028eb38eec9ed3555e9be81c8b0",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "b77de3fceafbb39f30e4ff5dc986f863d5456417",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "d787d3ae96648dc14a3b7ca8fde817177e82c1c7",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "ad1f6d608f33f59d21a3d025615d6786a6443998",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "7d5b04290156c3fc316eecc86a4f9d201ab7d44a",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
},
{
"lessThan": "3822743dc20386d9897e999dbb990befa3a5b3f8",
"status": "affected",
"version": "281b59959707dfae03ce038cdf231bf4904e170c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: reject mount if bigalloc with s_first_data_block != 0\n\nbigalloc with s_first_data_block != 0 is not supported, reject mounting\nit."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:12.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ad6d994255e27a3254079dfb50ca861fc31f2d0"
},
{
"url": "https://git.kernel.org/stable/c/3a926957cc95899ef88529710836edadc03c71a1"
},
{
"url": "https://git.kernel.org/stable/c/7b58c110b4e1f028eb38eec9ed3555e9be81c8b0"
},
{
"url": "https://git.kernel.org/stable/c/b77de3fceafbb39f30e4ff5dc986f863d5456417"
},
{
"url": "https://git.kernel.org/stable/c/d787d3ae96648dc14a3b7ca8fde817177e82c1c7"
},
{
"url": "https://git.kernel.org/stable/c/ad1f6d608f33f59d21a3d025615d6786a6443998"
},
{
"url": "https://git.kernel.org/stable/c/7d5b04290156c3fc316eecc86a4f9d201ab7d44a"
},
{
"url": "https://git.kernel.org/stable/c/3822743dc20386d9897e999dbb990befa3a5b3f8"
}
],
"title": "ext4: reject mount if bigalloc with s_first_data_block != 0",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31447",
"datePublished": "2026-04-22T13:53:43.467Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:12.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31508 (GCVE-0-2026-31508)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
net: openvswitch: Avoid releasing netdev before teardown completes
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: Avoid releasing netdev before teardown completes
The patch cited in the Fixes tag below changed the teardown code for
OVS ports to no longer unconditionally take the RTNL. After this change,
the netdev_destroy() callback can proceed immediately to the call_rcu()
invocation if the IFF_OVS_DATAPATH flag is already cleared on the
netdev.
The ovs_netdev_detach_dev() function clears the flag before completing
the unregistration, and if it gets preempted after clearing the flag (as
can happen on an -rt kernel), netdev_destroy() can complete and the
device can be freed before the unregistration completes. This leads to a
splat like:
[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI
[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT
[ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025
[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0
[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90
[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246
[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000
[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05
[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000
[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006
[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000
[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000
[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0
[ 998.393944] PKRU: 55555554
[ 998.393946] Call Trace:
[ 998.393949] <TASK>
[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]
[ 998.394009] ? __die_body.cold+0x8/0x12
[ 998.394016] ? die_addr+0x3c/0x60
[ 998.394027] ? exc_general_protection+0x16d/0x390
[ 998.394042] ? asm_exc_general_protection+0x26/0x30
[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0
[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]
[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]
[ 998.394102] notifier_call_chain+0x5a/0xd0
[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60
[ 998.394110] rtnl_dellink+0x169/0x3e0
[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0
[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0
[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0
[ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 998.394132] netlink_rcv_skb+0x50/0x100
[ 998.394138] netlink_unicast+0x292/0x3f0
[ 998.394141] netlink_sendmsg+0x21b/0x470
[ 998.394145] ____sys_sendmsg+0x39d/0x3d0
[ 998.394149] ___sys_sendmsg+0x9a/0xe0
[ 998.394156] __sys_sendmsg+0x7a/0xd0
[ 998.394160] do_syscall_64+0x7f/0x170
[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 998.394165] RIP: 0033:0x7fad61bf4724
[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724
[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003
[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f
[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2
---truncated---
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df3c95be76103604e752131d9495a24814915ece",
"status": "affected",
"version": "b823c3344d5446b720227ba561df10a4f0add515",
"versionType": "git"
},
{
"lessThan": "33609454be4f582e686a4bf13d4482a5ca0f6c4b",
"status": "affected",
"version": "052e5db5be4576e0a8ef1460b210da5f328f4cd1",
"versionType": "git"
},
{
"lessThan": "5fdeaf591a0942772c2d18ff3563697a49ad01c6",
"status": "affected",
"version": "c98263d5ace597c096a7a60aeef790da7b54979e",
"versionType": "git"
},
{
"lessThan": "4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8",
"status": "affected",
"version": "0fc642f011cb7a7eff41109e66d3b552e9f4d795",
"versionType": "git"
},
{
"lessThan": "43579baa17270aa51f93eb09b6e4af6e047b7f6e",
"status": "affected",
"version": "5116f61ab11846844585c9082c547c4ccd97ff1a",
"versionType": "git"
},
{
"lessThan": "95265232b49765a4d00f4d028c100bb7185600f4",
"status": "affected",
"version": "f31557fb1b35332cca9994aa196cef284bcf3807",
"versionType": "git"
},
{
"lessThan": "755a6300afbd743cda4b102f24f343380ec0e0ff",
"status": "affected",
"version": "5498227676303e3ffa9a3a46214af96bc3e81314",
"versionType": "git"
},
{
"lessThan": "7c770dadfda5cbbde6aa3c4363ed513f1d212bf8",
"status": "affected",
"version": "5498227676303e3ffa9a3a46214af96bc3e81314",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.248",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[ 998.393886] Hardware name: Dell Inc. 
PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 \u003c48\u003e 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[ 998.393944] PKRU: 55555554\n[ 998.393946] Call Trace:\n[ 998.393949] \u003cTASK\u003e\n[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394009] ? __die_body.cold+0x8/0x12\n[ 998.394016] ? die_addr+0x3c/0x60\n[ 998.394027] ? exc_general_protection+0x16d/0x390\n[ 998.394042] ? asm_exc_general_protection+0x26/0x30\n[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0\n[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394102] notifier_call_chain+0x5a/0xd0\n[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60\n[ 998.394110] rtnl_dellink+0x169/0x3e0\n[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0\n[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0\n[ 998.394130] ? 
__pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 998.394132] netlink_rcv_skb+0x50/0x100\n[ 998.394138] netlink_unicast+0x292/0x3f0\n[ 998.394141] netlink_sendmsg+0x21b/0x470\n[ 998.394145] ____sys_sendmsg+0x39d/0x3d0\n[ 998.394149] ___sys_sendmsg+0x9a/0xe0\n[ 998.394156] __sys_sendmsg+0x7a/0xd0\n[ 998.394160] do_syscall_64+0x7f/0x170\n[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 998.394165] RIP: 0033:0x7fad61bf4724\n[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:46.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df3c95be76103604e752131d9495a24814915ece"
},
{
"url": "https://git.kernel.org/stable/c/33609454be4f582e686a4bf13d4482a5ca0f6c4b"
},
{
"url": "https://git.kernel.org/stable/c/5fdeaf591a0942772c2d18ff3563697a49ad01c6"
},
{
"url": "https://git.kernel.org/stable/c/4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8"
},
{
"url": "https://git.kernel.org/stable/c/43579baa17270aa51f93eb09b6e4af6e047b7f6e"
},
{
"url": "https://git.kernel.org/stable/c/95265232b49765a4d00f4d028c100bb7185600f4"
},
{
"url": "https://git.kernel.org/stable/c/755a6300afbd743cda4b102f24f343380ec0e0ff"
},
{
"url": "https://git.kernel.org/stable/c/7c770dadfda5cbbde6aa3c4363ed513f1d212bf8"
}
],
"title": "net: openvswitch: Avoid releasing netdev before teardown completes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31508",
"datePublished": "2026-04-22T13:54:26.599Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-04-27T14:03:46.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31661 (GCVE-0-2026-31661)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
wifi: brcmsmac: Fix dma_free_coherent() size
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is
saved in alloced.
Change the free size to match the allocation size.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f449676bab54fea1440775c8c915dadb323fe015",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "3c204a0fd079fa7a867151a47d830ad1c2db5177",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "0f87777b74bcce29b966ec42d9aa8f9edd9b1667",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "4bf41c2731a0549e21f66180ff780b1e036639ab",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "77263f053963dea9f3962505ac0c768853d7dc59",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "01f1330d3d1bee07e0c42d40cc48b7be8b6dad84",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "12cd7632757a54ce586e36040210b1a738a0fc53",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:11.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015"
},
{
"url": "https://git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177"
},
{
"url": "https://git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667"
},
{
"url": "https://git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab"
},
{
"url": "https://git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59"
},
{
"url": "https://git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa"
},
{
"url": "https://git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84"
},
{
"url": "https://git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53"
}
],
"title": "wifi: brcmsmac: Fix dma_free_coherent() size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31661",
"datePublished": "2026-04-24T14:45:11.917Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:11.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31683 (GCVE-0-2026-31683)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-04-27 14:05
Title
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
When OGM aggregation state is toggled at runtime, an existing forwarded
packet may have been allocated with only packet_len bytes, while a later
packet can still be selected for aggregation. Appending in this case can
hit skb_put overflow conditions.
Reject aggregation when the target skb tailroom cannot accommodate the new
packet. The caller then falls back to creating a new forward packet
instead of appending.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 67176c96f325837b0bb3e9538ca2eba414f447d8
(git)
Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 0b10a8b355c3f71012ce89289ec2c2f5e3bfd6c1 (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 6755347c5f9bdd44dee80f692208b056fcd40a52 (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 1ada20331f2df2a942d6b83ae1f04a304b642e2a (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 6e40ebb999c2c3d2fbb3cacb61f0384ee6e69075 (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 0e35db29fc5a97a8553f7c2d3a2ba730e46b1ee8 (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < eda89a1bae0602aec8314ced299bb243b9f9aeef (git) Affected: c6c8fea29769d998d94fcec9b9f14d4b52b349d3 , < 0d4aef630be9d5f9c1227d07669c26c4383b5ad0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_iv_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67176c96f325837b0bb3e9538ca2eba414f447d8",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "0b10a8b355c3f71012ce89289ec2c2f5e3bfd6c1",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "6755347c5f9bdd44dee80f692208b056fcd40a52",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "1ada20331f2df2a942d6b83ae1f04a304b642e2a",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "6e40ebb999c2c3d2fbb3cacb61f0384ee6e69075",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "0e35db29fc5a97a8553f7c2d3a2ba730e46b1ee8",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "eda89a1bae0602aec8314ced299bb243b9f9aeef",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
},
{
"lessThan": "0d4aef630be9d5f9c1227d07669c26c4383b5ad0",
"status": "affected",
"version": "c6c8fea29769d998d94fcec9b9f14d4b52b349d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bat_iv_ogm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: avoid OGM aggregation when skb tailroom is insufficient\n\nWhen OGM aggregation state is toggled at runtime, an existing forwarded\npacket may have been allocated with only packet_len bytes, while a later\npacket can still be selected for aggregation. Appending in this case can\nhit skb_put overflow conditions.\n\nReject aggregation when the target skb tailroom cannot accommodate the new\npacket. The caller then falls back to creating a new forward packet\ninstead of appending."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:05:03.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67176c96f325837b0bb3e9538ca2eba414f447d8"
},
{
"url": "https://git.kernel.org/stable/c/0b10a8b355c3f71012ce89289ec2c2f5e3bfd6c1"
},
{
"url": "https://git.kernel.org/stable/c/6755347c5f9bdd44dee80f692208b056fcd40a52"
},
{
"url": "https://git.kernel.org/stable/c/1ada20331f2df2a942d6b83ae1f04a304b642e2a"
},
{
"url": "https://git.kernel.org/stable/c/6e40ebb999c2c3d2fbb3cacb61f0384ee6e69075"
},
{
"url": "https://git.kernel.org/stable/c/0e35db29fc5a97a8553f7c2d3a2ba730e46b1ee8"
},
{
"url": "https://git.kernel.org/stable/c/eda89a1bae0602aec8314ced299bb243b9f9aeef"
},
{
"url": "https://git.kernel.org/stable/c/0d4aef630be9d5f9c1227d07669c26c4383b5ad0"
}
],
"title": "batman-adv: avoid OGM aggregation when skb tailroom is insufficient",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31683",
"datePublished": "2026-04-25T08:47:00.334Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:05:03.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31546 (GCVE-0-2026-31546)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
rlb_clear_slave intentionally keeps RLB hash-table entries on
the rx_hashtbl_used_head list with slave set to NULL when no
replacement slave is available. However, bond_debug_rlb_hash_show
visits client_info->slave without checking if it's NULL.
Other used-list iterators in bond_alb.c already handle this NULL-slave
state safely:
- rlb_update_client returns early on !client_info->slave
- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
compare slave values before visiting
- lb_req_update_subnet_clients continues if slave is NULL
The following NULL deref crash can be triggered in
bond_debug_rlb_hash_show:
[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
[ 1.295897] Call Trace:
[ 1.296134] seq_read_iter (fs/seq_file.c:231)
[ 1.296341] seq_read (fs/seq_file.c:164)
[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
[ 1.296658] vfs_read (fs/read_write.c:572)
[ 1.296981] ksys_read (fs/read_write.c:717)
[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Add a NULL check and print "(none)" for entries with no assigned slave.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 19f0fd87df0e5746b24f5caa465a66a8c6e6e241
(git)
Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < edacf1613f7b26423ebfa8b2892e7453c4235354 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 2ec2c777f357a83c3d503d8d9370c90b60f0ae63 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 0a3f8cd3f370247ded14d38d216b49dd30eade76 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 017d674cf6930e9586a29ee808c7ca09d1396d07 (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c (git) Affected: caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 , < 605b52497bf89b3b154674deb135da98f916e390 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19f0fd87df0e5746b24f5caa465a66a8c6e6e241",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "edacf1613f7b26423ebfa8b2892e7453c4235354",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "2ec2c777f357a83c3d503d8d9370c90b60f0ae63",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "0a3f8cd3f370247ded14d38d216b49dd30eade76",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "017d674cf6930e9586a29ee808c7ca09d1396d07",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
},
{
"lessThan": "605b52497bf89b3b154674deb135da98f916e390",
"status": "affected",
"version": "caafa84251b886feb6cdf23d50e2cc99dcdaaaf3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisites client_info-\u003eslave without checking if it\u0027s NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info-\u003eslave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[ 1.295897] Call Trace:\n[ 1.296134] seq_read_iter (fs/seq_file.c:231)\n[ 1.296341] seq_read (fs/seq_file.c:164)\n[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[ 1.296658] vfs_read (fs/read_write.c:572)\n[ 1.296981] ksys_read (fs/read_write.c:717)\n[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) 
arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:14.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19f0fd87df0e5746b24f5caa465a66a8c6e6e241"
},
{
"url": "https://git.kernel.org/stable/c/edacf1613f7b26423ebfa8b2892e7453c4235354"
},
{
"url": "https://git.kernel.org/stable/c/2ec2c777f357a83c3d503d8d9370c90b60f0ae63"
},
{
"url": "https://git.kernel.org/stable/c/0a3f8cd3f370247ded14d38d216b49dd30eade76"
},
{
"url": "https://git.kernel.org/stable/c/6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4"
},
{
"url": "https://git.kernel.org/stable/c/017d674cf6930e9586a29ee808c7ca09d1396d07"
},
{
"url": "https://git.kernel.org/stable/c/ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c"
},
{
"url": "https://git.kernel.org/stable/c/605b52497bf89b3b154674deb135da98f916e390"
}
],
"title": "net: bonding: fix NULL deref in bond_debug_rlb_hash_show",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31546",
"datePublished": "2026-04-24T14:33:14.572Z",
"dateReserved": "2026-03-09T15:48:24.114Z",
"dateUpdated": "2026-04-24T14:33:14.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40135 (GCVE-0-2025-40135)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-03-25 10:19
Title
ipv6: use RCU in ip6_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_xmit()
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f0a54d00d2f36de40266f47c27989853e8588656
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f69fec6287565fdeb61f65e700a1184352306943 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < bd0905e2122e3680968cd0741966983490bf2ed3 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < f7f9e924f23684b4b23cd9f976cceab24a968e34 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 9085e56501d93af9f2d7bd16f7fcfacdde47b99c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f0a54d00d2f36de40266f47c27989853e8588656",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "f69fec6287565fdeb61f65e700a1184352306943",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "bd0905e2122e3680968cd0741966983490bf2ed3",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "f7f9e924f23684b4b23cd9f976cceab24a968e34",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "9085e56501d93af9f2d7bd16f7fcfacdde47b99c",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:45.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f0a54d00d2f36de40266f47c27989853e8588656"
},
{
"url": "https://git.kernel.org/stable/c/f69fec6287565fdeb61f65e700a1184352306943"
},
{
"url": "https://git.kernel.org/stable/c/bd0905e2122e3680968cd0741966983490bf2ed3"
},
{
"url": "https://git.kernel.org/stable/c/f7f9e924f23684b4b23cd9f976cceab24a968e34"
},
{
"url": "https://git.kernel.org/stable/c/9085e56501d93af9f2d7bd16f7fcfacdde47b99c"
}
],
"title": "ipv6: use RCU in ip6_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40135",
"datePublished": "2025-11-12T10:23:23.051Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2026-03-25T10:19:45.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23335 (GCVE-0-2026-23335)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
Title
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
struct irdma_create_ah_resp { // 8 bytes, no padding
__u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
__u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK
};
rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
The reserved members of the structure were not zeroed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
b48c24c2d710cf34810c555dcef883a3d35a9c08 , < 1f70df004fdd944653013ccc2e1dfd472a693b46
(git)
Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < 14b47c07c69930254f549a17ee245c80a65b1609 (git) Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < 1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8 (git) Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < 2fd37450d271d74b3847baed284f9cfdf198c6f8 (git) Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < cfe962216c164fe2b1c1fb6ac925a7413f5abc84 (git) Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < c9bd0007c4bdb7806bbd323287e50f9cf467c51a (git) Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08 , < 74586c6da9ea222a61c98394f2fc0a604748438c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f70df004fdd944653013ccc2e1dfd472a693b46",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "14b47c07c69930254f549a17ee245c80a65b1609",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "2fd37450d271d74b3847baed284f9cfdf198c6f8",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "cfe962216c164fe2b1c1fb6ac925a7413f5abc84",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "c9bd0007c4bdb7806bbd323287e50f9cf467c51a",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "74586c6da9ea222a61c98394f2fc0a604748438c",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah-\u003esc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET \u003c- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:59.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f70df004fdd944653013ccc2e1dfd472a693b46"
},
{
"url": "https://git.kernel.org/stable/c/14b47c07c69930254f549a17ee245c80a65b1609"
},
{
"url": "https://git.kernel.org/stable/c/1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8"
},
{
"url": "https://git.kernel.org/stable/c/2fd37450d271d74b3847baed284f9cfdf198c6f8"
},
{
"url": "https://git.kernel.org/stable/c/cfe962216c164fe2b1c1fb6ac925a7413f5abc84"
},
{
"url": "https://git.kernel.org/stable/c/c9bd0007c4bdb7806bbd323287e50f9cf467c51a"
},
{
"url": "https://git.kernel.org/stable/c/74586c6da9ea222a61c98394f2fc0a604748438c"
}
],
"title": "RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23335",
"datePublished": "2026-03-25T10:27:25.418Z",
"dateReserved": "2026-01-13T15:37:45.997Z",
"dateUpdated": "2026-04-18T08:57:59.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31441 (GCVE-0-2026-31441)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-22 13:53
Title
dmaengine: idxd: Fix memory leak when a wq is reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix memory leak when a wq is reset
idxd_wq_disable_cleanup(), which is called from the reset path for a
workqueue, sets the wq type to NONE, which for other parts of the
driver means that the wq is empty (all its resources were released).
Only set the wq type to NONE after its resources are released.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"lessThan": "54d77cc0c40ca2f894859dc7b3c52997574f1a2a",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"lessThan": "39c1504e0e76bcfb93991fd94288a83e05d13b51",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"lessThan": "a9e7815d38629bcf59d3005001f1f315424a58de",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"lessThan": "0c3d3ac57e3c52b570b8c695903306bff07e04c8",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"lessThan": "d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478",
"status": "affected",
"version": "da32b28c95a79e399e18c03f8178f41aec9c66e4",
"versionType": "git"
},
{
"status": "affected",
"version": "2a2df2bd10de44c3804661ed15157817c12d6291",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:53:39.055Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658"
},
{
"url": "https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a"
},
{
"url": "https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51"
},
{
"url": "https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de"
},
{
"url": "https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8"
},
{
"url": "https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478"
}
],
"title": "dmaengine: idxd: Fix memory leak when a wq is reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31441",
"datePublished": "2026-04-22T13:53:39.055Z",
"dateReserved": "2026-03-09T15:48:24.090Z",
"dateUpdated": "2026-04-22T13:53:39.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23242 (GCVE-0-2026-23242)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02
Title
RDMA/siw: Fix potential NULL pointer dereference in header processing
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix potential NULL pointer dereference in header processing
If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),
qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()
dereferences qp->rx_fpdu->more_ddp_segs without checking, which
may lead to a NULL pointer deref. Only check more_ddp_segs when
rx_fpdu is present.
KASAN splat:
[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
Severity
7.5 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_qp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab61841633d10e56a58c1493a262f0d02dba2f5e",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "8564dcc12fbb372d984ab45768cae9335777b274",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "ab957056192d6bd068b3759cb2077d859cca01f0",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "ffba40b67663567481fa8a1ed5d2da36897c175d",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "87b7a036d2c73d5bb3ae2d47dee23de465db3355",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "714c99e1dc8f85f446e05be02ba83972e981a817",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "ce025f7f5d070596194315eb2e4e89d568b8a755",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
},
{
"lessThan": "14ab3da122bd18920ad57428f6cf4fade8385142",
"status": "affected",
"version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_qp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix potential NULL pointer dereference in header processing\n\nIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),\nqp-\u003erx_fpdu can be NULL. The error path in siw_tcp_rx_data()\ndereferences qp-\u003erx_fpdu-\u003emore_ddp_segs without checking, which\nmay lead to a NULL pointer deref. Only check more_ddp_segs when\nrx_fpdu is present.\n\nKASAN splat:\n[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]\n[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:58.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab61841633d10e56a58c1493a262f0d02dba2f5e"
},
{
"url": "https://git.kernel.org/stable/c/8564dcc12fbb372d984ab45768cae9335777b274"
},
{
"url": "https://git.kernel.org/stable/c/ab957056192d6bd068b3759cb2077d859cca01f0"
},
{
"url": "https://git.kernel.org/stable/c/ffba40b67663567481fa8a1ed5d2da36897c175d"
},
{
"url": "https://git.kernel.org/stable/c/87b7a036d2c73d5bb3ae2d47dee23de465db3355"
},
{
"url": "https://git.kernel.org/stable/c/714c99e1dc8f85f446e05be02ba83972e981a817"
},
{
"url": "https://git.kernel.org/stable/c/ce025f7f5d070596194315eb2e4e89d568b8a755"
},
{
"url": "https://git.kernel.org/stable/c/14ab3da122bd18920ad57428f6cf4fade8385142"
}
],
"title": "RDMA/siw: Fix potential NULL pointer dereference in header processing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23242",
"datePublished": "2026-03-18T10:05:05.108Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-04-13T06:02:58.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23456 (GCVE-0-2026-23456)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
value, then calls get_uint(bs, len) without checking that len bytes
remain in the buffer. The existing boundary check only validates the
2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
slab-out-of-bounds read.
Add a boundary check for len bytes after get_bits() and before
get_uint().
Severity
8.2 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2cd54b9348e485d338b3c132338a4410c99afaf",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "c95dc674ebf01ecfb40388b6facfc89b81fed3b7",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "41b417ff73a24b2c68134992cc44c88db27f482d",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "52235bf88159a1ef16434ab49e47e99c8a09ab20",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "774a434f8c9c8602a976b2536f65d0172a07f4d2",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "6bce72daeccca9aa1746e92d6c3d4784e71f2ebb",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "fb6c3596823ec5dd09c2123340330d7448f51a59",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "1e3a3593162c96e8a8de48b1e14f60c3b57fca8a",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:34.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf"
},
{
"url": "https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7"
},
{
"url": "https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d"
},
{
"url": "https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20"
},
{
"url": "https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2"
},
{
"url": "https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb"
},
{
"url": "https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59"
},
{
"url": "https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a"
}
],
"title": "netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23456",
"datePublished": "2026-04-03T15:15:37.534Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-27T14:02:34.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49998 (GCVE-0-2024-49998)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2026-03-25 10:19
Title
net: dsa: improve shutdown sequence
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: improve shutdown sequence
Alexander Sverdlin presents 2 problems during shutdown with the
lan9303 driver. One is specific to lan9303 and the other just happens
to reproduce there.
The first problem is that lan9303 is unique among DSA drivers in that it
calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown,
not remove):
phy_state_machine()
-> ...
   -> dsa_user_phy_read()
      -> ds->ops->phy_read()
         -> lan9303_phy_read()
            -> chip->ops->phy_read()
               -> lan9303_mdio_phy_read()
                  -> dev_get_drvdata()
But we never stop the phy_state_machine(), so it may continue to run
after dsa_switch_shutdown(). Our common pattern in all DSA drivers is
to set drvdata to NULL to suppress the remove() method that may come
afterwards. But in this case it will result in an NPD.
The second problem is that the way in which we set
dp->conduit->dsa_ptr = NULL; is concurrent with receive packet
processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,
but afterwards, rather than continuing to use that non-NULL value,
dev->dsa_ptr is dereferenced again and again without NULL checks:
dsa_conduit_find_user() and many other places. In between dereferences,
there is no locking to ensure that what was valid once continues to be
valid.
Both problems have the common aspect that closing the conduit interface
solves them.
In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN
event in dsa_user_netdevice_event() which closes user ports as well.
dsa_port_disable_rt() calls phylink_stop(), which synchronously stops
the phylink state machine, and ds->ops->phy_read() will thus no longer
call into the driver after this point.
In the second case, dev_close(conduit) should do this, as per
Documentation/networking/driver.rst:
| Quiescence
| ----------
|
| After the ndo_stop routine has been called, the hardware must
| not receive or transmit any data. All in flight packets must
| be aborted. If necessary, poll or wait for completion of
| any reset commands.
So it should be sufficient to ensure that later, when we zeroize
conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call
on this conduit.
The addition of the netif_device_detach() function is to ensure that
ioctls, rtnetlinks and ethtool requests on the user ports no longer
propagate down to the driver - we're no longer prepared to handle them.
The race condition actually did not exist when commit 0650bf52b31f
("net: dsa: be compatible with masters which unregister on shutdown")
first introduced dsa_switch_shutdown(). It was created later, when we
stopped unregistering the user interfaces from a bad spot, and we just
replaced that sequence with a racy zeroization of conduit->dsa_ptr
(one which doesn't ensure that the interfaces aren't up).
Severity
No CVSS data available.
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:30:20.999100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:41.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dsa/dsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87bd909a7014e32790e8c759d5b7694a95778ca5",
"status": "affected",
"version": "ff45899e732e57088985e3a497b1d9100571c0f5",
"versionType": "git"
},
{
"lessThan": "ab9e90619b6339becc5415647ae154a9a46a044d",
"status": "affected",
"version": "ee534378f00561207656663d93907583958339ae",
"versionType": "git"
},
{
"lessThan": "2e93bf719462ac6d23c881c8b93e5dc9bf5ab7f5",
"status": "affected",
"version": "ee534378f00561207656663d93907583958339ae",
"versionType": "git"
},
{
"lessThan": "ab5d3420a1120950703dbdc33698b28a6ebc3d23",
"status": "affected",
"version": "ee534378f00561207656663d93907583958339ae",
"versionType": "git"
},
{
"lessThan": "b4a65d479213fe84ecb14e328271251eebe69492",
"status": "affected",
"version": "ee534378f00561207656663d93907583958339ae",
"versionType": "git"
},
{
"lessThan": "6c24a03a61a245fe34d47582898331fa034b6ccd",
"status": "affected",
"version": "ee534378f00561207656663d93907583958339ae",
"versionType": "git"
},
{
"status": "affected",
"version": "89b60402d43cdab4387dbbf24afebda5cf092ae7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dsa/dsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "5.15.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: improve shutdown sequence\n\nAlexander Sverdlin presents 2 problems during shutdown with the\nlan9303 driver. One is specific to lan9303 and the other just happens\nto reproduce there.\n\nThe first problem is that lan9303 is unique among DSA drivers in that it\ncalls dev_get_drvdata() at \"arbitrary runtime\" (not probe, not shutdown,\nnot remove):\n\nphy_state_machine()\n-\u003e ...\n -\u003e dsa_user_phy_read()\n -\u003e ds-\u003eops-\u003ephy_read()\n -\u003e lan9303_phy_read()\n -\u003e chip-\u003eops-\u003ephy_read()\n -\u003e lan9303_mdio_phy_read()\n -\u003e dev_get_drvdata()\n\nBut we never stop the phy_state_machine(), so it may continue to run\nafter dsa_switch_shutdown(). Our common pattern in all DSA drivers is\nto set drvdata to NULL to suppress the remove() method that may come\nafterwards. But in this case it will result in an NPD.\n\nThe second problem is that the way in which we set\ndp-\u003econduit-\u003edsa_ptr = NULL; is concurrent with receive packet\nprocessing. dsa_switch_rcv() checks once whether dev-\u003edsa_ptr is NULL,\nbut afterwards, rather than continuing to use that non-NULL value,\ndev-\u003edsa_ptr is dereferenced again and again without NULL checks:\ndsa_conduit_find_user() and many other places. In between dereferences,\nthere is no locking to ensure that what was valid once continues to be\nvalid.\n\nBoth problems have the common aspect that closing the conduit interface\nsolves them.\n\nIn the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN\nevent in dsa_user_netdevice_event() which closes user ports as well.\ndsa_port_disable_rt() calls phylink_stop(), which synchronously stops\nthe phylink state machine, and ds-\u003eops-\u003ephy_read() will thus no longer\ncall into the driver after this point.\n\nIn the second case, dev_close(conduit) should do this, as per\nDocumentation/networking/driver.rst:\n\n| Quiescence\n| ----------\n|\n| After the ndo_stop routine has been called, the hardware must\n| not receive or transmit any data. All in flight packets must\n| be aborted. If necessary, poll or wait for completion of\n| any reset commands.\n\nSo it should be sufficient to ensure that later, when we zeroize\nconduit-\u003edsa_ptr, there will be no concurrent dsa_switch_rcv() call\non this conduit.\n\nThe addition of the netif_device_detach() function is to ensure that\nioctls, rtnetlinks and ethtool requests on the user ports no longer\npropagate down to the driver - we\u0027re no longer prepared to handle them.\n\nThe race condition actually did not exist when commit 0650bf52b31f\n(\"net: dsa: be compatible with masters which unregister on shutdown\")\nfirst introduced dsa_switch_shutdown(). It was created later, when we\nstopped unregistering the user interfaces from a bad spot, and we just\nreplaced that sequence with a racy zeroization of conduit-\u003edsa_ptr\n(one which doesn\u0027t ensure that the interfaces aren\u0027t up)."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:14.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87bd909a7014e32790e8c759d5b7694a95778ca5"
},
{
"url": "https://git.kernel.org/stable/c/ab9e90619b6339becc5415647ae154a9a46a044d"
},
{
"url": "https://git.kernel.org/stable/c/2e93bf719462ac6d23c881c8b93e5dc9bf5ab7f5"
},
{
"url": "https://git.kernel.org/stable/c/ab5d3420a1120950703dbdc33698b28a6ebc3d23"
},
{
"url": "https://git.kernel.org/stable/c/b4a65d479213fe84ecb14e328271251eebe69492"
},
{
"url": "https://git.kernel.org/stable/c/6c24a03a61a245fe34d47582898331fa034b6ccd"
}
],
"title": "net: dsa: improve shutdown sequence",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49998",
"datePublished": "2024-10-21T18:02:38.316Z",
"dateReserved": "2024-10-21T12:17:06.057Z",
"dateUpdated": "2026-03-25T10:19:14.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31549 (GCVE-0-2026-31549)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
i2c: cp2615: fix serial string NULL-deref at probe
Summary
In the Linux kernel, the following vulnerability has been resolved:

i2c: cp2615: fix serial string NULL-deref at probe

The cp2615 driver uses the USB device serial string as the i2c adapter
name but does not make sure that the string exists.

Verify that the device has a serial number before accessing it to avoid
triggering a NULL-pointer dereference (e.g. with malicious devices).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < e68c267787778bcdf3d91b06f794faaba7f0d1d1 (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < 4a22af879172336370ae3e81e7f65fb2f69472ee (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < 69aece634a7eebafd9a596e5494d52facf6f26ec (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < 13ccf9b106bba121728f1625c4375a1bd8f5c5a3 (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < a9778298f47036866ea15eeb17242e8a4612580f (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < efe996bcfe50c2dcc6cf65c574285713b722ced7 (git) Affected: 4a7695429eade517b07ea72f9ec366130e81a076 , < aa79f996eb41e95aed85a1bd7f56bcd6a3842008 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cp2615.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e68c267787778bcdf3d91b06f794faaba7f0d1d1",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "4a22af879172336370ae3e81e7f65fb2f69472ee",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "69aece634a7eebafd9a596e5494d52facf6f26ec",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "13ccf9b106bba121728f1625c4375a1bd8f5c5a3",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "a9778298f47036866ea15eeb17242e8a4612580f",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "efe996bcfe50c2dcc6cf65c574285713b722ced7",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
},
{
"lessThan": "aa79f996eb41e95aed85a1bd7f56bcd6a3842008",
"status": "affected",
"version": "4a7695429eade517b07ea72f9ec366130e81a076",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cp2615.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cp2615: fix serial string NULL-deref at probe\n\nThe cp2615 driver uses the USB device serial string as the i2c adapter\nname but does not make sure that the string exists.\n\nVerify that the device has a serial number before accessing it to avoid\ntriggering a NULL-pointer dereference (e.g. with malicious devices)."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:16.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e68c267787778bcdf3d91b06f794faaba7f0d1d1"
},
{
"url": "https://git.kernel.org/stable/c/4a22af879172336370ae3e81e7f65fb2f69472ee"
},
{
"url": "https://git.kernel.org/stable/c/69aece634a7eebafd9a596e5494d52facf6f26ec"
},
{
"url": "https://git.kernel.org/stable/c/13ccf9b106bba121728f1625c4375a1bd8f5c5a3"
},
{
"url": "https://git.kernel.org/stable/c/a9778298f47036866ea15eeb17242e8a4612580f"
},
{
"url": "https://git.kernel.org/stable/c/efe996bcfe50c2dcc6cf65c574285713b722ced7"
},
{
"url": "https://git.kernel.org/stable/c/aa79f996eb41e95aed85a1bd7f56bcd6a3842008"
}
],
"title": "i2c: cp2615: fix serial string NULL-deref at probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31549",
"datePublished": "2026-04-24T14:33:16.814Z",
"dateReserved": "2026-03-09T15:48:24.115Z",
"dateUpdated": "2026-04-24T14:33:16.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71067 (GCVE-0-2025-71067)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-03-25 10:20
Title
ntfs: set dummy blocksize to read boot_block when mounting
Summary
In the Linux kernel, the following vulnerability has been resolved:

ntfs: set dummy blocksize to read boot_block when mounting

When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.

The issue can be triggered with the following syz reproducer:

  mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
  r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
  ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
  mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
        &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
  syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)

Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.

Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.

[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5 (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 44a38eb4f7876513db5a1bccde74de9bc4389d43 (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 4fff9a625da958a33191c8553a03283786f9f417 (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a (git) Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < d1693a7d5a38acf6424235a6070bcf5b186a360d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "44a38eb4f7876513db5a1bccde74de9bc4389d43",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "4fff9a625da958a33191c8553a03283786f9f417",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "d1693a7d5a38acf6424235a6070bcf5b186a360d",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb-\u003es_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n mkdirat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027./file1\\x00\u0027, 0x0)\n r4 = openat$nullb(0xffffffffffffff9c, \u0026(0x7f0000000040), 0x121403, 0x0)\n ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, \u0026(0x7f0000000980)=0x4000)\n mount(\u0026(0x7f0000000140)=@nullb, \u0026(0x7f0000000040)=\u0027./cgroup\\x00\u0027,\n \u0026(0x7f0000000000)=\u0027ntfs3\\x00\u0027, 0x2208004, 0x0)\n syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) \u003e PAGE_SIZE, sb_set_blocksize() leaves\nsb-\u003es_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb-\u003es_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:00.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"
},
{
"url": "https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"
},
{
"url": "https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"
},
{
"url": "https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"
},
{
"url": "https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"
}
],
"title": "ntfs: set dummy blocksize to read boot_block when mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71067",
"datePublished": "2026-01-13T15:31:22.585Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-03-25T10:20:00.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23306 (GCVE-0-2026-23306)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04
Title
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.

In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < ebbb852ffbc952b95ddb7e3872b67b3e74c6da47 (git) Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < 8b00427317ba7b7ec91252b034009f638d0f311b (git) Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < c5dc39f8ae055520fd778b7fb0423f11586f15c4 (git) Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < 824a7672e3540962d5c77d4c6666254d7aa6f0b3 (git) Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < 227ff4af00abc40b95123cc27ee8079069dcd8d7 (git) Affected: e29c47fe8946cc732b0e0d393b65b13c84bb69d0 , < 38353c26db28efd984f51d426eac2396d299cca7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebbb852ffbc952b95ddb7e3872b67b3e74c6da47",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
},
{
"lessThan": "8b00427317ba7b7ec91252b034009f638d0f311b",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
},
{
"lessThan": "c5dc39f8ae055520fd778b7fb0423f11586f15c4",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
},
{
"lessThan": "824a7672e3540962d5c77d4c6666254d7aa6f0b3",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
},
{
"lessThan": "227ff4af00abc40b95123cc27ee8079069dcd8d7",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
},
{
"lessThan": "38353c26db28efd984f51d426eac2396d299cca7",
"status": "affected",
"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_sas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn\u0027t handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:04:03.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"
},
{
"url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"
},
{
"url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"
},
{
"url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"
},
{
"url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"
},
{
"url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"
}
],
"title": "scsi: pm8001: Fix use-after-free in pm8001_queue_command()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23306",
"datePublished": "2026-03-25T10:27:01.719Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-13T06:04:03.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31659 (GCVE-0-2026-31659)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
batman-adv: reject oversized global TT response buffers
Summary
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: reject oversized global TT response buffers

batadv_tt_prepare_tvlv_global_data() builds the allocation length for a
global TT response in 16-bit temporaries. When a remote originator
advertises a large enough global TT, the TT payload length plus the VLAN
header offset can exceed 65535 and wrap before kmalloc().

The full-table response path still uses the original TT payload length when
it fills tt_change, so the wrapped allocation is too small and
batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object
before the later packet-size check runs.

Fix this by rejecting TT responses whose TVLV value length cannot fit in
the 16-bit TVLV payload length field.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < 7e5d007e0df946bffb8542fb112e0044014a5897 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < 2997f4bd1f982e7013709946e00be89b507693fa (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < 95c71365a2222908441b54d6f2c315e0c79fcec3 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < 69d61639bc7e963c3b645e570279d731e7c89062 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < f970646b9a39539d1bac86822ac78b5915455ea9 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < de6c1dc3c7d01a152607e6fcecee4d5288283f10 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < cf2199171ef799ca7270019125f4a91bd20ad4d9 (git) Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b , < 3a359bf5c61d52e7f09754108309d637532164a6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/translation-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e5d007e0df946bffb8542fb112e0044014a5897",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "2997f4bd1f982e7013709946e00be89b507693fa",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "95c71365a2222908441b54d6f2c315e0c79fcec3",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "69d61639bc7e963c3b645e570279d731e7c89062",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "f970646b9a39539d1bac86822ac78b5915455ea9",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "de6c1dc3c7d01a152607e6fcecee4d5288283f10",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "cf2199171ef799ca7270019125f4a91bd20ad4d9",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "3a359bf5c61d52e7f09754108309d637532164a6",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/translation-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:46.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897"
},
{
"url": "https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa"
},
{
"url": "https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3"
},
{
"url": "https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062"
},
{
"url": "https://git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9"
},
{
"url": "https://git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10"
},
{
"url": "https://git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9"
},
{
"url": "https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6"
}
],
"title": "batman-adv: reject oversized global TT response buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31659",
"datePublished": "2026-04-24T14:45:10.254Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:46.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37980 (GCVE-0-2025-37980)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:58 – Updated: 2026-04-11 12:45
Title
block: fix resource leak in blk_register_queue() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix resource leak in blk_register_queue() error path
When registering a queue fails after blk_mq_sysfs_register() is
successful but the function later encounters an error, we need
to clean up the blk_mq_sysfs resources.
Add the missing blk_mq_sysfs_unregister() call in the error path
to properly clean up these resources and prevent a memory leak.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
320ae51feed5c2f13664aa05a76bec198967e04d , < 6af6d5feebf9423ab3b252831d1f52de31a8b5e0
(git)
Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 549cbbd14bbec12469ceb279b79c763c8a24224e (git) Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 41e43134ddda35949974be40520460a12dda3502 (git) Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 55a7bb2708f7c7c5b366d4e40916113168a3824c (git) Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 40f2eb9b531475dd01b683fdaf61ca3cfd03a51e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6af6d5feebf9423ab3b252831d1f52de31a8b5e0",
"status": "affected",
"version": "320ae51feed5c2f13664aa05a76bec198967e04d",
"versionType": "git"
},
{
"lessThan": "549cbbd14bbec12469ceb279b79c763c8a24224e",
"status": "affected",
"version": "320ae51feed5c2f13664aa05a76bec198967e04d",
"versionType": "git"
},
{
"lessThan": "41e43134ddda35949974be40520460a12dda3502",
"status": "affected",
"version": "320ae51feed5c2f13664aa05a76bec198967e04d",
"versionType": "git"
},
{
"lessThan": "55a7bb2708f7c7c5b366d4e40916113168a3824c",
"status": "affected",
"version": "320ae51feed5c2f13664aa05a76bec198967e04d",
"versionType": "git"
},
{
"lessThan": "40f2eb9b531475dd01b683fdaf61ca3cfd03a51e",
"status": "affected",
"version": "320ae51feed5c2f13664aa05a76bec198967e04d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.25",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.4",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix resource leak in blk_register_queue() error path\n\nWhen registering a queue fails after blk_mq_sysfs_register() is\nsuccessful but the function later encounters an error, we need\nto clean up the blk_mq_sysfs resources.\n\nAdd the missing blk_mq_sysfs_unregister() call in the error path\nto properly clean up these resources and prevent a memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:34.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6af6d5feebf9423ab3b252831d1f52de31a8b5e0"
},
{
"url": "https://git.kernel.org/stable/c/549cbbd14bbec12469ceb279b79c763c8a24224e"
},
{
"url": "https://git.kernel.org/stable/c/41e43134ddda35949974be40520460a12dda3502"
},
{
"url": "https://git.kernel.org/stable/c/55a7bb2708f7c7c5b366d4e40916113168a3824c"
},
{
"url": "https://git.kernel.org/stable/c/40f2eb9b531475dd01b683fdaf61ca3cfd03a51e"
}
],
"title": "block: fix resource leak in blk_register_queue() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37980",
"datePublished": "2025-05-20T16:58:22.720Z",
"dateReserved": "2025-04-16T04:51:23.975Z",
"dateUpdated": "2026-04-11T12:45:34.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23113 (GCVE-0-2026-23113)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-04-18 08:57
Title
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Currently this is checked before running the pending work. Normally this
is quite fine, as work items either end up blocking (which will create a
new worker for other items), or they complete fairly quickly. But syzbot
reports an issue where io-wq takes seemingly forever to exit, and with a
bit of debugging, this turns out to be because it queues a bunch of big
(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't
support ->read_iter(), loop_rw_iter() ends up handling them. Each read
returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of
these pending, processing the whole chain can take a long time. Easily
longer than the syzbot uninterruptible sleep timeout of 140 seconds.
This then triggers a complaint off the io-wq exit path:
INFO: task syz.4.135:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1328 [inline]
io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa02738f749
RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098
RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98
There's really nothing wrong here, outside of processing these reads
will take a LONG time. However, we can speed up the exit by checking the
IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will
exit the ring after queueing up all of these reads. Then once the first
item is processed, io-wq will simply cancel the rest. That should avoid
syzbot running into this complaint again.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 27e47500fac23d15b7dc93ff650bc4844d2581bd
(git)
Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < d05d99573f81a091547b1778b9a50120f5d6c68a (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 85eb83694a91c89d9abe615d717c0053c3efa714 (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 2e8ca1078b14142db2ce51cbd18ff9971560046b (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < bdf0bf73006ea8af9327cdb85cfdff4c23a5f966 (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 10dc959398175736e495f71c771f8641e1ca1907 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27e47500fac23d15b7dc93ff650bc4844d2581bd",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "d05d99573f81a091547b1778b9a50120f5d6c68a",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "85eb83694a91c89d9abe615d717c0053c3efa714",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "2e8ca1078b14142db2ce51cbd18ff9971560046b",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "bdf0bf73006ea8af9327cdb85cfdff4c23a5f966",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "10dc959398175736e495f71c771f8641e1ca1907",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop\n\nCurrently this is checked before running the pending work. Normally this\nis quite fine, as work items either end up blocking (which will create a\nnew worker for other items), or they complete fairly quickly. But syzbot\nreports an issue where io-wq takes seemingly forever to exit, and with a\nbit of debugging, this turns out to be because it queues a bunch of big\n(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn\u0027t\nsupport -\u003eread_iter(), loop_rw_iter() ends up handling them. Each read\nreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch of\nthese pending, processing the whole chain can take a long time. Easily\nlonger than the syzbot uninterruptible sleep timeout of 140 seconds.\nThis then triggers a complaint off the io-wq exit path:\n\nINFO: task syz.4.135:6326 blocked for more than 143 seconds.\n Not tainted syzkaller #0\n Blocked by coredump.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5256 [inline]\n __schedule+0x1139/0x6150 kernel/sched/core.c:6863\n __schedule_loop kernel/sched/core.c:6945 [inline]\n schedule+0xe7/0x3a0 kernel/sched/core.c:6960\n schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75\n do_wait_for_common kernel/sched/completion.c:100 [inline]\n __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121\n io_wq_exit_workers io_uring/io-wq.c:1328 [inline]\n io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356\n io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203\n io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651\n io_uring_files_cancel include/linux/io_uring.h:19 [inline]\n do_exit+0x2ce/0x2bd0 kernel/exit.c:911\n do_group_exit+0xd3/0x2a0 kernel/exit.c:1112\n get_signal+0x2671/0x26d0 kernel/signal.c:3034\n arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337\n __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]\n exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa02738f749\nRSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca\nRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749\nRDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098\nRBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98\n\nThere\u0027s really nothing wrong here, outside of processing these reads\nwill take a LONG time. However, we can speed up the exit by checking the\nIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will\nexit the ring after queueing up all of these reads. Then once the first\nitem is processed, io-wq will simply cancel the rest. That should avoid\nsyzbot running into this complaint again."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:19.961Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27e47500fac23d15b7dc93ff650bc4844d2581bd"
},
{
"url": "https://git.kernel.org/stable/c/d05d99573f81a091547b1778b9a50120f5d6c68a"
},
{
"url": "https://git.kernel.org/stable/c/85eb83694a91c89d9abe615d717c0053c3efa714"
},
{
"url": "https://git.kernel.org/stable/c/2e8ca1078b14142db2ce51cbd18ff9971560046b"
},
{
"url": "https://git.kernel.org/stable/c/bdf0bf73006ea8af9327cdb85cfdff4c23a5f966"
},
{
"url": "https://git.kernel.org/stable/c/10dc959398175736e495f71c771f8641e1ca1907"
}
],
"title": "io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23113",
"datePublished": "2026-02-14T15:09:46.379Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-04-18T08:57:19.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31786 (GCVE-0-2026-31786)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-05-04 07:46
Title
Buffer overflow in drivers/xen/sys-hypervisor.c
Summary
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014
(the above have a hack to embed a zero inside and check it's
returned correctly).
This is XSA-485 / CVE-2026-31786
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
84b7625728ea311ea35bdaa0eded53c1c56baeaa , < e3af585e1728c917682b6a3de9a69b41fb9194d4
(git)
Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 8288d031a01dbacfde3fc643f7be3d23504de64d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < f458ba102da97fafca106327086fc95f3fc764cb (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 4b4defd2fce3f966c25adabf46644a85558f1169 (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < d5f59216650c51e5e3fcb7517c825bc8047f60ef (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 27fdbab4221b375de54bf91919798d88520c6e28 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:32.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/12"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-485.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3af585e1728c917682b6a3de9a69b41fb9194d4",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "8288d031a01dbacfde3fc643f7be3d23504de64d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "f458ba102da97fafca106327086fc95f3fc764cb",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "4b4defd2fce3f966c25adabf46644a85558f1169",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "d5f59216650c51e5e3fcb7517c825bc8047f60ef",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "52cecff98bda2c51eed1c6ce9d21c5d6268fb19d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "27fdbab4221b375de54bf91919798d88520c6e28",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it\u0027s\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T07:46:40.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4"
},
{
"url": "https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d"
},
{
"url": "https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb"
},
{
"url": "https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169"
},
{
"url": "https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a"
},
{
"url": "https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef"
},
{
"url": "https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d"
},
{
"url": "https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28"
}
],
"title": "Buffer overflow in drivers/xen/sys-hypervisor.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31786",
"datePublished": "2026-04-30T10:31:28.293Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-05-04T07:46:40.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43047 (GCVE-0-2026-43047)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
HID: multitouch: Check to ensure report responses match the request
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Check to ensure report responses match the request
It is possible for a malicious (or clumsy) device to respond to a
specific report's feature request using a completely different report
ID. This can cause confusion in the HID core resulting in nasty
side-effects such as OOB writes.
Add a check to ensure that the report ID in the response, matches the
one that was requested. If it doesn't, omit reporting the raw event and
return early.
Severity
7.8 (High)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "516da3f25cfe18643835af1cf09b0e9ffc36c383",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "a61163daf8a90b4a7ef154d5fc9c525f665734e3",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "74c6015375d8b9bc1b1eb79f20636c8e894bcad7",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "c7a27bb4d0f6573ca0f9c7ef0b63291486239190",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "6a4acd3e86fe5584050c213d95147eba33856033",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "7f66fdbc077faed3b52519228d21d81979e92249",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "2edc92f89eee328b5be5706b5d431bf90669e9c0",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"lessThan": "e716edafedad4952fe3a4a273d2e039a84e8681a",
"status": "affected",
"version": "6d4f5440a3a2bb2e9d0d582bbf98234e9e9bb095",
"versionType": "git"
},
{
"status": "affected",
"version": "fee906f035f0bd18ff12d84d58766c44a2ab0918",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Check to ensure report responses match the request\n\nIt is possible for a malicious (or clumsy) device to respond to a\nspecific report\u0027s feature request using a completely different report\nID. This can cause confusion in the HID core resulting in nasty\nside-effects such as OOB writes.\n\nAdd a check to ensure that the report ID in the response, matches the\none that was requested. If it doesn\u0027t, omit reporting the raw event and\nreturn early."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:22.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/516da3f25cfe18643835af1cf09b0e9ffc36c383"
},
{
"url": "https://git.kernel.org/stable/c/a61163daf8a90b4a7ef154d5fc9c525f665734e3"
},
{
"url": "https://git.kernel.org/stable/c/74c6015375d8b9bc1b1eb79f20636c8e894bcad7"
},
{
"url": "https://git.kernel.org/stable/c/c7a27bb4d0f6573ca0f9c7ef0b63291486239190"
},
{
"url": "https://git.kernel.org/stable/c/6a4acd3e86fe5584050c213d95147eba33856033"
},
{
"url": "https://git.kernel.org/stable/c/7f66fdbc077faed3b52519228d21d81979e92249"
},
{
"url": "https://git.kernel.org/stable/c/2edc92f89eee328b5be5706b5d431bf90669e9c0"
},
{
"url": "https://git.kernel.org/stable/c/e716edafedad4952fe3a4a273d2e039a84e8681a"
}
],
"title": "HID: multitouch: Check to ensure report responses match the request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43047",
"datePublished": "2026-05-01T14:15:42.562Z",
"dateReserved": "2026-05-01T14:12:55.979Z",
"dateUpdated": "2026-05-03T05:46:22.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23434 (GCVE-0-2026-23434)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
mtd: rawnand: serialize lock/unlock against other NAND operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: serialize lock/unlock against other NAND operations
nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
without holding the NAND device lock. On controllers that implement
SET_FEATURES via multiple low-level PIO commands, these can race with
concurrent UBI/UBIFS background erase/write operations that hold the
device lock, resulting in cmd_pending conflicts on the NAND controller.
Add nand_get_device()/nand_release_device() around the lock/unlock
operations to serialize them against all other NAND controller access.
Severity
7.1 (High)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/nand_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28ea836cc44cb8b89c1c174707ead0c1133c60e9",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "fe4a73c3dd48308149d57a10c2761e1d36ced7ba",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "ce5229e78078e437704157eb542f43a6f83b429b",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "a80291e577b44593a724d6cd64c14337c78f194d",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "5fd5c078af23cb353507aa522e09d557d7eaef04",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "f25446e2c28939753d3b62d34dfda49952b2557d",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "bab2bc6e850a697a23b9e5f0e21bb8c187615e95",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/nand_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip-\u003eops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:23.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28ea836cc44cb8b89c1c174707ead0c1133c60e9"
},
{
"url": "https://git.kernel.org/stable/c/fe4a73c3dd48308149d57a10c2761e1d36ced7ba"
},
{
"url": "https://git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b"
},
{
"url": "https://git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d"
},
{
"url": "https://git.kernel.org/stable/c/f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2"
},
{
"url": "https://git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04"
},
{
"url": "https://git.kernel.org/stable/c/f25446e2c28939753d3b62d34dfda49952b2557d"
},
{
"url": "https://git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95"
}
],
"title": "mtd: rawnand: serialize lock/unlock against other NAND operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23434",
"datePublished": "2026-04-03T15:15:19.450Z",
"dateReserved": "2026-01-13T15:37:46.016Z",
"dateUpdated": "2026-04-27T14:02:23.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38105 (GCVE-0-2025-38105)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-03-25 10:19
Title
ALSA: usb-audio: Kill timer properly at removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Kill timer properly at removal
The USB-audio MIDI code initializes the timer, but in a rare case, the
driver might be freed without the disconnect call. This leaves the
timer in an active state while the assigned object is released via
snd_usbmidi_free(), which ends up with a kernel warning when the debug
configuration is enabled, as spotted by fuzzer.
For avoiding the problem, put timer_shutdown_sync() at
snd_usbmidi_free(), so that the timer can be killed properly.
While we're at it, replace the existing timer_delete_sync() at the
disconnect callback with timer_shutdown_sync(), too.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efaf61052b8ff9ee8968912fbaf02c2847c78ede",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "647410a7da46067953a53c0d03f8680eff570959",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "c611b9e55174e439dcd85a72969b43a95f3827a4",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "62066758d2ae169278e5d6aea5995b1b6f6ddeb5",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
},
{
"lessThan": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1",
"status": "affected",
"version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.111",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.52",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call. This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we\u0027re at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:23.151Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efaf61052b8ff9ee8968912fbaf02c2847c78ede"
},
{
"url": "https://git.kernel.org/stable/c/647410a7da46067953a53c0d03f8680eff570959"
},
{
"url": "https://git.kernel.org/stable/c/c611b9e55174e439dcd85a72969b43a95f3827a4"
},
{
"url": "https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5"
},
{
"url": "https://git.kernel.org/stable/c/0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1"
}
],
"title": "ALSA: usb-audio: Kill timer properly at removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38105",
"datePublished": "2025-07-03T08:35:15.301Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2026-03-25T10:19:23.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68239 (GCVE-0-2025-68239)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2026-03-25 10:19
Title
binfmt_misc: restore write access before closing files opened by open_exec()
Summary
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec()
bm_register_write() opens an executable file using open_exec(), which
internally calls do_open_execat() and denies write access on the file to
avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using
filp_close() directly. This does not restore the write permission, which
may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to
restore the write permission properly.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"lessThan": "fbab8c08e1a6dbaef81e22d672a7647553101d16",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"lessThan": "6cce7bc7fac8471c832696720d9c8f2a976d9c54",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"lessThan": "e785f552ab04dbca01d31f0334f4561240b04459",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"lessThan": "90f601b497d76f40fa66795c3ecf625b6aced9fd",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"status": "affected",
"version": "467a50d5db7deaf656e18a1f633be9ecd94b393a",
"versionType": "git"
},
{
"status": "affected",
"version": "4a8b4124ea4156ca52918b66c750a69c6d932aa5",
"versionType": "git"
},
{
"status": "affected",
"version": "3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6",
"versionType": "git"
},
{
"status": "affected",
"version": "c0e0ab60d0b15469e69db93215dad009999f5a5b",
"versionType": "git"
},
{
"status": "affected",
"version": "5ab9464a2a3c538eedbb438f1802f2fd98d0953f",
"versionType": "git"
},
{
"status": "affected",
"version": "d28492be82e19fc69cc69975fc2052b37ef0c821",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: restore write access before closing files opened by open_exec()\n\nbm_register_write() opens an executable file using open_exec(), which\ninternally calls do_open_execat() and denies write access on the file to\navoid modification while it is being executed.\n\nHowever, when an error occurs, bm_register_write() closes the file using\nfilp_close() directly. This does not restore the write permission, which\nmay cause subsequent write operations on the same file to fail.\n\nFix this by calling exe_file_allow_write_access() before filp_close() to\nrestore the write permission properly."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:54.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f"
},
{
"url": "https://git.kernel.org/stable/c/fbab8c08e1a6dbaef81e22d672a7647553101d16"
},
{
"url": "https://git.kernel.org/stable/c/6cce7bc7fac8471c832696720d9c8f2a976d9c54"
},
{
"url": "https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459"
},
{
"url": "https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd"
}
],
"title": "binfmt_misc: restore write access before closing files opened by open_exec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68239",
"datePublished": "2025-12-16T14:21:16.889Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2026-03-25T10:19:54.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43011 (GCVE-0-2026-43011)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
net/x25: Fix potential double free of skb
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix potential double free of skb
When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at
line 48 and returns 1 (error).
This error propagates back through the call chain:

x25_queue_rx_frame returns 1
    |
    v
x25_state3_machine receives the return value 1 and takes the else
branch at line 278, setting queued=0 and returning 0
    |
    v
x25_process_rx_frame returns queued=0
    |
    v
x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)
again

This would free the same skb twice. Looking at x25_backlog_rcv:

net/x25/x25_in.c:x25_backlog_rcv() {
    ...
    queued = x25_process_rx_frame(sk, skb);
    ...
    if (!queued)
        kfree_skb(skb);
}
Severity
9.8 (Critical)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/x25/x25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3f5e3005984645bf5bd129c6b13149879580b1fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f782dd382203b2a8c4552a628431b7de65a19a7b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "524371398d8463ea7e101fce2cbf3915645d1730",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa1dbc93530b34fab0da9862426fe9c918c74dc0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c87dd137c0dad07cc55f98181ff380b0c23d2878",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d10a26aa4d072320530e6968ef945c8c575edf61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/x25/x25_in.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix potential double free of skb\n\nWhen alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at\nline 48 and returns 1 (error).\nThis error propagates back through the call chain:\n\nx25_queue_rx_frame returns 1\n |\n v\nx25_state3_machine receives the return value 1 and takes the else\nbranch at line 278, setting queued=0 and returning 0\n |\n v\nx25_process_rx_frame returns queued=0\n |\n v\nx25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)\nagain\n\nThis would free the same skb twice. Looking at x25_backlog_rcv:\n\nnet/x25/x25_in.c:x25_backlog_rcv() {\n ...\n queued = x25_process_rx_frame(sk, skb);\n ...\n if (!queued)\n kfree_skb(skb);\n}"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:03.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9"
},
{
"url": "https://git.kernel.org/stable/c/3f5e3005984645bf5bd129c6b13149879580b1fb"
},
{
"url": "https://git.kernel.org/stable/c/f782dd382203b2a8c4552a628431b7de65a19a7b"
},
{
"url": "https://git.kernel.org/stable/c/143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1"
},
{
"url": "https://git.kernel.org/stable/c/524371398d8463ea7e101fce2cbf3915645d1730"
},
{
"url": "https://git.kernel.org/stable/c/fa1dbc93530b34fab0da9862426fe9c918c74dc0"
},
{
"url": "https://git.kernel.org/stable/c/c87dd137c0dad07cc55f98181ff380b0c23d2878"
},
{
"url": "https://git.kernel.org/stable/c/d10a26aa4d072320530e6968ef945c8c575edf61"
}
],
"title": "net/x25: Fix potential double free of skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43011",
"datePublished": "2026-05-01T14:15:17.597Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-03T05:46:03.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23356 (GCVE-0-2026-23356)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Even though we check that we "should" be able to do lc_get_cumulative()
while holding the device->al_lock spinlock, it may still fail,
if some other code path decided to do lc_try_lock() with bad timing.
If that happened, we logged "LOGIC BUG for enr=...",
but still did not return an error.
The rest of the code now assumed that this request has references
for the relevant activity log extents.
The implications are that during an active resync, mutual exclusivity of
resync versus application IO is not guaranteed. And a potential crash
at this point may not realize that these extents could have been target
of in-flight IO and would need to be resynced just in case.
Also, once the request completes, it will give up activity log references it
does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
Fix:
Do not crash the kernel for a condition that is harmless during normal
operation: also catch "e->refcnt == 0", not only "e == NULL"
when being noisy about "al_complete_io() called on inactive extent %u\n".
And do not try to be smart and "guess" whether something will work, then
be surprised when it does not.
Deal with the fact that it may or may not work. If it does not, remember a
possible "partially in activity log" state (only possible for requests that
cross extent boundaries), and return an error code from
drbd_al_begin_io_nonblock().
A later call for the same request will then resume from where we left off.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < 933d161baa3794547adee621c0bf52cbf2c1b3cd (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < cf01aa6288e1190f89865e765056e2a9d8190639 (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < 7752569fc78e89794ce28946529850282233f99d (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < e91d8d6565b7819d13dab21d4dbed5b45efba59b (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < eef1390125b660b8b61f9f227a03bb9c5e6d36a5 (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508 (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < f558e5404a72054b525dced1a0c66aa95a144153 (git) |
| Linux | Linux | Affected: 08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 , < ab140365fb62c0bdab22b2f516aff563b2559e3b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/drbd/drbd_actlog.c",
"drivers/block/drbd/drbd_interval.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "933d161baa3794547adee621c0bf52cbf2c1b3cd",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "cf01aa6288e1190f89865e765056e2a9d8190639",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "7752569fc78e89794ce28946529850282233f99d",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "e91d8d6565b7819d13dab21d4dbed5b45efba59b",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "eef1390125b660b8b61f9f227a03bb9c5e6d36a5",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "f558e5404a72054b525dced1a0c66aa95a144153",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
},
{
"lessThan": "ab140365fb62c0bdab22b2f516aff563b2559e3b",
"status": "affected",
"version": "08a1ddab6df7d3c7b6341774cb1cf4b21b96a214",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/drbd/drbd_actlog.c",
"drivers/block/drbd/drbd_interval.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device-\u003eal_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implcations are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realizs that these extents could have been target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e-\u003erefcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work. If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA latter call for the same request will then resume from where we left off."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:08.080Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/933d161baa3794547adee621c0bf52cbf2c1b3cd"
},
{
"url": "https://git.kernel.org/stable/c/cf01aa6288e1190f89865e765056e2a9d8190639"
},
{
"url": "https://git.kernel.org/stable/c/7752569fc78e89794ce28946529850282233f99d"
},
{
"url": "https://git.kernel.org/stable/c/e91d8d6565b7819d13dab21d4dbed5b45efba59b"
},
{
"url": "https://git.kernel.org/stable/c/eef1390125b660b8b61f9f227a03bb9c5e6d36a5"
},
{
"url": "https://git.kernel.org/stable/c/d1ef3aed4df2ef1fe46befd8f2da9a6ec5445508"
},
{
"url": "https://git.kernel.org/stable/c/f558e5404a72054b525dced1a0c66aa95a144153"
},
{
"url": "https://git.kernel.org/stable/c/ab140365fb62c0bdab22b2f516aff563b2559e3b"
}
],
"title": "drbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23356",
"datePublished": "2026-03-25T10:27:40.454Z",
"dateReserved": "2026-01-13T15:37:46.000Z",
"dateUpdated": "2026-04-18T08:58:08.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31422 (GCVE-0-2026-31422)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
net/sched: cls_flow: fix NULL pointer dereference on shared blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_flow: fix NULL pointer dereference on shared blocks
flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass. Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.
Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks. This avoids the null-deref shown below:
=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
tc_new_tfilter (net/sched/cls_api.c:2432)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
[...]
=======================================================================
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 57f94ac7e953eece5ed4819605a18f3cdfc63dcc (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 942813276edeb1741fa5b0a73471beb4e495fa08 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < cc707a4fd4c3b6ab2722e06bc359aa010e13d408 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 4a09f72007201c9f667dc47f64517ec23eea65e5 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < a208c3e1232997e9317887294c20008dfcb75449 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 415ea0c973c754b9f375225807810eb9045f4293 (git) |
| Linux | Linux | Affected: 1abf272022cf1d18469405f47b4ec49c6a3125db , < 1a280dd4bd1d616a01d6ffe0de284c907b555504 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57f94ac7e953eece5ed4819605a18f3cdfc63dcc",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "942813276edeb1741fa5b0a73471beb4e495fa08",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "cc707a4fd4c3b6ab2722e06bc359aa010e13d408",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "4a09f72007201c9f667dc47f64517ec23eea65e5",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "a208c3e1232997e9317887294c20008dfcb75449",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "415ea0c973c754b9f375225807810eb9045f4293",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
},
{
"lessThan": "1a280dd4bd1d616a01d6ffe0de284c907b555504",
"status": "affected",
"version": "1abf272022cf1d18469405f47b4ec49c6a3125db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_flow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q-\u003ehandle to derive\na default baseclass. Shared blocks leave block-\u003eq NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block-\u003eq and return -EINVAL\nfor shared blocks. This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n======================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:34.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc"
},
{
"url": "https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08"
},
{
"url": "https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"
},
{
"url": "https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5"
},
{
"url": "https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e"
},
{
"url": "https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449"
},
{
"url": "https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293"
},
{
"url": "https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504"
}
],
"title": "net/sched: cls_flow: fix NULL pointer dereference on shared blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31422",
"datePublished": "2026-04-13T13:40:25.911Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:34.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47809 (GCVE-0-2024-47809)
Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2026-03-25 10:19
Title
dlm: fix possible lkb_resource null dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
dlm: fix possible lkb_resource null dereference
This patch fixes a possible null pointer dereference when this function is
called from request_lock() as lkb->lkb_resource is not assigned yet,
only after validate_lock_args() by calling attach_lkb(). Another issue
is that a resource name could be a non-printable byte array and we cannot
assume it to be ASCII coded.
The log functionality is probably never being hit when DLM is used in the
normal way and no debug logging is enabled. The null pointer dereference
can only occur on a newly created lkb that does not have the resource
assigned yet, it probably never hits the null pointer dereference but we
should be sure that other changes might not change this behaviour and we
actually can hit the mentioned null pointer dereference.
In this patch we just drop the printout of the resource name, the lkb id
is enough to make a possible connection to a resource name if this
exists.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 43279e5376017c40b4be9af5bc79cbb4ef6f53d7 , < 8d55ce46dd543c6965970ce70c22c3076dd35b1e (git) |
| Linux | Linux | Affected: 43279e5376017c40b4be9af5bc79cbb4ef6f53d7 , < 6fbdc3980b70e9c1c86eccea7d5ee68108008fa7 (git) |
| Linux | Linux | Affected: 43279e5376017c40b4be9af5bc79cbb4ef6f53d7 , < 2db11504ef82a60c1a2063ba7431a5cd013ecfcb (git) |
| Linux | Linux | Affected: 43279e5376017c40b4be9af5bc79cbb4ef6f53d7 , < b98333c67daf887c724cd692e88e2db9418c0861 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:55:47.946343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:22.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d55ce46dd543c6965970ce70c22c3076dd35b1e",
"status": "affected",
"version": "43279e5376017c40b4be9af5bc79cbb4ef6f53d7",
"versionType": "git"
},
{
"lessThan": "6fbdc3980b70e9c1c86eccea7d5ee68108008fa7",
"status": "affected",
"version": "43279e5376017c40b4be9af5bc79cbb4ef6f53d7",
"versionType": "git"
},
{
"lessThan": "2db11504ef82a60c1a2063ba7431a5cd013ecfcb",
"status": "affected",
"version": "43279e5376017c40b4be9af5bc79cbb4ef6f53d7",
"versionType": "git"
},
{
"lessThan": "b98333c67daf887c724cd692e88e2db9418c0861",
"status": "affected",
"version": "43279e5376017c40b4be9af5bc79cbb4ef6f53d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/dlm/lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix possible lkb_resource null dereference\n\nThis patch fixes a possible null pointer dereference when this function is\ncalled from request_lock() as lkb-\u003elkb_resource is not assigned yet,\nonly after validate_lock_args() by calling attach_lkb(). Another issue\nis that a resource name could be a non printable bytearray and we cannot\nassume to be ASCII coded.\n\nThe log functionality is probably never being hit when DLM is used in\nnormal way and no debug logging is enabled. The null pointer dereference\ncan only occur on a new created lkb that does not have the resource\nassigned yet, it probably never hits the null pointer dereference but we\nshould be sure that other changes might not change this behaviour and we\nactually can hit the mentioned null pointer dereference.\n\nIn this patch we just drop the printout of the resource name, the lkb id\nis enough to make a possible connection to a resource name if this\nexists."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:11.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d55ce46dd543c6965970ce70c22c3076dd35b1e"
},
{
"url": "https://git.kernel.org/stable/c/6fbdc3980b70e9c1c86eccea7d5ee68108008fa7"
},
{
"url": "https://git.kernel.org/stable/c/2db11504ef82a60c1a2063ba7431a5cd013ecfcb"
},
{
"url": "https://git.kernel.org/stable/c/b98333c67daf887c724cd692e88e2db9418c0861"
}
],
"title": "dlm: fix possible lkb_resource null dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47809",
"datePublished": "2025-01-11T12:25:15.356Z",
"dateReserved": "2025-01-09T09:51:32.479Z",
"dateUpdated": "2026-03-25T10:19:11.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31563 (GCVE-0-2026-31563)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-27 14:04
Title
net: macb: Use dev_consume_skb_any() to free TX SKBs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: Use dev_consume_skb_any() to free TX SKBs
The napi_consume_skb() function is not intended to be called in an IRQ
disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix
tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs
disabled. To resolve the following call trace, use dev_consume_skb_any()
for freeing TX SKBs:
WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT
Hardware name: ZynqMP ZCU102 Rev1.1 (DT)
pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __local_bh_enable_ip+0x174/0x188
lr : local_bh_enable+0x24/0x38
sp : ffff800082b3bb10
x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0
x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80
x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000
x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001
x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000
x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650
x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258
x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc
Call trace:
__local_bh_enable_ip+0x174/0x188 (P)
local_bh_enable+0x24/0x38
skb_attempt_defer_free+0x190/0x1d8
napi_consume_skb+0x58/0x108
macb_tx_poll+0x1a4/0x558
__napi_poll+0x50/0x198
net_rx_action+0x1f4/0x3d8
handle_softirqs+0x16c/0x560
run_ksoftirqd+0x44/0x80
smpboot_thread_fn+0x1d8/0x338
kthread+0x120/0x150
ret_from_fork+0x10/0x20
irq event stamp: 29751
hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88
hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98
softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560
softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6 , < 92e7081f0c79d9073087e54bab745bb184192c2e (git) |
| Linux | Linux | Affected: 5430388a81113e62a2d48b5d7dc1e76231908ebf , < 78c8b090a3d5c1689dc989861b0163180db2b3f8 (git) |
| Linux | Linux | Affected: 7db8aa3fc4ed0a2928246747b2514b0741a8187e , < 984350b37372f79f71d4f0a5264c640e40daf9ce (git) |
| Linux | Linux | Affected: 6bc8a5098bf4a365c4086a4a4130bfab10a58260 , < f4bc91398b579730284328322365afa77a9d568f (git) |
| Linux | Linux | Affected: 6bc8a5098bf4a365c4086a4a4130bfab10a58260 , < ca4d05afb4683d685bb2c6fccae4386c478f524a (git) |
| Linux | Linux | Affected: 6bc8a5098bf4a365c4086a4a4130bfab10a58260 , < 647b8a2fe474474704110db6bd07f7a139e621eb (git) |
| Linux | Linux | Affected: a4cb0a15ab8e6d06c08229a2c7bdbe1f2454473f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92e7081f0c79d9073087e54bab745bb184192c2e",
"status": "affected",
"version": "aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6",
"versionType": "git"
},
{
"lessThan": "78c8b090a3d5c1689dc989861b0163180db2b3f8",
"status": "affected",
"version": "5430388a81113e62a2d48b5d7dc1e76231908ebf",
"versionType": "git"
},
{
"lessThan": "984350b37372f79f71d4f0a5264c640e40daf9ce",
"status": "affected",
"version": "7db8aa3fc4ed0a2928246747b2514b0741a8187e",
"versionType": "git"
},
{
"lessThan": "f4bc91398b579730284328322365afa77a9d568f",
"status": "affected",
"version": "6bc8a5098bf4a365c4086a4a4130bfab10a58260",
"versionType": "git"
},
{
"lessThan": "ca4d05afb4683d685bb2c6fccae4386c478f524a",
"status": "affected",
"version": "6bc8a5098bf4a365c4086a4a4130bfab10a58260",
"versionType": "git"
},
{
"lessThan": "647b8a2fe474474704110db6bd07f7a139e621eb",
"status": "affected",
"version": "6bc8a5098bf4a365c4086a4a4130bfab10a58260",
"versionType": "git"
},
{
"status": "affected",
"version": "a4cb0a15ab8e6d06c08229a2c7bdbe1f2454473f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Use dev_consume_skb_any() to free TX SKBs\n\nThe napi_consume_skb() function is not intended to be called in an IRQ\ndisabled context. However, after commit 6bc8a5098bf4 (\"net: macb: Fix\ntx_ptr_lock locking\"), the freeing of TX SKBs is performed with IRQs\ndisabled. To resolve the following call trace, use dev_consume_skb_any()\nfor freeing TX SKBs:\n WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15\n Modules linked in:\n CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT\n Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __local_bh_enable_ip+0x174/0x188\n lr : local_bh_enable+0x24/0x38\n sp : ffff800082b3bb10\n x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0\n x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80\n x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000\n x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001\n x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000\n x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650\n x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258\n x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000\n x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc\n Call trace:\n __local_bh_enable_ip+0x174/0x188 (P)\n local_bh_enable+0x24/0x38\n skb_attempt_defer_free+0x190/0x1d8\n napi_consume_skb+0x58/0x108\n macb_tx_poll+0x1a4/0x558\n __napi_poll+0x50/0x198\n net_rx_action+0x1f4/0x3d8\n handle_softirqs+0x16c/0x560\n run_ksoftirqd+0x44/0x80\n smpboot_thread_fn+0x1d8/0x338\n kthread+0x120/0x150\n ret_from_fork+0x10/0x20\n irq event stamp: 29751\n hardirqs last enabled at (29750): [\u003cffff8000813be184\u003e] _raw_spin_unlock_irqrestore+0x44/0x88\n hardirqs last disabled at (29751): [\u003cffff8000813bdf60\u003e] _raw_spin_lock_irqsave+0x38/0x98\n softirqs last enabled at (29150): [\u003cffff8000800f1aec\u003e] handle_softirqs+0x504/0x560\n softirqs last disabled at (29153): [\u003cffff8000800f2fec\u003e] run_ksoftirqd+0x44/0x80"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:05.798Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92e7081f0c79d9073087e54bab745bb184192c2e"
},
{
"url": "https://git.kernel.org/stable/c/78c8b090a3d5c1689dc989861b0163180db2b3f8"
},
{
"url": "https://git.kernel.org/stable/c/984350b37372f79f71d4f0a5264c640e40daf9ce"
},
{
"url": "https://git.kernel.org/stable/c/f4bc91398b579730284328322365afa77a9d568f"
},
{
"url": "https://git.kernel.org/stable/c/ca4d05afb4683d685bb2c6fccae4386c478f524a"
},
{
"url": "https://git.kernel.org/stable/c/647b8a2fe474474704110db6bd07f7a139e621eb"
}
],
"title": "net: macb: Use dev_consume_skb_any() to free TX SKBs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31563",
"datePublished": "2026-04-24T14:35:44.610Z",
"dateReserved": "2026-03-09T15:48:24.116Z",
"dateUpdated": "2026-04-27T14:04:05.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31498 (GCVE-0-2026-31498)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED
state to support L2CAP reconfiguration (e.g. MTU changes). However,
since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from
the initial configuration, the reconfiguration path falls through to
l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations and sets
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.
Fix the double-init by skipping l2cap_ertm_init() and
l2cap_chan_ready() when the channel is already in BT_CONNECTED state,
while still allowing the reconfiguration parameters to be updated
through l2cap_parse_conf_req(). Also add a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 9760b83cfd24b38caee663f429011a0dd6064fa9 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < de37e2655b7abc3f59254c6b72256840f39fc6d5 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < e7aab23b7df89a3d754a5f0a7d2237548b328bd0 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 52667c859fe33f70c2e711cb81bbd505d5eb8e75 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 9a21a631ee034b1573dce14b572a24943dbfd7ae (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 900e4db5385ec2cacd372345a80ab9c8e105b3a3 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 042e2cd4bb11e5313b19b87593616524949e4c52 (git) |
| Linux | Linux | Affected: 96298f640104e4cd9a913a6e50b0b981829b94ff , < 25f420a0d4cfd61d3d23ec4b9c56d9f443d91377 (git) |
| Linux | Linux | Affected: 4ad03ff6f680681c5f78254e37c4c856fa953629 (git) |
| Linux | Linux | Affected: b7d0ca715c1008acd2fc018f02a56fed88f78b75 (git) |
| Linux | Linux | Affected: 799263eb37a4f7f6d39334046929c3bc92452a7f (git) |
| Linux | Linux | Affected: 8828622fb9b4201eeb0870587052e3d834cfaf61 (git) |
| Linux | Linux | Affected: b432ea85ab8472763870dd0f2c186130dd36d68c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9760b83cfd24b38caee663f429011a0dd6064fa9",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "de37e2655b7abc3f59254c6b72256840f39fc6d5",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "e7aab23b7df89a3d754a5f0a7d2237548b328bd0",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "52667c859fe33f70c2e711cb81bbd505d5eb8e75",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "9a21a631ee034b1573dce14b572a24943dbfd7ae",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "900e4db5385ec2cacd372345a80ab9c8e105b3a3",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "042e2cd4bb11e5313b19b87593616524949e4c52",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"lessThan": "25f420a0d4cfd61d3d23ec4b9c56d9f443d91377",
"status": "affected",
"version": "96298f640104e4cd9a913a6e50b0b981829b94ff",
"versionType": "git"
},
{
"status": "affected",
"version": "4ad03ff6f680681c5f78254e37c4c856fa953629",
"versionType": "git"
},
{
"status": "affected",
"version": "b7d0ca715c1008acd2fc018f02a56fed88f78b75",
"versionType": "git"
},
{
"status": "affected",
"version": "799263eb37a4f7f6d39334046929c3bc92452a7f",
"versionType": "git"
},
{
"status": "affected",
"version": "8828622fb9b4201eeb0870587052e3d834cfaf61",
"versionType": "git"
},
{
"status": "affected",
"version": "b432ea85ab8472763870dd0f2c186130dd36d68c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.69",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan-\u003esdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:19.714Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9760b83cfd24b38caee663f429011a0dd6064fa9"
},
{
"url": "https://git.kernel.org/stable/c/de37e2655b7abc3f59254c6b72256840f39fc6d5"
},
{
"url": "https://git.kernel.org/stable/c/e7aab23b7df89a3d754a5f0a7d2237548b328bd0"
},
{
"url": "https://git.kernel.org/stable/c/52667c859fe33f70c2e711cb81bbd505d5eb8e75"
},
{
"url": "https://git.kernel.org/stable/c/9a21a631ee034b1573dce14b572a24943dbfd7ae"
},
{
"url": "https://git.kernel.org/stable/c/900e4db5385ec2cacd372345a80ab9c8e105b3a3"
},
{
"url": "https://git.kernel.org/stable/c/042e2cd4bb11e5313b19b87593616524949e4c52"
},
{
"url": "https://git.kernel.org/stable/c/25f420a0d4cfd61d3d23ec4b9c56d9f443d91377"
}
],
"title": "Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31498",
"datePublished": "2026-04-22T13:54:19.714Z",
"dateReserved": "2026-03-09T15:48:24.103Z",
"dateUpdated": "2026-04-22T13:54:19.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31409 (GCVE-0-2026-31409)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:38 – Updated: 2026-04-27 14:02
Title
ksmbd: unset conn->binding on failed binding request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: unset conn->binding on failed binding request
When a multichannel SMB2_SESSION_SETUP request with
SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
but never clears it on the error path. This leaves the connection in
a binding state where all subsequent ksmbd_session_lookup_all() calls
fall back to the global sessions table. Fix this by clearing
conn->binding = false in the error path.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < d073870dab8f6dadced81d13d273ff0b21cb7f4e (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 6ebef4a220a1ebe345de899ebb9ae394206fe921 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 89afe5e2dbea6e9d8e5f11324149d06fa3a4efca (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 6260fc85ed1298a71d24a75d01f8b2e56d489a60 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d073870dab8f6dadced81d13d273ff0b21cb7f4e",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "6ebef4a220a1ebe345de899ebb9ae394206fe921",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "89afe5e2dbea6e9d8e5f11324149d06fa3a4efca",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "6260fc85ed1298a71d24a75d01f8b2e56d489a60",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "282343cf8a4a5a3603b1cb0e17a7083e4a593b03",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn-\u003ebinding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn-\u003ebinding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn-\u003ebinding = false in the error path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:56.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e"
},
{
"url": "https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921"
},
{
"url": "https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca"
},
{
"url": "https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772"
},
{
"url": "https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60"
},
{
"url": "https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03"
}
],
"title": "ksmbd: unset conn-\u003ebinding on failed binding request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31409",
"datePublished": "2026-04-06T07:38:21.223Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-27T14:02:56.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23339 (GCVE-0-2026-23339)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
nfc: nci: free skb on nci_transceive early error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: free skb on nci_transceive early error paths
nci_transceive() takes ownership of the skb passed by the caller,
but the -EPROTO, -EINVAL, and -EBUSY error paths return without
freeing it.
Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes
the nci/nci_dev selftest hits the error path occasionally in NIPA,
and kmemleak detects leaks:
unreferenced object 0xff11000015ce6a40 (size 640):
comm "nci_dev", pid 3954, jiffies 4295441246
hex dump (first 32 bytes):
6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
backtrace (crc 7c40cc2a):
kmem_cache_alloc_node_noprof+0x492/0x630
__alloc_skb+0x11e/0x5f0
alloc_skb_with_frags+0xc6/0x8f0
sock_alloc_send_pskb+0x326/0x3f0
nfc_alloc_send_skb+0x94/0x1d0
rawsock_sendmsg+0x162/0x4c0
do_syscall_64+0x117/0xfc0
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < b367cb44d919f35b07cd56feffa15e68cd9f53f9 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 6d898f943766440cf766d30364e715111c3563b5 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 33f6b8a96dda045789796c3bcb451c74ac158039 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 3245801d44a44c090acefe19a12d22d12cac45c5 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 9d448bbab724b94d6c561e1f314656f5b88a7cb3 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 54f7f0eaafa56b5994cdb5c7967946922c2e1d22 (git) |
| Linux | Linux | Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 7bd4b0c4779f978a6528c9b7937d2ca18e936e2c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b367cb44d919f35b07cd56feffa15e68cd9f53f9",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "6d898f943766440cf766d30364e715111c3563b5",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "33f6b8a96dda045789796c3bcb451c74ac158039",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "3245801d44a44c090acefe19a12d22d12cac45c5",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "9d448bbab724b94d6c561e1f314656f5b88a7cb3",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "54f7f0eaafa56b5994cdb5c7967946922c2e1d22",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "7bd4b0c4779f978a6528c9b7937d2ca18e936e2c",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free skb on nci_transceive early error paths\n\nnci_transceive() takes ownership of the skb passed by the caller,\nbut the -EPROTO, -EINVAL, and -EBUSY error paths return without\nfreeing it.\n\nDue to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes\nthe nci/nci_dev selftest hits the error path occasionally in NIPA,\nand kmemleak detects leaks:\n\nunreferenced object 0xff11000015ce6a40 (size 640):\n comm \"nci_dev\", pid 3954, jiffies 4295441246\n hex dump (first 32 bytes):\n 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n backtrace (crc 7c40cc2a):\n kmem_cache_alloc_node_noprof+0x492/0x630\n __alloc_skb+0x11e/0x5f0\n alloc_skb_with_frags+0xc6/0x8f0\n sock_alloc_send_pskb+0x326/0x3f0\n nfc_alloc_send_skb+0x94/0x1d0\n rawsock_sendmsg+0x162/0x4c0\n do_syscall_64+0x117/0xfc0"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:02.658Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b367cb44d919f35b07cd56feffa15e68cd9f53f9"
},
{
"url": "https://git.kernel.org/stable/c/6d898f943766440cf766d30364e715111c3563b5"
},
{
"url": "https://git.kernel.org/stable/c/33f6b8a96dda045789796c3bcb451c74ac158039"
},
{
"url": "https://git.kernel.org/stable/c/dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89"
},
{
"url": "https://git.kernel.org/stable/c/3245801d44a44c090acefe19a12d22d12cac45c5"
},
{
"url": "https://git.kernel.org/stable/c/9d448bbab724b94d6c561e1f314656f5b88a7cb3"
},
{
"url": "https://git.kernel.org/stable/c/54f7f0eaafa56b5994cdb5c7967946922c2e1d22"
},
{
"url": "https://git.kernel.org/stable/c/7bd4b0c4779f978a6528c9b7937d2ca18e936e2c"
}
],
"title": "nfc: nci: free skb on nci_transceive early error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23339",
"datePublished": "2026-03-25T10:27:28.073Z",
"dateReserved": "2026-01-13T15:37:45.997Z",
"dateUpdated": "2026-04-18T08:58:02.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31658 (GCVE-0-2026-31658)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns
NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the
stack the packet was consumed, the skb is never freed, leaking memory
on every DMA mapping failure.
Add dev_kfree_skb_any() before returning to properly free the skb.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < ae2cd46f57f422b51aedd406ff5d75cbff401d5d (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < cb1d318702fdf643061350d164250198df4116f2 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < d5ec406f0543bd6cdfd563b08015fdec8c4d5712 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 2eb9d67704ca8f1101f7435b85f113ede471f9f2 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 60f462cd2716d86bd2174f9d5e035c9278f30480 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 3aca300e88afe56afb000cdc4c65383014fb17f9 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 6dede3967619b5944003227a5d09fdc21ed57d10 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae2cd46f57f422b51aedd406ff5d75cbff401d5d",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "cb1d318702fdf643061350d164250198df4116f2",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "d5ec406f0543bd6cdfd563b08015fdec8c4d5712",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "2eb9d67704ca8f1101f7435b85f113ede471f9f2",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "60f462cd2716d86bd2174f9d5e035c9278f30480",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "3aca300e88afe56afb000cdc4c65383014fb17f9",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "6dede3967619b5944003227a5d09fdc21ed57d10",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()\n\nWhen dma_map_single() fails in tse_start_xmit(), the function returns\nNETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the\nstack the packet was consumed, the skb is never freed, leaking memory\non every DMA mapping failure.\n\nAdd dev_kfree_skb_any() before returning to properly free the skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:09.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae2cd46f57f422b51aedd406ff5d75cbff401d5d"
},
{
"url": "https://git.kernel.org/stable/c/cb1d318702fdf643061350d164250198df4116f2"
},
{
"url": "https://git.kernel.org/stable/c/d5ec406f0543bd6cdfd563b08015fdec8c4d5712"
},
{
"url": "https://git.kernel.org/stable/c/2eb9d67704ca8f1101f7435b85f113ede471f9f2"
},
{
"url": "https://git.kernel.org/stable/c/9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7"
},
{
"url": "https://git.kernel.org/stable/c/60f462cd2716d86bd2174f9d5e035c9278f30480"
},
{
"url": "https://git.kernel.org/stable/c/3aca300e88afe56afb000cdc4c65383014fb17f9"
},
{
"url": "https://git.kernel.org/stable/c/6dede3967619b5944003227a5d09fdc21ed57d10"
}
],
"title": "net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31658",
"datePublished": "2026-04-24T14:45:09.566Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:09.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31752 (GCVE-0-2026-31752)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
bridge: br_nd_send: validate ND option lengths
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: br_nd_send: validate ND option lengths
br_nd_send() walks ND options according to option-provided lengths.
A malformed option can make the parser advance beyond the computed
option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < 82a42eceec7c6bdb0e0da94c0542a173b7ea57f2 (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < 259466f76f5a2148aff11134e68f4b4c6d52725b (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < c49b9256bbacb6a135654aebd12e4c0e87166b7c (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < 837392a38445729c22e03d3abcf33f07763efd85 (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < e71303a9190496136e240c4f2872b7b0b16027a7 (git) |
| Linux | Linux | Affected: ed842faeb2bd49256f00485402f3113205f91d30, < 850837965af15707fd3142c1cf3c5bfaf022299b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_arp_nd_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82a42eceec7c6bdb0e0da94c0542a173b7ea57f2",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "259466f76f5a2148aff11134e68f4b4c6d52725b",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "c49b9256bbacb6a135654aebd12e4c0e87166b7c",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "837392a38445729c22e03d3abcf33f07763efd85",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "e71303a9190496136e240c4f2872b7b0b16027a7",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "850837965af15707fd3142c1cf3c5bfaf022299b",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_arp_nd_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: validate ND option lengths\n\nbr_nd_send() walks ND options according to option-provided lengths.\nA malformed option can make the parser advance beyond the computed\noption span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:44.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82a42eceec7c6bdb0e0da94c0542a173b7ea57f2"
},
{
"url": "https://git.kernel.org/stable/c/259466f76f5a2148aff11134e68f4b4c6d52725b"
},
{
"url": "https://git.kernel.org/stable/c/ee02d8991fd7bd86ed6ebd0deb4aab53feb0e43a"
},
{
"url": "https://git.kernel.org/stable/c/e0bfd6d4dc77ab345b6c65eef0cfe9b2f69085aa"
},
{
"url": "https://git.kernel.org/stable/c/c49b9256bbacb6a135654aebd12e4c0e87166b7c"
},
{
"url": "https://git.kernel.org/stable/c/837392a38445729c22e03d3abcf33f07763efd85"
},
{
"url": "https://git.kernel.org/stable/c/e71303a9190496136e240c4f2872b7b0b16027a7"
},
{
"url": "https://git.kernel.org/stable/c/850837965af15707fd3142c1cf3c5bfaf022299b"
}
],
"title": "bridge: br_nd_send: validate ND option lengths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31752",
"datePublished": "2026-05-01T14:14:44.298Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:44.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38250 (GCVE-0-2025-38250)
Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2026-03-25 10:19
Title
Bluetooth: hci_core: Fix use-after-free in vhci_flush()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: Fix use-after-free in vhci_flush()
syzbot reported use-after-free in vhci_flush() without repro. [0]
From the splat, a thread close()d a vhci file descriptor while
its device was being used by ioctl() on another thread.
Once the last fd refcnt is released, vhci_release() calls
hci_unregister_dev(), hci_free_dev(), and kfree() for struct
vhci_data, which is set to hci_dev->dev->driver_data.
The problem is that there is no synchronisation after unlinking
hdev from hci_dev_list in hci_unregister_dev(). There might be
another thread still accessing the hdev which was fetched before
the unlink operation.
We can use SRCU for such synchronisation.
Let's run hci_dev_reset() under SRCU and wait for its completion
in hci_unregister_dev().
Another option would be to restore hci_dev->destruct(), which was
removed in commit 587ae086f6e4 ("Bluetooth: Remove unused
hci-destruct cb"). However, this would not be a good solution, as
we should not run hci_unregister_dev() while there are in-flight
ioctl() requests, which could lead to another data-race KCSAN splat.
Note that other drivers seem to have the same problem, for example,
virtbt_remove().
[0]:
BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718
CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
skb_queue_purge include/linux/skbuff.h:3368 [inline]
vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69
hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]
hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592
sock_do_ioctl+0xd9/0x300 net/socket.c:1190
sock_ioctl+0x576/0x790 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcf5b98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929
RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009
RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528
</TASK>
Allocated by task 6535:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635
misc_open+0x2bc/0x330 drivers/char/misc.c:161
chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf0/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3887 [inline]
path_openat+0x2ee5/0x3830 fs/name
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f, < c56b177efce8b62798e4d96bdb9867106cb7c4a0 (git) |
| Linux | Linux | Affected: bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f, < bc0819a25e04cd68ef3568cfa51b63118fea39a7 (git) |
| Linux | Linux | Affected: bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f, < ce23b73f0f27e2dbeb81734a79db710f05aa33c6 (git) |
| Linux | Linux | Affected: bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f, < 0e5c144c557df910ab64d9c25d06399a9a735e65 (git) |
| Linux | Linux | Affected: bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f, < 1d6123102e9fbedc8d25bf4731da6d513173e49e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c56b177efce8b62798e4d96bdb9867106cb7c4a0",
"status": "affected",
"version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f",
"versionType": "git"
},
{
"lessThan": "bc0819a25e04cd68ef3568cfa51b63118fea39a7",
"status": "affected",
"version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f",
"versionType": "git"
},
{
"lessThan": "ce23b73f0f27e2dbeb81734a79db710f05aa33c6",
"status": "affected",
"version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f",
"versionType": "git"
},
{
"lessThan": "0e5c144c557df910ab64d9c25d06399a9a735e65",
"status": "affected",
"version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f",
"versionType": "git"
},
{
"lessThan": "1d6123102e9fbedc8d25bf4731da6d513173e49e",
"status": "affected",
"version": "bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/hci_core.h",
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix use-after-free in vhci_flush()\n\nsyzbot reported use-after-free in vhci_flush() without repro. [0]\n\nFrom the splat, a thread close()d a vhci file descriptor while\nits device was being used by iotcl() on another thread.\n\nOnce the last fd refcnt is released, vhci_release() calls\nhci_unregister_dev(), hci_free_dev(), and kfree() for struct\nvhci_data, which is set to hci_dev-\u003edev-\u003edriver_data.\n\nThe problem is that there is no synchronisation after unlinking\nhdev from hci_dev_list in hci_unregister_dev(). There might be\nanother thread still accessing the hdev which was fetched before\nthe unlink operation.\n\nWe can use SRCU for such synchronisation.\n\nLet\u0027s run hci_dev_reset() under SRCU and wait for its completion\nin hci_unregister_dev().\n\nAnother option would be to restore hci_dev-\u003edestruct(), which was\nremoved in commit 587ae086f6e4 (\"Bluetooth: Remove unused\nhci-destruct cb\"). 
However, this would not be a good solution, as\nwe should not run hci_unregister_dev() while there are in-flight\nioctl() requests, which could lead to another data-race KCSAN splat.\n\nNote that other drivers seem to have the same problem, for exmaple,\nvirtbt_remove().\n\n[0]:\nBUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\nBUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\nRead of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718\n\nCPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\n skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\n skb_queue_purge include/linux/skbuff.h:3368 [inline]\n vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69\n hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]\n hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592\n sock_do_ioctl+0xd9/0x300 net/socket.c:1190\n sock_ioctl+0x576/0x790 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcf5b98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 
0000000000000010\nRAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929\nRDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009\nRBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528\n \u003c/TASK\u003e\n\nAllocated by task 6535:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635\n misc_open+0x2bc/0x330 drivers/char/misc.c:161\n chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414\n do_dentry_open+0xdf0/0x1970 fs/open.c:964\n vfs_open+0x3b/0x340 fs/open.c:1094\n do_open fs/namei.c:3887 [inline]\n path_openat+0x2ee5/0x3830 fs/name\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:28.788Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c56b177efce8b62798e4d96bdb9867106cb7c4a0"
},
{
"url": "https://git.kernel.org/stable/c/bc0819a25e04cd68ef3568cfa51b63118fea39a7"
},
{
"url": "https://git.kernel.org/stable/c/ce23b73f0f27e2dbeb81734a79db710f05aa33c6"
},
{
"url": "https://git.kernel.org/stable/c/0e5c144c557df910ab64d9c25d06399a9a735e65"
},
{
"url": "https://git.kernel.org/stable/c/1d6123102e9fbedc8d25bf4731da6d513173e49e"
}
],
"title": "Bluetooth: hci_core: Fix use-after-free in vhci_flush()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38250",
"datePublished": "2025-07-09T10:42:30.294Z",
"dateReserved": "2025-04-16T04:51:23.997Z",
"dateUpdated": "2026-03-25T10:19:28.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31418 (GCVE-0-2026-31418)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-04-18 08:59
Title
netfilter: ipset: drop logically empty buckets in mtype_del
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: drop logically empty buckets in mtype_del

mtype_del() counts empty slots below n->pos in k, but it only drops the
bucket when both n->pos and k are zero. This misses buckets whose live
entries have all been removed while n->pos still points past deleted slots.

Treat a bucket as empty when all positions below n->pos are unused and
release it directly instead of shrinking it further.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < c098ff857e7ca923539164af5b3c2fe3e8f8afaf (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 58f3a14826d4e6b0d5421f1a64be280b48601ea2 (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 6cea34d7ec6829b62f521a37a287f670144a2233 (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < b7eef00f08b92b0b9efe8ae0df6d0005e6199323 (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4 (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < ceacaa76f221a6577aba945bb8873c2e640aeba4 (git) |
| Linux | Linux | Affected: 8af1c6fbd9239877998c7f5a591cb2c88d41fb66 , < 9862ef9ab0a116c6dca98842aab7de13a252ae02 (git) |
| Linux | Linux | Affected: 6c717726f341fd8f39a3ec2dcf5d98d9d28a2769 (git) |
| Linux | Linux | Affected: d2997d64dfa65082236bca1efd596b6c935daf5e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_gen.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c098ff857e7ca923539164af5b3c2fe3e8f8afaf",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "58f3a14826d4e6b0d5421f1a64be280b48601ea2",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "6cea34d7ec6829b62f521a37a287f670144a2233",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "b7eef00f08b92b0b9efe8ae0df6d0005e6199323",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "ceacaa76f221a6577aba945bb8873c2e640aeba4",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"lessThan": "9862ef9ab0a116c6dca98842aab7de13a252ae02",
"status": "affected",
"version": "8af1c6fbd9239877998c7f5a591cb2c88d41fb66",
"versionType": "git"
},
{
"status": "affected",
"version": "6c717726f341fd8f39a3ec2dcf5d98d9d28a2769",
"versionType": "git"
},
{
"status": "affected",
"version": "d2997d64dfa65082236bca1efd596b6c935daf5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_hash_gen.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n-\u003epos in k, but it only drops the\nbucket when both n-\u003epos and k are zero. This misses buckets whose live\nentries have all been removed while n-\u003epos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n-\u003epos are unused and\nrelease it directly instead of shrinking it further."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:32.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c098ff857e7ca923539164af5b3c2fe3e8f8afaf"
},
{
"url": "https://git.kernel.org/stable/c/58f3a14826d4e6b0d5421f1a64be280b48601ea2"
},
{
"url": "https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb"
},
{
"url": "https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233"
},
{
"url": "https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323"
},
{
"url": "https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4"
},
{
"url": "https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4"
},
{
"url": "https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02"
}
],
"title": "netfilter: ipset: drop logically empty buckets in mtype_del",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31418",
"datePublished": "2026-04-13T13:21:05.316Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-18T08:59:32.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43013 (GCVE-0-2026-43013)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net/mlx5: lag: Check for LAG device before creating debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: lag: Check for LAG device before creating debugfs

__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error
occurs that is handled gracefully. Consequently, the initialization
flow proceeds to call mlx5_ldev_add_debugfs() even when there is no
valid LAG context.

mlx5_ldev_add_debugfs() blindly created the debugfs directory and
attributes. This exposed interfaces (like the members file) that rely on
a valid ldev pointer, leading to potential NULL pointer dereferences if
accessed when ldev is NULL.

Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer
before attempting to create the debugfs entries.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < a3db46d5f4df92630a96f7bc77b60e75c2353e06 (git) |
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < 7129632cab3e4d23510b21930aa73b8d97a859f5 (git) |
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < cfa774e6c920c81e700327bf10db8cb50d5db456 (git) |
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < c53cf44588a93000f71817a6bb87a66353c48dee (git) |
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < 89c65f2fcd8801365b410f40a427cbcd7f4c28e9 (git) |
| Linux | Linux | Affected: 7f46a0b7327ae261f9981888708dbca22c283900 , < bf16bca6653679d8a514d6c1c5a2c67065033f14 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3db46d5f4df92630a96f7bc77b60e75c2353e06",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "7129632cab3e4d23510b21930aa73b8d97a859f5",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "cfa774e6c920c81e700327bf10db8cb50d5db456",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "c53cf44588a93000f71817a6bb87a66353c48dee",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "89c65f2fcd8801365b410f40a427cbcd7f4c28e9",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
},
{
"lessThan": "bf16bca6653679d8a514d6c1c5a2c67065033f14",
"status": "affected",
"version": "7f46a0b7327ae261f9981888708dbca22c283900",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:18.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3db46d5f4df92630a96f7bc77b60e75c2353e06"
},
{
"url": "https://git.kernel.org/stable/c/7129632cab3e4d23510b21930aa73b8d97a859f5"
},
{
"url": "https://git.kernel.org/stable/c/cfa774e6c920c81e700327bf10db8cb50d5db456"
},
{
"url": "https://git.kernel.org/stable/c/c53cf44588a93000f71817a6bb87a66353c48dee"
},
{
"url": "https://git.kernel.org/stable/c/89c65f2fcd8801365b410f40a427cbcd7f4c28e9"
},
{
"url": "https://git.kernel.org/stable/c/bf16bca6653679d8a514d6c1c5a2c67065033f14"
}
],
"title": "net/mlx5: lag: Check for LAG device before creating debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43013",
"datePublished": "2026-05-01T14:15:18.907Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-01T14:15:18.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23396 (GCVE-0-2026-23396)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-04-18 08:58
Title
wifi: mac80211: fix NULL deref in mesh_matches_local()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
  calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
  mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.

The captured crash log:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>
This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 14a4fd13657a3f2489db6566f081adfb27a49c64 (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 74de6fa472b03bc8cde0a081484e9960bcbda568 (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < c1e3f2416fb27c816ce96d747d3e784e31f4d95c (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 0a4da176ae4b4e075a19c00d3e269cfd5e05a813 (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004 (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 44699c6cdfce80a0f296b54ae9314461e3e41b3d (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 7c55a3deaf7eaaafa2546f8de7fed19382a0a116 (git) |
| Linux | Linux | Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14a4fd13657a3f2489db6566f081adfb27a49c64",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "74de6fa472b03bc8cde0a081484e9960bcbda568",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "c1e3f2416fb27c816ce96d747d3e784e31f4d95c",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "0a4da176ae4b4e075a19c00d3e269cfd5e05a813",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "44699c6cdfce80a0f296b54ae9314461e3e41b3d",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "7c55a3deaf7eaaafa2546f8de7fed19382a0a116",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie-\u003emesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie-\u003emesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems-\u003emesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems-\u003emesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n \u003cTASK\u003e\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? 
__pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nThis patch adds a NULL check for ie-\u003emesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:31.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64"
},
{
"url": "https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568"
},
{
"url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"
},
{
"url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"
},
{
"url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"
},
{
"url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"
},
{
"url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"
},
{
"url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"
}
],
"title": "wifi: mac80211: fix NULL deref in mesh_matches_local()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23396",
"datePublished": "2026-03-26T10:22:49.287Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-18T08:58:31.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23428 (GCVE-0-2026-23428)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
ksmbd: fix use-after-free of share_conf in compound request
Summary
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of share_conf in compound request

smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
TREE_CONNECTED on the initial lookup path, but the compound reuse path
bypasses this check entirely.

If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
subsequent commands dereference the freed share_conf through
work->tcon->share_conf.

KASAN report:
[ 4.144653] ==================================================================
[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
[ 4.145772]
[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work
[ 4.145888] Call Trace:
[ 4.145892] <TASK>
[ 4.145894] dump_stack_lvl+0x64/0x80
[ 4.145910] print_report+0xce/0x660
[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 4.145928] ? smb2_write+0xc74/0xe70
[ 4.145931] kasan_report+0xce/0x100
[ 4.145934] ? smb2_write+0xc74/0xe70
[ 4.145937] smb2_write+0xc74/0xe70
[ 4.145939] ? __pfx_smb2_write+0x10/0x10
[ 4.145942] ? _raw_spin_unlock+0xe/0x30
[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0
[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480
[ 4.145951] handle_ksmbd_work+0x40f/0x1080
[ 4.145953] process_one_work+0x5fa/0xef0
[ 4.145962] ? assign_work+0x122/0x3e0
[ 4.145964] worker_thread+0x54b/0xf70
[ 4.145967] ? __pfx_worker_thread+0x10/0x10
[ 4.145970] kthread+0x346/0x470
[ 4.145976] ? recalc_sigpending+0x19b/0x230
[ 4.145980] ? __pfx_kthread+0x10/0x10
[ 4.145984] ret_from_fork+0x4fb/0x6c0
[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10
[ 4.145995] ? __switch_to+0x36c/0xbe0
[ 4.145999] ? __pfx_kthread+0x10/0x10
[ 4.146003] ret_from_fork_asm+0x1a/0x30
[ 4.146013] </TASK>
[ 4.146014]
[ 4.149858] Allocated by task 44:
[ 4.149953] kasan_save_stack+0x33/0x60
[ 4.150061] kasan_save_track+0x14/0x30
[ 4.150169] __kasan_kmalloc+0x8f/0xa0
[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0
[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600
[ 4.150529] smb2_tree_connect+0x2e6/0x1000
[ 4.150645] handle_ksmbd_work+0x40f/0x1080
[ 4.150761] process_one_work+0x5fa/0xef0
[ 4.150873] worker_thread+0x54b/0xf70
[ 4.150978] kthread+0x346/0x470
[ 4.151071] ret_from_fork+0x4fb/0x6c0
[ 4.151176] ret_from_fork_asm+0x1a/0x30
[ 4.151286]
[ 4.151332] Freed by task 44:
[ 4.151418] kasan_save_stack+0x33/0x60
[ 4.151526] kasan_save_track+0x14/0x30
[ 4.151634] kasan_save_free_info+0x3b/0x60
[ 4.151751] __kasan_slab_free+0x43/0x70
[ 4.151861] kfree+0x1ca/0x430
[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190
[ 4.152088] smb2_tree_disconnect+0x1cd/0x480
[ 4.152211] handle_ksmbd_work+0x40f/0x1080
[ 4.152326] process_one_work+0x5fa/0xef0
[ 4.152438] worker_thread+0x54b/0xf70
[ 4.152545] kthread+0x346/0x470
[ 4.152638] ret_from_fork+0x4fb/0x6c0
[ 4.152743] ret_from_fork_asm+0x1a/0x30
[ 4.152853]
[ 4.152900] The buggy address belongs to the object at ffff88810430c180
[ 4.152900] which belongs to the cache kmalloc-96 of size 96
[ 4.153226] The buggy address is located 20 bytes inside of
[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
[ 4.153549]
[ 4.153596] The buggy address belongs to the physical page:
[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
[ 4.154000] flags: 0x
---truncated---
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: eb947403518ea3d93f6d89264bb1f5416bb0c7d0 , < d08417981155883068b7260d9500ca306a03edac (git) |
| Linux | Linux | Affected: 854156d12caa9d36de1cf5f084591c7686cc8a9d , < eae0dc86f71e6f3294c0cd7ffc05039258d243af (git) |
| Linux | Linux | Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < 806f13752652216db0c309392b4db3e64eeed4f2 (git) |
| Linux | Linux | Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < c742b46a153d3ff95ff0825ab1950c87b9e14470 (git) |
| Linux | Linux | Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < 7f7468fd2a7554cea91b7d430335a3dbf01dcc09 (git) |
| Linux | Linux | Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < a5929c2020ce54e1dcbd1078c0f30b8aaf73c105 (git) |
| Linux | Linux | Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < c33615f995aee80657b9fdfbc4ee7f49c2bd733d (git) |
| Linux | Linux | Affected: d1066c1b3663401cd23c0d6e60cdae750ce00c0f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d08417981155883068b7260d9500ca306a03edac",
"status": "affected",
"version": "eb947403518ea3d93f6d89264bb1f5416bb0c7d0",
"versionType": "git"
},
{
"lessThan": "eae0dc86f71e6f3294c0cd7ffc05039258d243af",
"status": "affected",
"version": "854156d12caa9d36de1cf5f084591c7686cc8a9d",
"versionType": "git"
},
{
"lessThan": "806f13752652216db0c309392b4db3e64eeed4f2",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "c742b46a153d3ff95ff0825ab1950c87b9e14470",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "7f7468fd2a7554cea91b7d430335a3dbf01dcc09",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "a5929c2020ce54e1dcbd1078c0f30b8aaf73c105",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "c33615f995aee80657b9fdfbc4ee7f49c2bd733d",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"status": "affected",
"version": "d1066c1b3663401cd23c0d6e60cdae750ce00c0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of share_conf in compound request\n\nsmb2_get_ksmbd_tcon() reuses work-\u003etcon in compound requests without\nvalidating tcon-\u003et_state. ksmbd_tree_conn_lookup() checks t_state ==\nTREE_CONNECTED on the initial lookup path, but the compound reuse path\nbypasses this check entirely.\n\nIf a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state\nto TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),\nsubsequent commands dereference the freed share_conf through\nwork-\u003etcon-\u003eshare_conf.\n\nKASAN report:\n\n[ 4.144653] ==================================================================\n[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70\n[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44\n[ 4.145772]\n[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY\n[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work\n[ 4.145888] Call Trace:\n[ 4.145892] \u003cTASK\u003e\n[ 4.145894] dump_stack_lvl+0x64/0x80\n[ 4.145910] print_report+0xce/0x660\n[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 4.145928] ? smb2_write+0xc74/0xe70\n[ 4.145931] kasan_report+0xce/0x100\n[ 4.145934] ? smb2_write+0xc74/0xe70\n[ 4.145937] smb2_write+0xc74/0xe70\n[ 4.145939] ? __pfx_smb2_write+0x10/0x10\n[ 4.145942] ? _raw_spin_unlock+0xe/0x30\n[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0\n[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480\n[ 4.145951] handle_ksmbd_work+0x40f/0x1080\n[ 4.145953] process_one_work+0x5fa/0xef0\n[ 4.145962] ? assign_work+0x122/0x3e0\n[ 4.145964] worker_thread+0x54b/0xf70\n[ 4.145967] ? __pfx_worker_thread+0x10/0x10\n[ 4.145970] kthread+0x346/0x470\n[ 4.145976] ? recalc_sigpending+0x19b/0x230\n[ 4.145980] ? 
__pfx_kthread+0x10/0x10\n[ 4.145984] ret_from_fork+0x4fb/0x6c0\n[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10\n[ 4.145995] ? __switch_to+0x36c/0xbe0\n[ 4.145999] ? __pfx_kthread+0x10/0x10\n[ 4.146003] ret_from_fork_asm+0x1a/0x30\n[ 4.146013] \u003c/TASK\u003e\n[ 4.146014]\n[ 4.149858] Allocated by task 44:\n[ 4.149953] kasan_save_stack+0x33/0x60\n[ 4.150061] kasan_save_track+0x14/0x30\n[ 4.150169] __kasan_kmalloc+0x8f/0xa0\n[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0\n[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600\n[ 4.150529] smb2_tree_connect+0x2e6/0x1000\n[ 4.150645] handle_ksmbd_work+0x40f/0x1080\n[ 4.150761] process_one_work+0x5fa/0xef0\n[ 4.150873] worker_thread+0x54b/0xf70\n[ 4.150978] kthread+0x346/0x470\n[ 4.151071] ret_from_fork+0x4fb/0x6c0\n[ 4.151176] ret_from_fork_asm+0x1a/0x30\n[ 4.151286]\n[ 4.151332] Freed by task 44:\n[ 4.151418] kasan_save_stack+0x33/0x60\n[ 4.151526] kasan_save_track+0x14/0x30\n[ 4.151634] kasan_save_free_info+0x3b/0x60\n[ 4.151751] __kasan_slab_free+0x43/0x70\n[ 4.151861] kfree+0x1ca/0x430\n[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190\n[ 4.152088] smb2_tree_disconnect+0x1cd/0x480\n[ 4.152211] handle_ksmbd_work+0x40f/0x1080\n[ 4.152326] process_one_work+0x5fa/0xef0\n[ 4.152438] worker_thread+0x54b/0xf70\n[ 4.152545] kthread+0x346/0x470\n[ 4.152638] ret_from_fork+0x4fb/0x6c0\n[ 4.152743] ret_from_fork_asm+0x1a/0x30\n[ 4.152853]\n[ 4.152900] The buggy address belongs to the object at ffff88810430c180\n[ 4.152900] which belongs to the cache kmalloc-96 of size 96\n[ 4.153226] The buggy address is located 20 bytes inside of\n[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)\n[ 4.153549]\n[ 4.153596] The buggy address belongs to the physical page:\n[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c\n[ 4.154000] flags: 0x\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:19.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d08417981155883068b7260d9500ca306a03edac"
},
{
"url": "https://git.kernel.org/stable/c/eae0dc86f71e6f3294c0cd7ffc05039258d243af"
},
{
"url": "https://git.kernel.org/stable/c/806f13752652216db0c309392b4db3e64eeed4f2"
},
{
"url": "https://git.kernel.org/stable/c/c742b46a153d3ff95ff0825ab1950c87b9e14470"
},
{
"url": "https://git.kernel.org/stable/c/7f7468fd2a7554cea91b7d430335a3dbf01dcc09"
},
{
"url": "https://git.kernel.org/stable/c/a5929c2020ce54e1dcbd1078c0f30b8aaf73c105"
},
{
"url": "https://git.kernel.org/stable/c/c33615f995aee80657b9fdfbc4ee7f49c2bd733d"
}
],
"title": "ksmbd: fix use-after-free of share_conf in compound request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23428",
"datePublished": "2026-04-03T15:15:14.981Z",
"dateReserved": "2026-01-13T15:37:46.016Z",
"dateUpdated": "2026-04-27T14:02:19.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31788 (GCVE-0-2026-31788)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:25 – Updated: 2026-04-18 08:59
Title
xen/privcmd: restrict usage in unprivileged domU
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: restrict usage in unprivileged domU
The Xen privcmd driver allows to issue arbitrary hypercalls from
user space processes. This is normally no problem, as access is
usually limited to root and the hypervisor will deny any hypercalls
affecting other domains.
In case the guest is booted using secure boot, however, the privcmd
driver would be enabling a root user process to modify e.g. kernel
memory contents, thus breaking the secure boot feature.
The only known case where an unprivileged domU is really needing to
use the privcmd driver is the case when it is acting as the device
model for another guest. In this case all hypercalls issued via the
privcmd driver will target that other guest.
Fortunately the privcmd driver can already be locked down to allow
only hypercalls targeting a specific domain, but this mode can be
activated from user land only today.
The target domain can be obtained from Xenstore, so when not running
in dom0 restrict the privcmd driver to that target domain from the
beginning, resolving the potential problem of breaking secure boot.
This is XSA-482
---
V2:
- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)
- wait in open() if target domain isn't known yet
- issue message in case no target domain found (Jan Beulich)
Severity
8.2 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 4eb245ff0d33b618e097a2c23de5df56d4ad6969 (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 3ee5b9e3de4b8bdd74183d83205481c91a9effc8 (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 87a803edb2ded911cb587c53bff179d2a2ed2a28 (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 1879319d790f7d57622cdc22807b60ea78b56b6d (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 78432d8f0372c71c518096395537fa12be7ff24e (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4 (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < cbede2e833da1893afbea9b3ff29b5dda23a4a91 (git)<br>Affected: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b , < 453b8fb68f3641fea970db88b7d9a153ed2a37e8 (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-26T16:26:26.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-482.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/24/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/24/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/24/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/24/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/26/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4eb245ff0d33b618e097a2c23de5df56d4ad6969",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "3ee5b9e3de4b8bdd74183d83205481c91a9effc8",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "87a803edb2ded911cb587c53bff179d2a2ed2a28",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "1879319d790f7d57622cdc22807b60ea78b56b6d",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "78432d8f0372c71c518096395537fa12be7ff24e",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "cbede2e833da1893afbea9b3ff29b5dda23a4a91",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
},
{
"lessThan": "453b8fb68f3641fea970db88b7d9a153ed2a37e8",
"status": "affected",
"version": "1c5de1939c204bde9cce87f4eb3d26e9f9eb732b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: restrict usage in unprivileged domU\n\nThe Xen privcmd driver allows to issue arbitrary hypercalls from\nuser space processes. This is normally no problem, as access is\nusually limited to root and the hypervisor will deny any hypercalls\naffecting other domains.\n\nIn case the guest is booted using secure boot, however, the privcmd\ndriver would be enabling a root user process to modify e.g. kernel\nmemory contents, thus breaking the secure boot feature.\n\nThe only known case where an unprivileged domU is really needing to\nuse the privcmd driver is the case when it is acting as the device\nmodel for another guest. In this case all hypercalls issued via the\nprivcmd driver will target that other guest.\n\nFortunately the privcmd driver can already be locked down to allow\nonly hypercalls targeting a specific domain, but this mode can be\nactivated from user land only today.\n\nThe target domain can be obtained from Xenstore, so when not running\nin dom0 restrict the privcmd driver to that target domain from the\nbeginning, resolving the potential problem of breaking secure boot.\n\nThis is XSA-482\n\n---\nV2:\n- defer reading from Xenstore if Xenstore isn\u0027t ready yet (Jan Beulich)\n- wait in open() if target domain isn\u0027t known yet\n- issue message in case no target domain found (Jan Beulich)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:47.134Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969"
},
{
"url": "https://git.kernel.org/stable/c/3ee5b9e3de4b8bdd74183d83205481c91a9effc8"
},
{
"url": "https://git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28"
},
{
"url": "https://git.kernel.org/stable/c/1879319d790f7d57622cdc22807b60ea78b56b6d"
},
{
"url": "https://git.kernel.org/stable/c/78432d8f0372c71c518096395537fa12be7ff24e"
},
{
"url": "https://git.kernel.org/stable/c/389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4"
},
{
"url": "https://git.kernel.org/stable/c/cbede2e833da1893afbea9b3ff29b5dda23a4a91"
},
{
"url": "https://git.kernel.org/stable/c/453b8fb68f3641fea970db88b7d9a153ed2a37e8"
}
],
"title": "xen/privcmd: restrict usage in unprivileged domU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31788",
"datePublished": "2026-03-25T10:25:05.542Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-04-18T08:59:47.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43018 (GCVE-0-2026-43018)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
hci_conn lookup and field access must be covered by hdev lock in
hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed
concurrently.
Extend the hci_dev_lock critical section to cover all conn usage.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < 59eecf0ffde15670e6a5e10c47be67f73d843b20 (git)<br>Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < 5fb69e1eeea9d6cba80517e9f058b56b34bc3a81 (git)<br>Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < 7cadb03be37e761130edb153544fe0770a842b19 (git)<br>Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < 1d0bdbfe3e91c11f0a704c52443a9446a10d699c (git)<br>Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < ea3cd36d7382d5f8309df04c275d20df139ed42c (git)<br>Affected: 95118dd4edfec950898a00180c6f998df0a6406d , < b255531b27da336571411248c2a72a350662bd09 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59eecf0ffde15670e6a5e10c47be67f73d843b20",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
},
{
"lessThan": "5fb69e1eeea9d6cba80517e9f058b56b34bc3a81",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
},
{
"lessThan": "7cadb03be37e761130edb153544fe0770a842b19",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
},
{
"lessThan": "1d0bdbfe3e91c11f0a704c52443a9446a10d699c",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
},
{
"lessThan": "ea3cd36d7382d5f8309df04c275d20df139ed42c",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
},
{
"lessThan": "b255531b27da336571411248c2a72a350662bd09",
"status": "affected",
"version": "95118dd4edfec950898a00180c6f998df0a6406d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_le_remote_conn_param_req_evt, otherwise it\u0027s possible it is freed\nconcurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:05.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59eecf0ffde15670e6a5e10c47be67f73d843b20"
},
{
"url": "https://git.kernel.org/stable/c/5fb69e1eeea9d6cba80517e9f058b56b34bc3a81"
},
{
"url": "https://git.kernel.org/stable/c/7cadb03be37e761130edb153544fe0770a842b19"
},
{
"url": "https://git.kernel.org/stable/c/1d0bdbfe3e91c11f0a704c52443a9446a10d699c"
},
{
"url": "https://git.kernel.org/stable/c/ea3cd36d7382d5f8309df04c275d20df139ed42c"
},
{
"url": "https://git.kernel.org/stable/c/b255531b27da336571411248c2a72a350662bd09"
}
],
"title": "Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43018",
"datePublished": "2026-05-01T14:15:22.308Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-03T05:46:05.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23303 (GCVE-0-2026-23303)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
When debug logging is enabled, cifs_set_cifscreds() logs the key
payload and exposes the plaintext username and password. Remove the
debug log to avoid exposing credentials.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < e5a3b11e07b335006371915b2da47b6056c9e3bc (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 54c570de9a35860dfa85fe668f23ddfda8cc7e26 (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < ff0ece8ed04180c52167c003362284b23cf54e8d (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 3990f352bb0adc8688d0949a9c13e3110570eb61 (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < b746a357abfb8fdb0a171d51ec5091e786d34be1 (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1 (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 3e182701db612ddd794ccd5ed822e6cc1db2b972 (git)<br>Affected: 8a8798a5ff90977d6459ce1d657cf8fe13a51e97 , < 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5a3b11e07b335006371915b2da47b6056c9e3bc",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "54c570de9a35860dfa85fe668f23ddfda8cc7e26",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "ff0ece8ed04180c52167c003362284b23cf54e8d",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "3990f352bb0adc8688d0949a9c13e3110570eb61",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "b746a357abfb8fdb0a171d51ec5091e786d34be1",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "3e182701db612ddd794ccd5ed822e6cc1db2b972",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
},
{
"lessThan": "2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d",
"status": "affected",
"version": "8a8798a5ff90977d6459ce1d657cf8fe13a51e97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Don\u0027t log plaintext credentials in cifs_set_cifscreds\n\nWhen debug logging is enabled, cifs_set_cifscreds() logs the key\npayload and exposes the plaintext username and password. Remove the\ndebug log to avoid exposing credentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:50.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5a3b11e07b335006371915b2da47b6056c9e3bc"
},
{
"url": "https://git.kernel.org/stable/c/54c570de9a35860dfa85fe668f23ddfda8cc7e26"
},
{
"url": "https://git.kernel.org/stable/c/ff0ece8ed04180c52167c003362284b23cf54e8d"
},
{
"url": "https://git.kernel.org/stable/c/3990f352bb0adc8688d0949a9c13e3110570eb61"
},
{
"url": "https://git.kernel.org/stable/c/b746a357abfb8fdb0a171d51ec5091e786d34be1"
},
{
"url": "https://git.kernel.org/stable/c/2ef0fc3bf49db2b9df36d5f44508c9e384bfa2a1"
},
{
"url": "https://git.kernel.org/stable/c/3e182701db612ddd794ccd5ed822e6cc1db2b972"
},
{
"url": "https://git.kernel.org/stable/c/2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d"
}
],
"title": "smb: client: Don\u0027t log plaintext credentials in cifs_set_cifscreds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23303",
"datePublished": "2026-03-25T10:26:58.166Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:50.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71267 (GCVE-0-2025-71267)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02
Title
fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.
A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute
indicates a zero data size while the driver allocates memory for it.
When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set
to zero, it still allocates memory because of al_aligned(0). This creates an
inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is
non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute
list exists and enumerates only the primary MFT record. When it finds
ATTR_LIST, the code reloads it and restarts the enumeration, repeating
indefinitely. The mount operation never completes, hanging the kernel thread.
This patch adds validation to ensure that data_size is non-zero before memory
allocation. When a zero-sized ATTR_LIST is detected, the function returns
-EINVAL, preventing a DoS vulnerability.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 9267d99fade76d44d4a133599524031fe684156e (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 976e6a7c51fabf150478decbe8ef5d9a26039b7c (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 8d8c70b57dbeda3eb165c0940b97e85373ca9354 (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 7ef219656febf5ae06ae56b1fce47ebd05f92b68 (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 9779a6eaaabdf47aa57910d352b398ad742e6a5f (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < fd508939dbca5eceefb2d0c2564beb15469572f2 (git) |
| Linux | Linux | Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074, < 06909b2549d631a47fcda249d34be26f7ca1711d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/attrlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9267d99fade76d44d4a133599524031fe684156e",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "976e6a7c51fabf150478decbe8ef5d9a26039b7c",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "8d8c70b57dbeda3eb165c0940b97e85373ca9354",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "7ef219656febf5ae06ae56b1fce47ebd05f92b68",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "9779a6eaaabdf47aa57910d352b398ad742e6a5f",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "fd508939dbca5eceefb2d0c2564beb15469572f2",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "06909b2549d631a47fcda249d34be26f7ca1711d",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/attrlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni-\u003eattr_list.size is zero, but ni-\u003eattr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:33.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e"
},
{
"url": "https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c"
},
{
"url": "https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354"
},
{
"url": "https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68"
},
{
"url": "https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f"
},
{
"url": "https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2"
},
{
"url": "https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d"
}
],
"title": "fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71267",
"datePublished": "2026-03-18T10:05:04.008Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-04-13T06:02:33.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31497 (GCVE-0-2026-31497)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
Bluetooth: btusb: clamp SCO altsetting table indices
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: clamp SCO altsetting table indices
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.
While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 312c4450fe23014665c163f480edd5ad2e27bbb8 (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 9dd13a8641de79bc1bc93da55cdd35259a002683 (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 476c9262b430c38c6a701a3b8176a3f48689085b (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 6fba3c3d48c927e55611a0f5ea34da88138ed0ff (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 834cf890d2c3d29cbfa1ee2376c40469c28ec297 (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 1019028eb124564cf7bca58a16f1df8a1ca30726 (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 21c254202f9d78abe0fcd642a92966deb92bd226 (git) |
| Linux | Linux | Affected: baac6276c0a9f36f1fe1f00590ef00d2ba5ba626, < 129fa608b6ad08b8ab7178eeb2ec272c993aaccc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "312c4450fe23014665c163f480edd5ad2e27bbb8",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "9dd13a8641de79bc1bc93da55cdd35259a002683",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "476c9262b430c38c6a701a3b8176a3f48689085b",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "6fba3c3d48c927e55611a0f5ea34da88138ed0ff",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "834cf890d2c3d29cbfa1ee2376c40469c28ec297",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "1019028eb124564cf7bca58a16f1df8a1ca30726",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "21c254202f9d78abe0fcd642a92966deb92bd226",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
},
{
"lessThan": "129fa608b6ad08b8ab7178eeb2ec272c993aaccc",
"status": "affected",
"version": "baac6276c0a9f36f1fe1f00590ef00d2ba5ba626",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata-\u003esco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data-\u003esco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[]."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:19.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/312c4450fe23014665c163f480edd5ad2e27bbb8"
},
{
"url": "https://git.kernel.org/stable/c/9dd13a8641de79bc1bc93da55cdd35259a002683"
},
{
"url": "https://git.kernel.org/stable/c/476c9262b430c38c6a701a3b8176a3f48689085b"
},
{
"url": "https://git.kernel.org/stable/c/6fba3c3d48c927e55611a0f5ea34da88138ed0ff"
},
{
"url": "https://git.kernel.org/stable/c/834cf890d2c3d29cbfa1ee2376c40469c28ec297"
},
{
"url": "https://git.kernel.org/stable/c/1019028eb124564cf7bca58a16f1df8a1ca30726"
},
{
"url": "https://git.kernel.org/stable/c/21c254202f9d78abe0fcd642a92966deb92bd226"
},
{
"url": "https://git.kernel.org/stable/c/129fa608b6ad08b8ab7178eeb2ec272c993aaccc"
}
],
"title": "Bluetooth: btusb: clamp SCO altsetting table indices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31497",
"datePublished": "2026-04-22T13:54:19.051Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-04-22T13:54:19.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31689 (GCVE-0-2026-31689)
Vulnerability from cvelistv5 – Published: 2026-04-27 17:34 – Updated: 2026-04-27 17:34
Title
EDAC/mc: Fix error path ordering in edac_mc_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/mc: Fix error path ordering in edac_mc_alloc()
When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path
will call put_device() which will end up calling the device's release
function.
However, the init ordering is wrong such that device_initialize() happens
*after* the failed allocation and thus the device itself and the release
function pointer are not initialized yet when they're called:
MCE: In-kernel MCE decoding enabled.
------------[ cut here ]------------
kobject: '(null)': is not initialized, yet kobject_put() is being called.
WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
RIP: 0010:kobject_put
Call Trace:
<TASK>
edac_mc_alloc+0xbe/0xe0 [edac_core]
amd64_edac_init+0x7a4/0xff0 [amd64_edac]
? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
do_one_initcall
...
Reorder the calling sequence so that the device is initialized and thus the
release function pointer is properly set before it can be used.
This was found by Claude while reviewing another EDAC patch.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < aae95970fad2127a1bd49d8713c7cd0677dcd2d6 (git) |
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < d3de72e2a2b9ee3a57734c1c068823e41a707715 (git) |
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < d20e98c2df9354cc744431ad8ccbf49405b8b40f (git) |
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < 87ce8ae511962e105bcb3534944208c6a9471ed9 (git) |
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < 75825648ce984ca4cebb28e4bd2bf8c3a7e837c5 (git) |
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4, < 51520e03e70d6c73e33ee7cbe0319767d05764fe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/edac_mc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aae95970fad2127a1bd49d8713c7cd0677dcd2d6",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "d3de72e2a2b9ee3a57734c1c068823e41a707715",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "d20e98c2df9354cc744431ad8ccbf49405b8b40f",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "87ce8ae511962e105bcb3534944208c6a9471ed9",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "75825648ce984ca4cebb28e4bd2bf8c3a7e837c5",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "51520e03e70d6c73e33ee7cbe0319767d05764fe",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/edac_mc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci-\u003epvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device\u0027s release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they\u0027re called:\n\n MCE: In-kernel MCE decoding enabled.\n ------------[ cut here ]------------\n kobject: \u0027(null)\u0027: is not initialized, yet kobject_put() is being called.\n WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n RIP: 0010:kobject_put\n Call Trace:\n \u003cTASK\u003e\n edac_mc_alloc+0xbe/0xe0 [edac_core]\n amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n do_one_initcall\n ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:34:27.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6"
},
{
"url": "https://git.kernel.org/stable/c/d3de72e2a2b9ee3a57734c1c068823e41a707715"
},
{
"url": "https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f"
},
{
"url": "https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9"
},
{
"url": "https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5"
},
{
"url": "https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe"
}
],
"title": "EDAC/mc: Fix error path ordering in edac_mc_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31689",
"datePublished": "2026-04-27T17:34:27.793Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-04-27T17:34:27.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23463 (GCVE-0-2026-23463)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
soc: fsl: qbman: fix race condition in qman_destroy_fq
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: fix race condition in qman_destroy_fq
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
Indeed, we can have:
         Thread A                             Thread B
    qman_destroy_fq()                    qman_create_fq()
      qman_release_fqid()
        qman_shutdown_fq()
        gen_pool_free()
           -- At this point, the fqid is available again --
                                           qman_alloc_fqid()
           -- so, we can get the just-freed fqid in thread B --
                                           fq->fqid = fqid;
                                           fq->idx = fqid * 2;
                                           WARN_ON(fq_table[fq->idx]);
                                           fq_table[fq->idx] = fq;
     fq_table[fq->idx] = NULL;
And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb().
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 66442cf9989bd4489fa80d9f37637d58ab016835 (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210 (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8 (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < d21923a8059fa896bfef016f55dd769299335cb4 (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 751f60bd48edaf03f9d84ab09e5ce6705757d50f (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 265e56714635c5dd1e5964bfd97fa6e73f62cde5 (git) |
| Linux | Linux | Affected: c535e923bb97a4b361e89a6383693482057f8b0c, < 014077044e874e270ec480515edbc1cadb976cf2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/fsl/qbman/qman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66442cf9989bd4489fa80d9f37637d58ab016835",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "9e3d47904b8153c8c3ad2f9b66d5008aad677aa8",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "d21923a8059fa896bfef016f55dd769299335cb4",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "751f60bd48edaf03f9d84ab09e5ce6705757d50f",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "265e56714635c5dd1e5964bfd97fa6e73f62cde5",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
},
{
"lessThan": "014077044e874e270ec480515edbc1cadb976cf2",
"status": "affected",
"version": "c535e923bb97a4b361e89a6383693482057f8b0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/fsl/qbman/qman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there\u0027s a race condition between\nfq_table[fq-\u003eidx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq-\u003eidx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n Thread A Thread B\n qman_destroy_fq() qman_create_fq()\n qman_release_fqid()\n qman_shutdown_fq()\n gen_pool_free()\n -- At this point, the fqid is available again --\n qman_alloc_fqid()\n -- so, we can get the just-freed fqid in thread B --\n fq-\u003efqid = fqid;\n fq-\u003eidx = fqid * 2;\n WARN_ON(fq_table[fq-\u003eidx]);\n fq_table[fq-\u003eidx] = fq;\n fq_table[fq-\u003eidx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq-\u003eidx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq-\u003eidx] is set to NULL before\ngen_pool_free() is called by using smp_wmb()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:12.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835"
},
{
"url": "https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210"
},
{
"url": "https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8"
},
{
"url": "https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4"
},
{
"url": "https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f"
},
{
"url": "https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa"
},
{
"url": "https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5"
},
{
"url": "https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2"
}
],
"title": "soc: fsl: qbman: fix race condition in qman_destroy_fq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23463",
"datePublished": "2026-04-03T15:15:42.411Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-04-18T08:59:12.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31473 (GCVE-0-2026-31473)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.
We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.
This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "331242998a7ade5c2f65e14988901614629f3db5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "2c685e99efb3b3bd2b78699fba6b1cf321975db0",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "585fd9a2063dacce8b2820f675ef23d5d17434c5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "1a0d9083c24fbd5d22f7100f09d11e4d696a5f01",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "d8549a453d5bdc0a71de66ad47a1106703406a56",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "72b9e81e0203f03c40f3adb457f55bd4c8eb112d",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "cf2023e84f0888f96f4b65dc0804e7f3651969c1",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "bef4f4a88b73e4cc550d25f665b8a9952af22773",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:27.149Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5"
},
{
"url": "https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0"
},
{
"url": "https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5"
},
{
"url": "https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01"
},
{
"url": "https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"
},
{
"url": "https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d"
},
{
"url": "https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1"
},
{
"url": "https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773"
}
],
"title": "media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31473",
"datePublished": "2026-04-22T13:54:00.970Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-04-27T14:03:27.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31770 (GCVE-0-2026-31770)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
hwmon: (occ) Fix division by zero in occ_show_power_1()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (occ) Fix division by zero in occ_show_power_1()
In occ_show_power_1() case 1, the accumulator is divided by
update_tag without checking for zero. If no samples have been
collected yet (e.g. during early boot when the sensor block is
included but hasn't been updated), update_tag is zero, causing
a kernel divide-by-zero crash.
The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by
zero issue") only addressed occ_get_powr_avg() used by
occ_show_power_2() and occ_show_power_a0(). This separate code
path in occ_show_power_1() was missed.
Fix this by reusing the existing occ_get_powr_avg() helper, which
already handles the zero-sample case and uses mul_u64_u32_div()
to multiply before dividing for better precision. Move the helper
above occ_show_power_1() so it is visible at the call site.
[groeck: Fix alignment problems reported by checkpatch]
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/occ/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7d3712362c8ab8f82f441b649d9e446e7b9aa9d",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "53e6175756b8c474b6247bbcea0aad3d68357475",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "2502684b9e835de9a992ec47c3e6c6faabe3858d",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "37ae8fadc74ed68e5bc364ffd17746d88e449ae3",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "bbbefc48f6617cfb738dcff7f44beb50b5dfeb38",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "243d55bd3f08cb15eee9d63f4716d4d4cdd760f5",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "7b89ce0c98bf3015f493ca4285b2d1056cd8c733",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
},
{
"lessThan": "39e2a5bf970402a8530a319cf06122e216ba57b8",
"status": "affected",
"version": "c10e753d43ebd1d17e1c62bcee20c6124c2c7cca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/occ/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (occ) Fix division by zero in occ_show_power_1()\n\nIn occ_show_power_1() case 1, the accumulator is divided by\nupdate_tag without checking for zero. If no samples have been\ncollected yet (e.g. during early boot when the sensor block is\nincluded but hasn\u0027t been updated), update_tag is zero, causing\na kernel divide-by-zero crash.\n\nThe 2019 fix in commit 211186cae14d (\"hwmon: (occ) Fix division by\nzero issue\") only addressed occ_get_powr_avg() used by\nocc_show_power_2() and occ_show_power_a0(). This separate code\npath in occ_show_power_1() was missed.\n\nFix this by reusing the existing occ_get_powr_avg() helper, which\nalready handles the zero-sample case and uses mul_u64_u32_div()\nto multiply before dividing for better precision. Move the helper\nabove occ_show_power_1() so it is visible at the call site.\n\n[groeck: Fix alignment problems reported by checkpatch]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:59.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7d3712362c8ab8f82f441b649d9e446e7b9aa9d"
},
{
"url": "https://git.kernel.org/stable/c/53e6175756b8c474b6247bbcea0aad3d68357475"
},
{
"url": "https://git.kernel.org/stable/c/2502684b9e835de9a992ec47c3e6c6faabe3858d"
},
{
"url": "https://git.kernel.org/stable/c/37ae8fadc74ed68e5bc364ffd17746d88e449ae3"
},
{
"url": "https://git.kernel.org/stable/c/bbbefc48f6617cfb738dcff7f44beb50b5dfeb38"
},
{
"url": "https://git.kernel.org/stable/c/243d55bd3f08cb15eee9d63f4716d4d4cdd760f5"
},
{
"url": "https://git.kernel.org/stable/c/7b89ce0c98bf3015f493ca4285b2d1056cd8c733"
},
{
"url": "https://git.kernel.org/stable/c/39e2a5bf970402a8530a319cf06122e216ba57b8"
}
],
"title": "hwmon: (occ) Fix division by zero in occ_show_power_1()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31770",
"datePublished": "2026-05-01T14:14:59.256Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-01T14:14:59.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23422 (GCVE-0-2026-23422)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-04-18 08:58
Title
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ
handler") introduces a range check for if_id to avoid an out-of-bounds
access. If an out-of-bounds if_id is detected, the interrupt status is
not cleared. This may result in an interrupt storm.
Clear the interrupt status after detecting an out-of-bounds if_id to avoid
the problem.
Found by an experimental AI code review agent at Google.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7def51cb9fb8b8d5342443372b8cf28d8fbd7f3d",
"status": "affected",
"version": "77611cab5bdfff7a070ae574bbfba20a1de99d1b",
"versionType": "git"
},
{
"lessThan": "b5bababe7703a7322bc59b803ab1587887a2a5e4",
"status": "affected",
"version": "34b56c16efd61325d80bf1d780d0e176be662f59",
"versionType": "git"
},
{
"lessThan": "c7becfe3e604d138bd53b8ac3111b2b3e8ec6b0e",
"status": "affected",
"version": "f89e33c9c37f0001b730e23b3b05ab7b1ecface2",
"versionType": "git"
},
{
"lessThan": "fa4412cdc5178a48799bafcb8af28fd2fbf3d703",
"status": "affected",
"version": "2447edc367800ba914acf7ddd5d250416b45fb31",
"versionType": "git"
},
{
"lessThan": "00f42ace446f1e4bf84988f2281131f52cd32796",
"status": "affected",
"version": "1b381a638e1851d8cfdfe08ed9cdbec5295b18c9",
"versionType": "git"
},
{
"lessThan": "28fd8ac1d49389cb230d712116f54e27ebec11b8",
"status": "affected",
"version": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"versionType": "git"
},
{
"lessThan": "74badb9c20b1a9c02a95c735c6d3cd6121679c93",
"status": "affected",
"version": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler\n\nCommit 31a7a0bbeb00 (\"dpaa2-switch: add bounds check for if_id in IRQ\nhandler\") introduces a range check for if_id to avoid an out-of-bounds\naccess. If an out-of-bounds if_id is detected, the interrupt status is\nnot cleared. This may result in an interrupt storm.\n\nClear the interrupt status after detecting an out-of-bounds if_id to avoid\nthe problem.\n\nFound by an experimental AI code review agent at Google."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:50.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7def51cb9fb8b8d5342443372b8cf28d8fbd7f3d"
},
{
"url": "https://git.kernel.org/stable/c/b5bababe7703a7322bc59b803ab1587887a2a5e4"
},
{
"url": "https://git.kernel.org/stable/c/c7becfe3e604d138bd53b8ac3111b2b3e8ec6b0e"
},
{
"url": "https://git.kernel.org/stable/c/fa4412cdc5178a48799bafcb8af28fd2fbf3d703"
},
{
"url": "https://git.kernel.org/stable/c/00f42ace446f1e4bf84988f2281131f52cd32796"
},
{
"url": "https://git.kernel.org/stable/c/28fd8ac1d49389cb230d712116f54e27ebec11b8"
},
{
"url": "https://git.kernel.org/stable/c/74badb9c20b1a9c02a95c735c6d3cd6121679c93"
}
],
"title": "dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23422",
"datePublished": "2026-04-03T13:24:31.281Z",
"dateReserved": "2026-01-13T15:37:46.015Z",
"dateUpdated": "2026-04-18T08:58:50.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31776 (GCVE-0-2026-31776)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-02 06:14
Title
ALSA: ctxfi: Fix missing SPDIFI1 index handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Fix missing SPDIFI1 index handling
SPDIF1 DAIO type isn't properly handled in daio_device_index() for
hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds
array access. Follow the hw20k1 pattern and return the proper index
for this type, too.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctdaio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "950decf59d4e978b60a792ce0b3e1555a608f489",
"status": "affected",
"version": "a2dbaeb5c61ef110ceefe0d48fe94d428d3bcf16",
"versionType": "git"
},
{
"lessThan": "b045ab3dff97edae6d538eeff900a34c098761f8",
"status": "affected",
"version": "a2dbaeb5c61ef110ceefe0d48fe94d428d3bcf16",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/ctxfi/ctdaio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix missing SPDIFI1 index handling\n\nSPDIF1 DAIO type isn\u0027t properly handled in daio_device_index() for\nhw20k2, and it returned -EINVAL, which ended up with the out-of-bounds\narray access. Follow the hw20k1 pattern and return the proper index\nfor this type, too."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:25.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/950decf59d4e978b60a792ce0b3e1555a608f489"
},
{
"url": "https://git.kernel.org/stable/c/b045ab3dff97edae6d538eeff900a34c098761f8"
}
],
"title": "ALSA: ctxfi: Fix missing SPDIFI1 index handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31776",
"datePublished": "2026-05-01T14:15:04.423Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-02T06:14:25.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23324 (GCVE-0-2026-23324)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
Title
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
When submitting an urb, that is using the anchor pattern, it needs to be
anchored before submitting it otherwise it could be leaked if
usb_kill_anchored_urbs() is called. This logic is correctly done
elsewhere in the driver, except in the read bulk callback so do that
here also.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a0171b4921ad443fee5ed4fcb9d99fa4776edac",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "2185ea6e4ebcb61d1224dc7d187c59723cb5ad59",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "f6e90c113c92e83fc0963d5e60e16b0e8a268981",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b878444519fa03a3edd287d1963cf79ef78be2f1",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "18eee279e9b5bff0db1aca9475ae4bc12804f05c",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "b8f9ca88253574638bcff38900a4c28d570b1919",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
},
{
"lessThan": "5eaad4f768266f1f17e01232ffe2ef009f8129b7",
"status": "affected",
"version": "8537257874e949a59c834cecfd5a063e11b64b0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/etas_es58x/es58x_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb, that is using the anchor pattern, it needs to be\nanchored before submitting it otherwise it could be leaked if\nusb_kill_anchored_urbs() is called. This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:57.249Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac"
},
{
"url": "https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59"
},
{
"url": "https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981"
},
{
"url": "https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1"
},
{
"url": "https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c"
},
{
"url": "https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919"
},
{
"url": "https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7"
}
],
"title": "can: usb: etas_es58x: correctly anchor the urb in the read bulk callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23324",
"datePublished": "2026-03-25T10:27:17.476Z",
"dateReserved": "2026-01-13T15:37:45.996Z",
"dateUpdated": "2026-04-18T08:57:57.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43020 (GCVE-0-2026-43020)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
Bluetooth: MGMT: validate LTK enc_size on load
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate LTK enc_size on load

Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
346af67b8d116f01ef696fd47959a55deb2db8b6 , < 0f37d1e65c6d71ad94ccfb5c602163c525db789d
(git)
Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 257cdb960d8ff6d60bb6461b03c814b6cf0c9e64 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < c34577f517b556fb6ca173d45bf7e766ae2564ce (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < f71695e81f4cb428f3c7e2138eae88199005b52c (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 82f342b3b006ca1d65f4890c05f2ec32fcb808b6 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < 40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009 (git) Affected: 346af67b8d116f01ef696fd47959a55deb2db8b6 , < b8dbe9648d69059cfe3a28917bfbf7e61efd7f15 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f37d1e65c6d71ad94ccfb5c602163c525db789d",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "257cdb960d8ff6d60bb6461b03c814b6cf0c9e64",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "c34577f517b556fb6ca173d45bf7e766ae2564ce",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "f71695e81f4cb428f3c7e2138eae88199005b52c",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "82f342b3b006ca1d65f4890c05f2ec32fcb808b6",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
},
{
"lessThan": "b8dbe9648d69059cfe3a28917bfbf7e61efd7f15",
"status": "affected",
"version": "346af67b8d116f01ef696fd47959a55deb2db8b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key state."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:23.699Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f37d1e65c6d71ad94ccfb5c602163c525db789d"
},
{
"url": "https://git.kernel.org/stable/c/257cdb960d8ff6d60bb6461b03c814b6cf0c9e64"
},
{
"url": "https://git.kernel.org/stable/c/c34577f517b556fb6ca173d45bf7e766ae2564ce"
},
{
"url": "https://git.kernel.org/stable/c/f71695e81f4cb428f3c7e2138eae88199005b52c"
},
{
"url": "https://git.kernel.org/stable/c/82f342b3b006ca1d65f4890c05f2ec32fcb808b6"
},
{
"url": "https://git.kernel.org/stable/c/50fb64defa72a3fecd0af1ca7c6b47b5c5c2b257"
},
{
"url": "https://git.kernel.org/stable/c/40ba329e8b4cd2fb11b0caf5e6a543ceaebb6009"
},
{
"url": "https://git.kernel.org/stable/c/b8dbe9648d69059cfe3a28917bfbf7e61efd7f15"
}
],
"title": "Bluetooth: MGMT: validate LTK enc_size on load",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43020",
"datePublished": "2026-05-01T14:15:23.699Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-01T14:15:23.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31726 (GCVE-0-2026-31726)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: gadget: uvc: fix NULL pointer dereference during unbind race
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: fix NULL pointer dereference during unbind race

Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly
shutdown") introduced two stages of synchronization waits totaling 1500ms
in uvc_function_unbind() to prevent several types of kernel panics.
However, this timing-based approach is insufficient during power
management (PM) transitions.

When the PM subsystem starts freezing user space processes, the
wait_event_interruptible_timeout() is aborted early, which allows the
unbind thread to proceed and nullify the gadget pointer
(cdev->gadget = NULL):

[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
[ 814.178583][ T3173] PM: suspend entry (deep)
[ 814.192487][ T3173] Freezing user space processes
[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release

When the PM subsystem resumes or aborts the suspend and tasks are
restarted, the V4L2 release path is executed and attempts to access the
already nullified gadget pointer, triggering a kernel panic:

[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake
[ 814.386727][ T3173] Restarting tasks ...
[ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4
[ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94
[ 814.404078][ T4558] Call trace:
[ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4
[ 814.404083][ T4558] usb_function_deactivate+0x54/0x94
[ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c
[ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac
[ 814.404095][ T4558] v4l2_release+0xcc/0x130

Address the race condition and NULL pointer dereference by:

1. State Synchronization (flag + mutex)
Introduce a 'func_unbound' flag in struct uvc_device. This allows
uvc_function_disconnect() to safely skip accessing the nullified
cdev->gadget pointer. As suggested by Alan Stern, this flag is protected
by a new mutex (uvc->lock) to ensure proper memory ordering and prevent
instruction reordering or speculative loads. This mutex is also used to
protect 'func_connected' for consistent state management.

2. Explicit Synchronization (completion)
Use a completion to synchronize uvc_function_unbind() with the
uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by
ensuring struct uvc_device is freed after all video device resources
are released.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1444e0568bc2c70868e7b8da5b46fc2252acc3f5 , < 0c00ec409d7b2bce3fcac73188b79a141db7cfda
(git)
Affected: 4962e5a2f301d24953f17d6748d986e21566abe1 , < d92d1532e05b1b31d36d48765e43bf73d793d19f (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < 0587de744615628c38e33ddc1601160a5ea8c50a (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < c78e463ee134b4669579d453c81ae00795e4c19a (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < 8a1128d604c360eca135f15b882b70256a522145 (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < 1aa9356881ee4ed414bf72d0c56d915492cb5345 (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < c038ba56b92e410d1caec22b2dc68780a0b42091 (git) Affected: b81ac4395bbeaf36e078dea1a48c02dd97b76235 , < eba2936bbe6b752a31725a9eb5c674ecbf21ee7d (git) Affected: e10735ce87502b07e171727e574afdd6c0890a08 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_uvc.c",
"drivers/usb/gadget/function/uvc.h",
"drivers/usb/gadget/function/uvc_v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c00ec409d7b2bce3fcac73188b79a141db7cfda",
"status": "affected",
"version": "1444e0568bc2c70868e7b8da5b46fc2252acc3f5",
"versionType": "git"
},
{
"lessThan": "d92d1532e05b1b31d36d48765e43bf73d793d19f",
"status": "affected",
"version": "4962e5a2f301d24953f17d6748d986e21566abe1",
"versionType": "git"
},
{
"lessThan": "0587de744615628c38e33ddc1601160a5ea8c50a",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"lessThan": "c78e463ee134b4669579d453c81ae00795e4c19a",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"lessThan": "8a1128d604c360eca135f15b882b70256a522145",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"lessThan": "1aa9356881ee4ed414bf72d0c56d915492cb5345",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"lessThan": "c038ba56b92e410d1caec22b2dc68780a0b42091",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"lessThan": "eba2936bbe6b752a31725a9eb5c674ecbf21ee7d",
"status": "affected",
"version": "b81ac4395bbeaf36e078dea1a48c02dd97b76235",
"versionType": "git"
},
{
"status": "affected",
"version": "e10735ce87502b07e171727e574afdd6c0890a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_uvc.c",
"drivers/usb/gadget/function/uvc.h",
"drivers/usb/gadget/function/uvc_v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix NULL pointer dereference during unbind race\n\nCommit b81ac4395bbe (\"usb: gadget: uvc: allow for application to cleanly\nshutdown\") introduced two stages of synchronization waits totaling 1500ms\nin uvc_function_unbind() to prevent several types of kernel panics.\nHowever, this timing-based approach is insufficient during power\nmanagement (PM) transitions.\n\nWhen the PM subsystem starts freezing user space processes, the\nwait_event_interruptible_timeout() is aborted early, which allows the\nunbind thread to proceed and nullify the gadget pointer\n(cdev-\u003egadget = NULL):\n\n[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()\n[ 814.178583][ T3173] PM: suspend entry (deep)\n[ 814.192487][ T3173] Freezing user space processes\n[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release\n\nWhen the PM subsystem resumes or aborts the suspend and tasks are\nrestarted, the V4L2 release path is executed and attempts to access the\nalready nullified gadget pointer, triggering a kernel panic:\n\n[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake\n[ 814.386727][ T3173] Restarting tasks ...\n[ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030\n[ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4\n[ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94\n[ 814.404078][ T4558] Call trace:\n[ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4\n[ 814.404083][ T4558] usb_function_deactivate+0x54/0x94\n[ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c\n[ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac\n[ 814.404095][ T4558] v4l2_release+0xcc/0x130\n\nAddress the race condition and NULL pointer dereference by:\n\n1. State Synchronization (flag + mutex)\nIntroduce a \u0027func_unbound\u0027 flag in struct uvc_device. This allows\nuvc_function_disconnect() to safely skip accessing the nullified\ncdev-\u003egadget pointer. As suggested by Alan Stern, this flag is protected\nby a new mutex (uvc-\u003elock) to ensure proper memory ordering and prevent\ninstruction reordering or speculative loads. This mutex is also used to\nprotect \u0027func_connected\u0027 for consistent state management.\n\n2. Explicit Synchronization (completion)\nUse a completion to synchronize uvc_function_unbind() with the\nuvc_vdev_release() callback. This prevents Use-After-Free (UAF) by\nensuring struct uvc_device is freed after all video device resources\nare released."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:26.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c00ec409d7b2bce3fcac73188b79a141db7cfda"
},
{
"url": "https://git.kernel.org/stable/c/d92d1532e05b1b31d36d48765e43bf73d793d19f"
},
{
"url": "https://git.kernel.org/stable/c/0587de744615628c38e33ddc1601160a5ea8c50a"
},
{
"url": "https://git.kernel.org/stable/c/c78e463ee134b4669579d453c81ae00795e4c19a"
},
{
"url": "https://git.kernel.org/stable/c/8a1128d604c360eca135f15b882b70256a522145"
},
{
"url": "https://git.kernel.org/stable/c/1aa9356881ee4ed414bf72d0c56d915492cb5345"
},
{
"url": "https://git.kernel.org/stable/c/c038ba56b92e410d1caec22b2dc68780a0b42091"
},
{
"url": "https://git.kernel.org/stable/c/eba2936bbe6b752a31725a9eb5c674ecbf21ee7d"
}
],
"title": "usb: gadget: uvc: fix NULL pointer dereference during unbind race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31726",
"datePublished": "2026-05-01T14:14:26.882Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-05-01T14:14:26.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31762 (GCVE-0-2026-31762)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
iio: gyro: mpu3050: Fix irq resource leak
Summary
In the Linux kernel, the following vulnerability has been resolved:

iio: gyro: mpu3050: Fix irq resource leak

The interrupt handler is setup but only a few lines down if
iio_trigger_register() fails the function returns without properly
releasing the handler.

Add cleanup goto to resolve resource leak.

Detected by Smatch:
drivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn:
'irq' from request_threaded_irq() not released on lines: 1124.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3904b28efb2c780c23dcddfb87e07fe0230661e5 , < beb23092571e627190f23da4bb8548065cacd89c
(git)
Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 658d9deb45d5032baf388ac51991d1e789157334 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 889253494ec73d60bd47c0518f8fe3a748520d5b (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 8f237c408f3007d7d9667623ffb41a9e9d661ee9 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < b52fd1644ad2c4e96bbec97543a966d7ad8f21ea (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 3a8e68d65a443de05061818823037931674740e0 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < e66215fc1878357d5c980066e650f542330524af (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 4216db1043a3be72ef9c2b7b9f393d7fa72496e6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "beb23092571e627190f23da4bb8548065cacd89c",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "658d9deb45d5032baf388ac51991d1e789157334",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "889253494ec73d60bd47c0518f8fe3a748520d5b",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "8f237c408f3007d7d9667623ffb41a9e9d661ee9",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "b52fd1644ad2c4e96bbec97543a966d7ad8f21ea",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "3a8e68d65a443de05061818823037931674740e0",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "e66215fc1878357d5c980066e650f542330524af",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "4216db1043a3be72ef9c2b7b9f393d7fa72496e6",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Fix irq resource leak\n\nThe interrupt handler is setup but only a few lines down if\niio_trigger_register() fails the function returns without properly\nreleasing the handler.\n\nAdd cleanup goto to resolve resource leak.\n\nDetected by Smatch:\ndrivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn:\n\u0027irq\u0027 from request_threaded_irq() not released on lines: 1124."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:53.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/beb23092571e627190f23da4bb8548065cacd89c"
},
{
"url": "https://git.kernel.org/stable/c/658d9deb45d5032baf388ac51991d1e789157334"
},
{
"url": "https://git.kernel.org/stable/c/889253494ec73d60bd47c0518f8fe3a748520d5b"
},
{
"url": "https://git.kernel.org/stable/c/8f237c408f3007d7d9667623ffb41a9e9d661ee9"
},
{
"url": "https://git.kernel.org/stable/c/b52fd1644ad2c4e96bbec97543a966d7ad8f21ea"
},
{
"url": "https://git.kernel.org/stable/c/3a8e68d65a443de05061818823037931674740e0"
},
{
"url": "https://git.kernel.org/stable/c/e66215fc1878357d5c980066e650f542330524af"
},
{
"url": "https://git.kernel.org/stable/c/4216db1043a3be72ef9c2b7b9f393d7fa72496e6"
}
],
"title": "iio: gyro: mpu3050: Fix irq resource leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31762",
"datePublished": "2026-05-01T14:14:53.891Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:53.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31540 (GCVE-0-2026-31540)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
drm/i915/gt: Check set_default_submission() before deferencing
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Check set_default_submission() before deferencing

When the i915 driver firmware binaries are not present, the
set_default_submission pointer is not set. This pointer is
dereferenced during suspend anyways.

Add a check to make sure it is set before dereferencing.
[ 23.289926] PM: suspend entry (deep)
[ 23.293558] Filesystems sync: 0.000 seconds
[ 23.298010] Freezing user space processes
[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
[ 23.309766] OOM killer disabled.
[ 23.313027] Freezing remaining freezable tasks
[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 23.342038] serial 00:05: disabled
[ 23.345719] serial 00:02: disabled
[ 23.349342] serial 00:01: disabled
[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[ 23.361635] ata1.00: Entering standby power mode
[ 23.368863] ata2.00: Entering standby power mode
[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 23.452194] #PF: supervisor instruction fetch in kernel mode
[ 23.457896] #PF: error_code(0x0010) - not-present page
[ 23.463065] PGD 0 P4D 0
[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[ 23.496511] Workqueue: async async_run_entry_fn
[ 23.501087] RIP: 0010:0x0
[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
[ 23.572539] PKRU: 55555554
[ 23.575281] Call Trace:
[ 23.577770] <TASK>
[ 23.579905] intel_engines_reset_default_submission+0x42/0x60
[ 23.585695] __intel_gt_unset_wedged+0x191/0x200
[ 23.590360] intel_gt_unset_wedged+0x20/0x40
[ 23.594675] gt_sanitize+0x15e/0x170
[ 23.598290] i915_gem_suspend_late+0x6b/0x180
[ 23.602692] i915_drm_suspend_late+0x35/0xf0
[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10
[ 23.611843] dpm_run_callback+0x78/0x1c0
[ 23.615817] device_suspend_late+0xde/0x2e0
[ 23.620037] async_suspend_late+0x18/0x30
[ 23.624082] async_run_entry_fn+0x25/0xa0
[ 23.628129] process_one_work+0x15b/0x380
[ 23.632182] worker_thread+0x2a5/0x3c0
[ 23.635973] ? __pfx_worker_thread+0x10/0x10
[ 23.640279] kthread+0xf6/0x1f0
[ 23.643464] ? __pfx_kthread+0x10/0x10
[ 23.647263] ? __pfx_kthread+0x10/0x10
[ 23.651045] ret_from_fork+0x131/0x190
[ 23.654837] ? __pfx_kthread+0x10/0x10
[ 23.658634] ret_from_fork_asm+0x1a/0x30
[ 23.662597] </TASK>
[ 23.664826] Modules linked in:
[ 23.667914] CR2: 0000000000000000
[ 23.671271] ------------[ cut here ]------------
(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < db8b1bebe81ffb410ddd746b6869f72e22420850 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < da6552d67012a1cf0585f2eb401d0c4abcf108c9 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < df1f4a7d9cf689b4e96c95255228896505f44c31 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < 2e20a886b443a71b573ceaed3ca7053d15380916 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < cf4b224ffb9a58181be32b64130fc36cf59c3192 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < 1a16150729db8d997e39519f9d58e6b435c4c087 (git) |
| Linux | Linux | Affected: ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f , < 0162ab3220bac870e43e229e6e3024d1a21c3f26 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db8b1bebe81ffb410ddd746b6869f72e22420850",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "da6552d67012a1cf0585f2eb401d0c4abcf108c9",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "df1f4a7d9cf689b4e96c95255228896505f44c31",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "2e20a886b443a71b573ceaed3ca7053d15380916",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "cf4b224ffb9a58181be32b64130fc36cf59c3192",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "1a16150729db8d997e39519f9d58e6b435c4c087",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
},
{
"lessThan": "0162ab3220bac870e43e229e6e3024d1a21c3f26",
"status": "affected",
"version": "ff44ad51ebf8e4693bd66ae41aa37a6bc88a134f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Check set_default_submission() before deferencing\n\nWhen the i915 driver firmware binaries are not present, the\nset_default_submission pointer is not set. This pointer is\ndereferenced during suspend anyways.\n\nAdd a check to make sure it is set before dereferencing.\n\n[ 23.289926] PM: suspend entry (deep)\n[ 23.293558] Filesystems sync: 0.000 seconds\n[ 23.298010] Freezing user space processes\n[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds)\n[ 23.309766] OOM killer disabled.\n[ 23.313027] Freezing remaining freezable tasks\n[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[ 23.342038] serial 00:05: disabled\n[ 23.345719] serial 00:02: disabled\n[ 23.349342] serial 00:01: disabled\n[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache\n[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache\n[ 23.361635] ata1.00: Entering standby power mode\n[ 23.368863] ata2.00: Entering standby power mode\n[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 23.452194] #PF: supervisor instruction fetch in kernel mode\n[ 23.457896] #PF: error_code(0x0010) - not-present page\n[ 23.463065] PGD 0 P4D 0\n[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI\n[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)\n[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[ 23.496511] Workqueue: async async_run_entry_fn\n[ 23.501087] RIP: 0010:0x0\n[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246\n[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f\n[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000\n[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff\n[ 23.537111] R10: 
0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8\n[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68\n[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000\n[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0\n[ 23.572539] PKRU: 55555554\n[ 23.575281] Call Trace:\n[ 23.577770] \u003cTASK\u003e\n[ 23.579905] intel_engines_reset_default_submission+0x42/0x60\n[ 23.585695] __intel_gt_unset_wedged+0x191/0x200\n[ 23.590360] intel_gt_unset_wedged+0x20/0x40\n[ 23.594675] gt_sanitize+0x15e/0x170\n[ 23.598290] i915_gem_suspend_late+0x6b/0x180\n[ 23.602692] i915_drm_suspend_late+0x35/0xf0\n[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10\n[ 23.611843] dpm_run_callback+0x78/0x1c0\n[ 23.615817] device_suspend_late+0xde/0x2e0\n[ 23.620037] async_suspend_late+0x18/0x30\n[ 23.624082] async_run_entry_fn+0x25/0xa0\n[ 23.628129] process_one_work+0x15b/0x380\n[ 23.632182] worker_thread+0x2a5/0x3c0\n[ 23.635973] ? __pfx_worker_thread+0x10/0x10\n[ 23.640279] kthread+0xf6/0x1f0\n[ 23.643464] ? __pfx_kthread+0x10/0x10\n[ 23.647263] ? __pfx_kthread+0x10/0x10\n[ 23.651045] ret_from_fork+0x131/0x190\n[ 23.654837] ? __pfx_kthread+0x10/0x10\n[ 23.658634] ret_from_fork_asm+0x1a/0x30\n[ 23.662597] \u003c/TASK\u003e\n[ 23.664826] Modules linked in:\n[ 23.667914] CR2: 0000000000000000\n[ 23.671271] ------------[ cut here ]------------\n\n(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:09.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db8b1bebe81ffb410ddd746b6869f72e22420850"
},
{
"url": "https://git.kernel.org/stable/c/da6552d67012a1cf0585f2eb401d0c4abcf108c9"
},
{
"url": "https://git.kernel.org/stable/c/df1f4a7d9cf689b4e96c95255228896505f44c31"
},
{
"url": "https://git.kernel.org/stable/c/2e20a886b443a71b573ceaed3ca7053d15380916"
},
{
"url": "https://git.kernel.org/stable/c/cf4b224ffb9a58181be32b64130fc36cf59c3192"
},
{
"url": "https://git.kernel.org/stable/c/1a16150729db8d997e39519f9d58e6b435c4c087"
},
{
"url": "https://git.kernel.org/stable/c/0162ab3220bac870e43e229e6e3024d1a21c3f26"
}
],
"title": "drm/i915/gt: Check set_default_submission() before deferencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31540",
"datePublished": "2026-04-24T14:33:09.705Z",
"dateReserved": "2026-03-09T15:48:24.114Z",
"dateUpdated": "2026-04-24T14:33:09.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23243 (GCVE-0-2026-23243)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02
Title
RDMA/umad: Reject negative data_len in ib_umad_write
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 1371ef6b1ecf3676b8942f5dfb3634fb0648128e (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 362e45fd9069ffa1523f9f1633b606ebf72060d7 (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 6eb2919474ca105c5b13d19574e25f0ddcf19ca2 (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 9c80d688f402539dfc8f336de1380d6b4ee14316 (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 205955f29c26330b1dc7fdeadd5bb97c38e26f56 (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b (git) |
| Linux | Linux | Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/user_mad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1371ef6b1ecf3676b8942f5dfb3634fb0648128e",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "362e45fd9069ffa1523f9f1633b606ebf72060d7",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "6eb2919474ca105c5b13d19574e25f0ddcf19ca2",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "9c80d688f402539dfc8f336de1380d6b4ee14316",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "205955f29c26330b1dc7fdeadd5bb97c38e26f56",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
},
{
"lessThan": "5551b02fdbfd85a325bb857f3a8f9c9f33397ed2",
"status": "affected",
"version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/user_mad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:59.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"
},
{
"url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"
},
{
"url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"
},
{
"url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"
},
{
"url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"
},
{
"url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"
},
{
"url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"
},
{
"url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"
}
],
"title": "RDMA/umad: Reject negative data_len in ib_umad_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23243",
"datePublished": "2026-03-18T10:05:05.826Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-04-13T06:02:59.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31485 (GCVE-0-2026-31485)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
spi: spi-fsl-lpspi: fix teardown order issue (UAF)
Summary
In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-lpspi: fix teardown order issue (UAF)

There is a teardown order issue in the driver. The SPI controller is
registered using devm_spi_register_controller(), which delays
unregistration of the SPI controller until after the fsl_lpspi_remove()
function returns.

As the fsl_lpspi_remove() function synchronously tears down the DMA
channels, a running SPI transfer triggers the following NULL pointer
dereference due to use after free:

| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
| spi_transfer_one_message+0x49c/0x7c8
| __spi_pump_transfer_message+0x120/0x420
| __spi_sync+0x2c4/0x520
| spi_sync+0x34/0x60
| spidev_message+0x20c/0x378 [spidev]
| spidev_ioctl+0x398/0x750 [spidev]
[...]

Switch from devm_spi_register_controller() to spi_register_controller() in
fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in
fsl_lpspi_remove().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6 (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < ca4483f36ac1b62e69f8b182c5b8f059e0abecfb (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < e3fd54f8b0317fbccc103961ddd660f2a32dcf0b (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < adb25339b66112393fd6892ceff926765feb5b86 (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < d5d01f24bc6fbde40b4e567ef9160194b61267bc (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3 (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < 15650dfbaeeb14bcaaf053b93cf631db8d465300 (git) |
| Linux | Linux | Affected: 5314987de5e5f5e38436ef4a69328bc472bbd63e , < b341c1176f2e001b3adf0b47154fc31589f7410e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-lpspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "ca4483f36ac1b62e69f8b182c5b8f059e0abecfb",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "e3fd54f8b0317fbccc103961ddd660f2a32dcf0b",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "adb25339b66112393fd6892ceff926765feb5b86",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "d5d01f24bc6fbde40b4e567ef9160194b61267bc",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "15650dfbaeeb14bcaaf053b93cf631db8d465300",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
},
{
"lessThan": "b341c1176f2e001b3adf0b47154fc31589f7410e",
"status": "affected",
"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-lpspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n| spi_transfer_one_message+0x49c/0x7c8\n| __spi_pump_transfer_message+0x120/0x420\n| __spi_sync+0x2c4/0x520\n| spi_sync+0x34/0x60\n| spidev_message+0x20c/0x378 [spidev]\n| spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:10.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"
},
{
"url": "https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb"
},
{
"url": "https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b"
},
{
"url": "https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86"
},
{
"url": "https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc"
},
{
"url": "https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3"
},
{
"url": "https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300"
},
{
"url": "https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e"
}
],
"title": "spi: spi-fsl-lpspi: fix teardown order issue (UAF)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31485",
"datePublished": "2026-04-22T13:54:10.892Z",
"dateReserved": "2026-03-09T15:48:24.101Z",
"dateUpdated": "2026-04-22T13:54:10.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31533 (GCVE-0-2026-31533)
Vulnerability from cvelistv5 – Published: 2026-04-23 15:11 – Updated: 2026-04-27 14:03
Title
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption

The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.

When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.

The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.

Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3ade391adc584f17b5570fd205de3ad029090368, < 414fc5e5a5aff776c150f1b86770e0a25a35df3a (git) |
| Linux | Linux | Affected: cd1bbca03f3c1d845ce274c0d0a66de8e5929f72, < 02f3ecadb23558bbe068e6504118f1b712d4ece0 (git) |
| Linux | Linux | Affected: 13eca403876bbea3716e82cdfe6f1e6febb38754, < 0e43e0a3c94044acc74b8e0927c27972eb5a59e8 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3, < aa9facde6c5005205874c37db3fd25799d741baf (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3, < 5d70eb25b41e9b010828cd12818b06a0c3b04412 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3, < 2694d408b0e595024e0fc1d64ff9db0358580f74 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3, < a9b8b18364fffce4c451e6f6fd218fa4ab646705 (git) |
| Linux | Linux | Affected: ab6397f072e5097f267abf5cb08a8004e6b17694 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "414fc5e5a5aff776c150f1b86770e0a25a35df3a",
"status": "affected",
"version": "3ade391adc584f17b5570fd205de3ad029090368",
"versionType": "git"
},
{
"lessThan": "02f3ecadb23558bbe068e6504118f1b712d4ece0",
"status": "affected",
"version": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72",
"versionType": "git"
},
{
"lessThan": "0e43e0a3c94044acc74b8e0927c27972eb5a59e8",
"status": "affected",
"version": "13eca403876bbea3716e82cdfe6f1e6febb38754",
"versionType": "git"
},
{
"lessThan": "aa9facde6c5005205874c37db3fd25799d741baf",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "5d70eb25b41e9b010828cd12818b06a0c3b04412",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "2694d408b0e595024e0fc1d64ff9db0358580f74",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "a9b8b18364fffce4c451e6f6fd218fa4ab646705",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"status": "affected",
"version": "ab6397f072e5097f267abf5cb08a8004e6b17694",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "6.1.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge-\u003eoffset, sge-\u003elength) and decrements\nctx-\u003eencrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:54.811Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a"
},
{
"url": "https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0"
},
{
"url": "https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8"
},
{
"url": "https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"
},
{
"url": "https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412"
},
{
"url": "https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74"
},
{
"url": "https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705"
}
],
"title": "net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31533",
"datePublished": "2026-04-23T15:11:06.955Z",
"dateReserved": "2026-03-09T15:48:24.113Z",
"dateUpdated": "2026-04-27T14:03:54.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31450 (GCVE-0-2026-31450)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
ext4: publish jinode after initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: publish jinode after initialization
ext4_inode_attach_jinode() publishes ei->jinode to concurrent users.
It used to set ei->jinode before jbd2_journal_init_jbd_inode(),
allowing a reader to observe a non-NULL jinode with i_vfs_inode
still unset.
The fast commit flush path can then pass this jinode to
jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and
may crash.
Below is the crash I observe:
```
BUG: unable to handle page fault for address: 000000010beb47f4
PGD 110e51067 P4D 110e51067 PUD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
RIP: 0010:xas_find_marked+0x3d/0x2e0
Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02
RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246
RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003
RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10
RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec
R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000
R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88
FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
filemap_get_folios_tag+0x87/0x2a0
__filemap_fdatawait_range+0x5f/0xd0
? srso_alias_return_thunk+0x5/0xfbef5
? __schedule+0x3e7/0x10c0
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
? cap_safe_nice+0x37/0x70
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
filemap_fdatawait_range_keep_errors+0x12/0x40
ext4_fc_commit+0x697/0x8b0
? ext4_file_write_iter+0x64b/0x950
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
? srso_alias_return_thunk+0x5/0xfbef5
? vfs_write+0x356/0x480
? srso_alias_return_thunk+0x5/0xfbef5
? preempt_count_sub+0x5f/0x80
ext4_sync_file+0xf7/0x370
do_fsync+0x3b/0x80
? syscall_trace_enter+0x108/0x1d0
__x64_sys_fdatasync+0x16/0x20
do_syscall_64+0x62/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
```
Fix this by initializing the jbd2_inode first.
Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after
initialization. Readers use READ_ONCE() to fetch the pointer.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < 2d2b648960147d078b000b9a7494017082024366 (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < e4325e84727e539c8597bd5b8491349f57f7fb17 (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < be54c0055407a73b60349c093c8ce621cb8fa232 (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < a070d5a872ffe0e0fe5c46eda6386140ded39adb (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < e76bcb727e4874a2f9d0297f8e3f8eced89b0764 (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < 4855a59e21789c79f003a9b5f4135c95a7495c6b (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < 33f486987af21531a7b18973d11795ede3da9ddd (git) |
| Linux | Linux | Affected: a361293f5fedea0016a10599f409631a15d47ee7, < 1aec30021edd410b986c156f195f3d23959a9d11 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c",
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d2b648960147d078b000b9a7494017082024366",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "e4325e84727e539c8597bd5b8491349f57f7fb17",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "be54c0055407a73b60349c093c8ce621cb8fa232",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "a070d5a872ffe0e0fe5c46eda6386140ded39adb",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "e76bcb727e4874a2f9d0297f8e3f8eced89b0764",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "4855a59e21789c79f003a9b5f4135c95a7495c6b",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "33f486987af21531a7b18973d11795ede3da9ddd",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
},
{
"lessThan": "1aec30021edd410b986c156f195f3d23959a9d11",
"status": "affected",
"version": "a361293f5fedea0016a10599f409631a15d47ee7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c",
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei-\u003ejinode to concurrent users.\nIt used to set ei-\u003ejinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode-\u003ei_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f \u003c49\u003e 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? 
preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei-\u003ejinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:16.086Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366"
},
{
"url": "https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17"
},
{
"url": "https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232"
},
{
"url": "https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb"
},
{
"url": "https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764"
},
{
"url": "https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b"
},
{
"url": "https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd"
},
{
"url": "https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11"
}
],
"title": "ext4: publish jinode after initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31450",
"datePublished": "2026-04-22T13:53:45.532Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:16.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31415 (GCVE-0-2026-31415)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-04-18 08:59
Title
ipv6: avoid overflows in ip6_datagram_send_ctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid overflows in ip6_datagram_send_ctl()
Yiming Qian reported :
<quote>
I believe I found a locally triggerable kernel bug in the IPv6 sendmsg
ancillary-data path that can panic the kernel via `skb_under_panic()`
(local DoS).
The core issue is a mismatch between:
- a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type
`__u16`) and
- a pointer to the *last* provided destination-options header (`opt->dst1opt`)
when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.
- `include/net/ipv6.h`:
- `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).
(lines 291-307, especially 298)
- `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:
- Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`
without rejecting duplicates. (lines 909-933)
- `net/ipv6/ip6_output.c:__ip6_append_data()`:
- Uses `opt->opt_flen + opt->opt_nflen` to compute header
sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)
- `net/ipv6/ip6_output.c:__ip6_make_skb()`:
- Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero.
(lines 1930-1934)
- `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:
- Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the
pointed-to header). (lines 1179-1185 and 1206-1211)
1. `opt_flen` is a 16-bit accumulator:
- `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.
2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs
and increments `opt_flen` each time:
- In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:
- It computes `len = ((hdr->hdrlen + 1) << 3);`
- It checks `CAP_NET_RAW` using `ns_capable(net->user_ns,
CAP_NET_RAW)`. (line 922)
- Then it does:
- `opt->opt_flen += len;` (line 927)
- `opt->dst1opt = hdr;` (line 928)
There is no duplicate rejection here (unlike the legacy
`IPV6_2292DSTOPTS` path which rejects duplicates at
`net/ipv6/datagram.c:901-904`).
If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps
while `dst1opt` still points to a large (2048-byte)
destination-options header.
In the attached PoC (`poc.c`):
- 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048`
- 1 cmsg with `hdrlen=0` => `len = 8`
- Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`
- The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.
3. The transmit path sizes headers using the wrapped `opt_flen`:
- In `net/ipv6/ip6_output.c:1463-1465`:
- `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +
opt->opt_nflen : 0) + ...;`
With wrapped `opt_flen`, `headersize`/headroom decisions underestimate
what will be pushed later.
4. When building the final skb, the actual push length comes from
`dst1opt` and is not limited by wrapped `opt_flen`:
- In `net/ipv6/ip6_output.c:1930-1934`:
- `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`
- In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes
`dst1opt` via `ipv6_push_exthdr()`.
- In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:
- `skb_push(skb, ipv6_optlen(opt));`
- `memcpy(h, opt, ipv6_optlen(opt));`
With insufficient headroom, `skb_push()` underflows and triggers
`skb_under_panic()` -> `BUG()`:
- `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)
- `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)
- The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target
netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`).
- Root (or any task with `CAP_NET_RAW`) can trigger this without user
namespaces.
- An unprivileged `uid=1000` user can trigger this if unprivileged
user namespaces are enabled and it can create a userns+netns to obtain
namespaced `CAP_NET_RAW` (the attached PoC does this).
- Local denial of service: kernel BUG/panic (system crash).
-
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 4082f9984a694829153115d28c956a3534f52f29 (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 5e4ee5dbea134e9257f205e31a96040bed71e83f (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 63fda74885555e6bd1623b5d811feec998740ba4 (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 9ed81d692758dfb9471d7799b24bfa7a08224c31 (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 872b74900d5daa37067ac676d9001bb929fc6a2a (git) |
| Linux | Linux | Affected: 333fad5364d6b457c8d837f7d05802d2aaf8a961, < 4e453375561fc60820e6b9d8ebeb6b3ee177d42e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/datagram.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "4082f9984a694829153115d28c956a3534f52f29",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "5e4ee5dbea134e9257f205e31a96040bed71e83f",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "63fda74885555e6bd1623b5d811feec998740ba4",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "9ed81d692758dfb9471d7799b24bfa7a08224c31",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "872b74900d5daa37067ac676d9001bb929fc6a2a",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
},
{
"lessThan": "4e453375561fc60820e6b9d8ebeb6b3ee177d42e",
"status": "affected",
"version": "333fad5364d6b457c8d837f7d05802d2aaf8a961",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/datagram.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n\u003cquote\u003e\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\n - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\n CAP_NET_RAW)`. 
(line 922)\n - Then it does:\n - `opt-\u003eopt_flen += len;` (line 927)\n - `opt-\u003edst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\n opt-\u003eopt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. 
When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n - `skb_push(skb, ipv6_optlen(opt));`\n - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -\u003e `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:28.135Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a"
},
{
"url": "https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29"
},
{
"url": "https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f"
},
{
"url": "https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f"
},
{
"url": "https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4"
},
{
"url": "https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31"
},
{
"url": "https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a"
},
{
"url": "https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e"
}
],
"title": "ipv6: avoid overflows in ip6_datagram_send_ctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31415",
"datePublished": "2026-04-13T13:21:03.284Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-18T08:59:28.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31403 (GCVE-0-2026-31403)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-27 14:02
Title
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
Summary
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < 76740c28050dc6db2f5550f1325b00a11bbb3255 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < c7f406fb341d6747634b8b1fa5461656e5e56076 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < d1a19217995df9c7e4118f5a2820c5032fef2945 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < e3d77f935639e6ae4b381c80464c31df998d61f4 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < 6a8d70e2ad6aad2c345a5048edcb8168036f97d6 (git) |
| Linux | Linux | Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < e7fcf179b82d3a3730fd8615da01b087cc654d0b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76740c28050dc6db2f5550f1325b00a11bbb3255",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "c7f406fb341d6747634b8b1fa5461656e5e56076",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "d1a19217995df9c7e4118f5a2820c5032fef2945",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e3d77f935639e6ae4b381c80464c31df998d61f4",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "6a8d70e2ad6aad2c345a5048edcb8168036f97d6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e7fcf179b82d3a3730fd8615da01b087cc654d0b",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module\u0027s lifetime. exports_proc_open()\ncaptures the caller\u0027s current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:50.491Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"
},
{
"url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"
},
{
"url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"
},
{
"url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"
},
{
"url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"
},
{
"url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"
},
{
"url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"
}
],
"title": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31403",
"datePublished": "2026-04-03T15:16:06.444Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-04-27T14:02:50.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31552 (GCVE-0-2026-31552)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-27 14:04
Title
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
before skb_push"), wl1271_tx_allocate() and with it
wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
full. This causes the code to flush the buffer, put the skb back at the
head of the queue, and immediately retry the same skb in a tight while
loop.

Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
immediately with GFP_ATOMIC, this will result in an infinite loop and a
CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
the loop terminates.

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 88295a55fefe5414e64293638b6f7549646e58ed , < 980f793645540ca7a6318165cc12f49d5febeb99 (git) |
| Linux | Linux | Affected: cd89a4656c03f8db0c57350aaec69cd3cfaa3522 , < 12f9eef39e49716c763714bfda835a733d5f6dea (git) |
| Linux | Linux | Affected: 745a0810dbc96a0471e5f5e627ba1e978c3116d4 , < ceb46b40b021d21911ff8608ce4ed33c1264ad2f (git) |
| Linux | Linux | Affected: b167312390fdd461c81ead516f2b0b44e83a9edb , < a6dc74209462c4fe5a88718d2f3a5286886081c8 (git) |
| Linux | Linux | Affected: 71de0b6e04bbee5575caf9a1e4d424e7dcc50018 , < cfa64e2b3717be1da7c4c1aff7268a009e8c1610 (git) |
| Linux | Linux | Affected: 689a7980e4788e13e766763d53569fb78dea2513 , < 46c670ff1ff466e5eccb3940f726586473dc053c (git) |
| Linux | Linux | Affected: e75665dd096819b1184087ba5718bd93beafff51 , < f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c (git) |
| Linux | Linux | Affected: e75665dd096819b1184087ba5718bd93beafff51 , < deb353d9bb009638b7762cae2d0b6e8fdbb41a69 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "980f793645540ca7a6318165cc12f49d5febeb99",
"status": "affected",
"version": "88295a55fefe5414e64293638b6f7549646e58ed",
"versionType": "git"
},
{
"lessThan": "12f9eef39e49716c763714bfda835a733d5f6dea",
"status": "affected",
"version": "cd89a4656c03f8db0c57350aaec69cd3cfaa3522",
"versionType": "git"
},
{
"lessThan": "ceb46b40b021d21911ff8608ce4ed33c1264ad2f",
"status": "affected",
"version": "745a0810dbc96a0471e5f5e627ba1e978c3116d4",
"versionType": "git"
},
{
"lessThan": "a6dc74209462c4fe5a88718d2f3a5286886081c8",
"status": "affected",
"version": "b167312390fdd461c81ead516f2b0b44e83a9edb",
"versionType": "git"
},
{
"lessThan": "cfa64e2b3717be1da7c4c1aff7268a009e8c1610",
"status": "affected",
"version": "71de0b6e04bbee5575caf9a1e4d424e7dcc50018",
"versionType": "git"
},
{
"lessThan": "46c670ff1ff466e5eccb3940f726586473dc053c",
"status": "affected",
"version": "689a7980e4788e13e766763d53569fb78dea2513",
"versionType": "git"
},
{
"lessThan": "f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c",
"status": "affected",
"version": "e75665dd096819b1184087ba5718bd93beafff51",
"versionType": "git"
},
{
"lessThan": "deb353d9bb009638b7762cae2d0b6e8fdbb41a69",
"status": "affected",
"version": "e75665dd096819b1184087ba5718bd93beafff51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom\n\nSince upstream commit e75665dd0968 (\"wifi: wlcore: ensure skb headroom\nbefore skb_push\"), wl1271_tx_allocate() and with it\nwl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.\nHowever, in wlcore_tx_work_locked(), a return value of -EAGAIN from\nwl1271_prepare_tx_frame() is interpreted as the aggregation buffer being\nfull. This causes the code to flush the buffer, put the skb back at the\nhead of the queue, and immediately retry the same skb in a tight while\nloop.\n\nBecause wlcore_tx_work_locked() holds wl-\u003emutex, and the retry happens\nimmediately with GFP_ATOMIC, this will result in an infinite loop and a\nCPU soft lockup. Return -ENOMEM instead so the packet is dropped and\nthe loop terminates.\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:00.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/980f793645540ca7a6318165cc12f49d5febeb99"
},
{
"url": "https://git.kernel.org/stable/c/12f9eef39e49716c763714bfda835a733d5f6dea"
},
{
"url": "https://git.kernel.org/stable/c/ceb46b40b021d21911ff8608ce4ed33c1264ad2f"
},
{
"url": "https://git.kernel.org/stable/c/a6dc74209462c4fe5a88718d2f3a5286886081c8"
},
{
"url": "https://git.kernel.org/stable/c/cfa64e2b3717be1da7c4c1aff7268a009e8c1610"
},
{
"url": "https://git.kernel.org/stable/c/46c670ff1ff466e5eccb3940f726586473dc053c"
},
{
"url": "https://git.kernel.org/stable/c/f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c"
},
{
"url": "https://git.kernel.org/stable/c/deb353d9bb009638b7762cae2d0b6e8fdbb41a69"
}
],
"title": "wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31552",
"datePublished": "2026-04-24T14:33:19.065Z",
"dateReserved": "2026-03-09T15:48:24.115Z",
"dateUpdated": "2026-04-27T14:04:00.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31667 (GCVE-0-2026-31667)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
Input: uinput - fix circular locking dependency with ff-core
Summary
In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - fix circular locking dependency with ff-core

A lockdep circular locking dependency warning can be triggered
reproducibly when using a force-feedback gamepad with uinput (for
example, playing ELDEN RING under Wine with a Flydigi Vader 5
controller):

  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex

The cycle is caused by four lock acquisition paths:

1. ff upload: input_ff_upload() holds ff->mutex and calls
   uinput_dev_upload_effect() -> uinput_request_submit() ->
   uinput_request_send(), which acquires udev->mutex.

2. device create: uinput_ioctl_handler() holds udev->mutex and calls
   uinput_create_device() -> input_register_device(), which acquires
   input_mutex.

3. device register: input_register_device() holds input_mutex and
   calls kbd_connect() -> input_register_handle(), which acquires
   dev->mutex.

4. evdev release: evdev_release() calls input_flush_device() under
   dev->mutex, which calls input_ff_flush() acquiring ff->mutex.

Fix this by introducing a new state_lock spinlock to protect
udev->state and udev->dev access in uinput_request_send() instead of
acquiring udev->mutex. The function only needs to atomically check
device state and queue an input event into the ring buffer via
uinput_dev_event() -- both operations are safe under a spinlock
(ktime_get_ts64() and wake_up_interruptible() do not sleep). This
breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in
the lock ordering and cannot form cycles with mutexes.

To keep state transitions visible to uinput_request_send(), protect
writes to udev->state in uinput_create_device() and
uinput_destroy_device() with the same state_lock spinlock.

Additionally, move init_completion(&request->done) from
uinput_request_send() to uinput_request_submit() before
uinput_request_reserve_slot(). Once the slot is allocated,
uinput_flush_requests() may call complete() on it at any time from
the destroy path, so the completion must be initialised before the
request becomes visible.

Lock ordering after the fix:

  ff->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 71a9729f412e2c692a35c542e14b706fb342927f (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 271ee71a1917b89f6d73ec82dd091c33d92ee617 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 974f7b138c3a96dd5cd53d1b33409cd7b2229dc6 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 546c18a14924eb521fe168d916d7ce28f1e13c1d (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < a3d6c9c053c9c605651508569230ead633b13f76 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 1e09dfbb4f5d20ee111f92325a00f85778a5f328 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 1534661043c434b81cfde26b97a2fb2460329cf0 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede , < 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a9729f412e2c692a35c542e14b706fb342927f",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "271ee71a1917b89f6d73ec82dd091c33d92ee617",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "974f7b138c3a96dd5cd53d1b33409cd7b2229dc6",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "546c18a14924eb521fe168d916d7ce28f1e13c1d",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "a3d6c9c053c9c605651508569230ead633b13f76",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1e09dfbb4f5d20ee111f92325a00f85778a5f328",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1534661043c434b81cfde26b97a2fb2460329cf0",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "4cda78d6f8bf2b700529f2fbccb994c3e826d7c2",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff-\u003emutex -\u003e udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff-\u003emutex and calls\n uinput_dev_upload_effect() -\u003e uinput_request_submit() -\u003e\n uinput_request_send(), which acquires udev-\u003emutex.\n\n2. device create: uinput_ioctl_handler() holds udev-\u003emutex and calls\n uinput_create_device() -\u003e input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -\u003e input_register_handle(), which acquires\n dev-\u003emutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev-\u003emutex, which calls input_ff_flush() acquiring ff-\u003emutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev-\u003estate and udev-\u003edev access in uinput_request_send() instead of\nacquiring udev-\u003emutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). 
This\nbreaks the ff-\u003emutex -\u003e udev-\u003emutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev-\u003estate in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(\u0026request-\u003edone) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex (no back-edge)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:51.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f"
},
{
"url": "https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617"
},
{
"url": "https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6"
},
{
"url": "https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d"
},
{
"url": "https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"
},
{
"url": "https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328"
},
{
"url": "https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0"
},
{
"url": "https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2"
}
],
"title": "Input: uinput - fix circular locking dependency with ff-core",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31667",
"datePublished": "2026-04-24T14:45:15.937Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:51.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23296 (GCVE-0-2026-23296)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
scsi: core: Fix refcount leak for tagset_refcnt
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix refcount leak for tagset_refcnt
This leak will cause a hang when tearing down the SCSI host. For example,
iscsid hangs with the following call trace:
[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
#0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
#1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
#2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
#3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
#4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
#5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
#6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
#7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
#8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
#9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e274674714427dc578bb99db5b86e312d2b57f8",
"status": "affected",
"version": "f818708eeeae793e12dc39f8984ed7732048a7d9",
"versionType": "git"
},
{
"lessThan": "9f5e4abed9248448aa1b45b12ab0bea4d329b56a",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"lessThan": "7c01b680beaf4d3143866b062b8e770e8b237fb8",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"lessThan": "ec5c17c687b189dbc09dfdec11b669caa40bc395",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"lessThan": "944a333c8e4d42256556c1d2ebb6d773a33e0dcd",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"lessThan": "a03d96598d39fdf605d90731db3ef3b13fb8bdc8",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"lessThan": "1ac22c8eae81366101597d48360718dff9b9d980",
"status": "affected",
"version": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
"versionType": "git"
},
{
"status": "affected",
"version": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f",
"versionType": "git"
},
{
"status": "affected",
"version": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_scan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:44.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e274674714427dc578bb99db5b86e312d2b57f8"
},
{
"url": "https://git.kernel.org/stable/c/9f5e4abed9248448aa1b45b12ab0bea4d329b56a"
},
{
"url": "https://git.kernel.org/stable/c/7c01b680beaf4d3143866b062b8e770e8b237fb8"
},
{
"url": "https://git.kernel.org/stable/c/ec5c17c687b189dbc09dfdec11b669caa40bc395"
},
{
"url": "https://git.kernel.org/stable/c/944a333c8e4d42256556c1d2ebb6d773a33e0dcd"
},
{
"url": "https://git.kernel.org/stable/c/a03d96598d39fdf605d90731db3ef3b13fb8bdc8"
},
{
"url": "https://git.kernel.org/stable/c/1ac22c8eae81366101597d48360718dff9b9d980"
}
],
"title": "scsi: core: Fix refcount leak for tagset_refcnt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23296",
"datePublished": "2026-03-25T10:26:53.509Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:44.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31446 (GCVE-0-2026-31446)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
ext4: fix use-after-free in update_super_work when racing with umount
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in update_super_work when racing with umount
Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount
filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work
to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups
reads during unmount. However, this introduced a use-after-free because
update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which
accesses the kobject's kernfs_node after it has been freed by kobject_del()
in ext4_unregister_sysfs():
  update_super_work                  ext4_put_super
  -----------------                  --------------
                                     ext4_unregister_sysfs(sb)
                                       kobject_del(&sbi->s_kobj)
                                         __kobject_del()
                                           sysfs_remove_dir()
                                             kobj->sd = NULL
                                           sysfs_put(sd)
                                             kernfs_put()  // RCU free
  ext4_notify_error_sysfs(sbi)
    sysfs_notify(&sbi->s_kobj)
      kn = kobj->sd      // stale pointer
      kernfs_get(kn)     // UAF on freed kernfs_node
                                     ext4_journal_destroy()
                                       flush_work(&sbi->s_sb_upd_work)
Instead of reordering the teardown sequence, fix this by making
ext4_notify_error_sysfs() detect that sysfs has already been torn down
by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call
in that case. A dedicated mutex (s_error_notify_mutex) serializes
ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()
to prevent TOCTOU races where the kobject could be deleted between the
state_in_sysfs check and the sysfs_notify() call.
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/super.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8fe17a1b308c3d8c703ebfb049b325f844342c3",
"status": "affected",
"version": "52c3a04f9ec2a16a4204d6274db338cb8d5b2d74",
"versionType": "git"
},
{
"lessThan": "c4d829737329f2290dd41e290b7d75effdb2a7ff",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "9449f99ba04f5dd1c8423ad8a90b3651d7240d1d",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "034053378dd81837fd6c7a43b37ee2e58d4f0b4e",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "08b10e6f37fc533a759e9833af0692242e8b3f93",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"lessThan": "d15e4b0a418537aafa56b2cb80d44add83e83697",
"status": "affected",
"version": "b98535d091795a79336f520b0708457aacf55c67",
"versionType": "git"
},
{
"status": "affected",
"version": "585ef03c9e79672781f954daae730dfe24bf3a46",
"versionType": "git"
},
{
"status": "affected",
"version": "afe490e48d47df1b3f64012835c1bc2f075a8c8b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ext4.h",
"fs/ext4/super.c",
"fs/ext4/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -\u003e sysfs_notify() which\naccesses the kobject\u0027s kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(\u0026sbi-\u003es_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj-\u003esd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(\u0026sbi-\u003es_kobj)\n kn = kobj-\u003esd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(\u0026sbi-\u003es_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:11.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8fe17a1b308c3d8c703ebfb049b325f844342c3"
},
{
"url": "https://git.kernel.org/stable/c/c4d829737329f2290dd41e290b7d75effdb2a7ff"
},
{
"url": "https://git.kernel.org/stable/c/9449f99ba04f5dd1c8423ad8a90b3651d7240d1d"
},
{
"url": "https://git.kernel.org/stable/c/034053378dd81837fd6c7a43b37ee2e58d4f0b4e"
},
{
"url": "https://git.kernel.org/stable/c/c97e282f7bfd0c3554c63d289964a5ca6a1d2ffe"
},
{
"url": "https://git.kernel.org/stable/c/08b10e6f37fc533a759e9833af0692242e8b3f93"
},
{
"url": "https://git.kernel.org/stable/c/d15e4b0a418537aafa56b2cb80d44add83e83697"
}
],
"title": "ext4: fix use-after-free in update_super_work when racing with umount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31446",
"datePublished": "2026-04-22T13:53:42.751Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:11.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31747 (GCVE-0-2026-31747)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
comedi: me4000: Fix potential overrun of firmware buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: me4000: Fix potential overrun of firmware buffer
`me4000_xilinx_download()` loads the firmware that was requested by
`request_firmware()`. It is possible for it to overrun the source
buffer because it blindly trusts the file format. It reads a data
stream length from the first 4 bytes into variable `file_length` and
reads the data stream contents of length `file_length` from offset 16
onwards.
Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream. On failure, log an error and
return `-EINVAL`.
Note: The firmware loading was totally broken before commit ac584af59945
("staging: comedi: me4000: fix firmware downloading"), but that is the
most sensible target for this fix.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/me4000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ddfe6495c245226a30d8b36e2f4a7aa7712e8d6",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "64b24b713e1a3ea6624480594b4f8c2ff86502f2",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "f72b5567f7c117b46b4058dc6a0c7554f8565561",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "1603dd471f47762e9d1f52304edb3e49a7e62655",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "99f31aa98ab6e3805c455b65bcd01b3d48bdf1a5",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "eae19cab44204537f79146f15a51811b13227c38",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "de3f923ae7d91480ed3ecea1b1e1fc0dc25b597d",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
},
{
"lessThan": "3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7",
"status": "affected",
"version": "ac584af599452748187cf6d7865b1607c54ee443",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/me4000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me4000: Fix potential overrun of firmware buffer\n\n`me4000_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`. It is possible for it to overrun the source\nbuffer because it blindly trusts the file format. It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream. On failure, log an error and\nreturn `-EINVAL`.\n\nNote: The firmware loading was totally broken before commit ac584af59945\n(\"staging: comedi: me4000: fix firmware downloading\"), but that is the\nmost sensible target for this fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:40.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ddfe6495c245226a30d8b36e2f4a7aa7712e8d6"
},
{
"url": "https://git.kernel.org/stable/c/64b24b713e1a3ea6624480594b4f8c2ff86502f2"
},
{
"url": "https://git.kernel.org/stable/c/f72b5567f7c117b46b4058dc6a0c7554f8565561"
},
{
"url": "https://git.kernel.org/stable/c/1603dd471f47762e9d1f52304edb3e49a7e62655"
},
{
"url": "https://git.kernel.org/stable/c/99f31aa98ab6e3805c455b65bcd01b3d48bdf1a5"
},
{
"url": "https://git.kernel.org/stable/c/eae19cab44204537f79146f15a51811b13227c38"
},
{
"url": "https://git.kernel.org/stable/c/de3f923ae7d91480ed3ecea1b1e1fc0dc25b597d"
},
{
"url": "https://git.kernel.org/stable/c/3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7"
}
],
"title": "comedi: me4000: Fix potential overrun of firmware buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31747",
"datePublished": "2026-05-01T14:14:40.844Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-01T14:14:40.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31751 (GCVE-0-2026-31751)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-02 06:14
Title
comedi: dt2815: add hardware detection to prevent crash
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: dt2815: add hardware detection to prevent crash
The dt2815 driver crashes when attached to I/O ports without actual
hardware present. This occurs because syzkaller or users can attach
the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
When no hardware exists at the specified port, inb() operations return
0xff (floating bus), but outb() operations can trigger page faults due
to undefined behavior, especially under race conditions:
BUG: unable to handle page fault for address: 000000007fffff90
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
RIP: 0010:dt2815_attach+0x6e0/0x1110
Add hardware detection by reading the status register before attempting
any write operations. If the read returns 0xff, assume no hardware is
present and fail the attach with -ENODEV. This prevents crashes from
outb() operations on non-existent hardware.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/dt2815.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d63161837f1bf8810dbcd2a583c2bbf5ca6d733",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "d2a786efdb9971f2a647724625da5bbecc994dc9",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "0dcf33994b8dcf3db36530fb7e2cf9f89e5cbac3",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "d5d9df8b08d68d083ac57abc2c887dfb1f31af63",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "65c528fbeddd88478c210052f6c7b21be4973156",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "34c8b3a91bdfbe4573650b4cd750ef639101fdc5",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "34b13250c618d7441508c6ef369144aa8a9b9bfa",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
},
{
"lessThan": "93853512f565e625df2397f0d8050d6aafd7c3ad",
"status": "affected",
"version": "d6a929b7608ae157cef86d00cc580d1038f0b985",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/dt2815.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: dt2815: add hardware detection to prevent crash\n\nThe dt2815 driver crashes when attached to I/O ports without actual\nhardware present. This occurs because syzkaller or users can attach\nthe driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.\n\nWhen no hardware exists at the specified port, inb() operations return\n0xff (floating bus), but outb() operations can trigger page faults due\nto undefined behavior, especially under race conditions:\n\n BUG: unable to handle page fault for address: 000000007fffff90\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n RIP: 0010:dt2815_attach+0x6e0/0x1110\n\nAdd hardware detection by reading the status register before attempting\nany write operations. If the read returns 0xff, assume no hardware is\npresent and fail the attach with -ENODEV. This prevents crashes from\noutb() operations on non-existent hardware."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:23.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d63161837f1bf8810dbcd2a583c2bbf5ca6d733"
},
{
"url": "https://git.kernel.org/stable/c/d2a786efdb9971f2a647724625da5bbecc994dc9"
},
{
"url": "https://git.kernel.org/stable/c/0dcf33994b8dcf3db36530fb7e2cf9f89e5cbac3"
},
{
"url": "https://git.kernel.org/stable/c/d5d9df8b08d68d083ac57abc2c887dfb1f31af63"
},
{
"url": "https://git.kernel.org/stable/c/65c528fbeddd88478c210052f6c7b21be4973156"
},
{
"url": "https://git.kernel.org/stable/c/34c8b3a91bdfbe4573650b4cd750ef639101fdc5"
},
{
"url": "https://git.kernel.org/stable/c/34b13250c618d7441508c6ef369144aa8a9b9bfa"
},
{
"url": "https://git.kernel.org/stable/c/93853512f565e625df2397f0d8050d6aafd7c3ad"
}
],
"title": "comedi: dt2815: add hardware detection to prevent crash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31751",
"datePublished": "2026-05-01T14:14:43.551Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-02T06:14:23.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31756 (GCVE-0-2026-31756)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.
However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
  causing a deadlock when spin_lock_irqsave() is called later in the
  same function.
Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5cb3cb3db317c58d50b68f3ca3bb8343ea9d1acd, < e9fcca3e87463013d595c65c2189ffaa32ad3b50 (git) |
| Linux | Linux | Affected: 1ac826cebc2776f91569f2aa9c9c3da2375d2096, < 8ffe31acb3b77a30ae34d01719a269881569fb7f (git) |
| Linux | Linux | Affected: 41732f9febdccb4f9b87c13cb915d717d68ccafd, < beab10429439e20708036a66fb0d97ffb79da6a1 (git) |
| Linux | Linux | Affected: ba78c2b3254c4a458c01776612e8a573e12f8d26, < 4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4 (git) |
| Linux | Linux | Affected: af076a41f8a28faf9ceb9dd2d88aef2c202ef39a, < 61937f686290494998236c680ce0836b8dd63a3f (git) |
| Linux | Linux | Affected: af076a41f8a28faf9ceb9dd2d88aef2c202ef39a, < 51b62286fc668c6eb74dee7624ec0beec3c5a0ed (git) |
| Linux | Linux | Affected: af076a41f8a28faf9ceb9dd2d88aef2c202ef39a, < 9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a (git) |
| Linux | Linux | Affected: b39c203690fa1678daecc60f347e43c8b593b969 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc2/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e9fcca3e87463013d595c65c2189ffaa32ad3b50",
"status": "affected",
"version": "5cb3cb3db317c58d50b68f3ca3bb8343ea9d1acd",
"versionType": "git"
},
{
"lessThan": "8ffe31acb3b77a30ae34d01719a269881569fb7f",
"status": "affected",
"version": "1ac826cebc2776f91569f2aa9c9c3da2375d2096",
"versionType": "git"
},
{
"lessThan": "beab10429439e20708036a66fb0d97ffb79da6a1",
"status": "affected",
"version": "41732f9febdccb4f9b87c13cb915d717d68ccafd",
"versionType": "git"
},
{
"lessThan": "4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4",
"status": "affected",
"version": "ba78c2b3254c4a458c01776612e8a573e12f8d26",
"versionType": "git"
},
{
"lessThan": "61937f686290494998236c680ce0836b8dd63a3f",
"status": "affected",
"version": "af076a41f8a28faf9ceb9dd2d88aef2c202ef39a",
"versionType": "git"
},
{
"lessThan": "51b62286fc668c6eb74dee7624ec0beec3c5a0ed",
"status": "affected",
"version": "af076a41f8a28faf9ceb9dd2d88aef2c202ef39a",
"versionType": "git"
},
{
"lessThan": "9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a",
"status": "affected",
"version": "af076a41f8a28faf9ceb9dd2d88aef2c202ef39a",
"versionType": "git"
},
{
"status": "affected",
"version": "b39c203690fa1678daecc60f347e43c8b593b969",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc2/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.187",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.6.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.12.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()\n\ndwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,\nwhich expects hsotg-\u003elock to be held since it does spin_unlock/spin_lock\naround the gadget driver callback invocation.\n\nHowever, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()\nwithout holding the lock. This leads to:\n - spin_unlock on a lock that is not held (undefined behavior)\n - The lock remaining held after dwc2_gadget_exit_clock_gating() returns,\n causing a deadlock when spin_lock_irqsave() is called later in the\n same function.\n\nFix this by acquiring hsotg-\u003elock before calling\ndwc2_gadget_exit_clock_gating() and releasing it afterwards, which\nsatisfies the locking requirement of the call_gadget() macro."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:47.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50"
},
{
"url": "https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f"
},
{
"url": "https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1"
},
{
"url": "https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4"
},
{
"url": "https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f"
},
{
"url": "https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed"
},
{
"url": "https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a"
}
],
"title": "usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31756",
"datePublished": "2026-05-01T14:14:47.000Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:47.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31779 (GCVE-0-2026-31779)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:45
Title
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
The memcpy function assumes the dynamic array notif->matches is at least
as large as the number of bytes to copy. Otherwise, results->matches may
contain unwanted data. To guarantee safety, extend the validation in one
of the checks to ensure sufficient packet length.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < f6abac936a0dfd31d6c3e49205ec0ee75a8f887f (git) |
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < ffbed27ba15ef80d1c622eeedbfef03e501ae134 (git) |
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < e67d8c626ace80b0fa2b48c8ec0a46b508c93442 (git) |
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < dd90880eb5ec5442b37eb2b95688f4a63f4883e3 (git) |
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2 (git) |
| Linux | Linux | Affected: 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c, < 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/d3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6abac936a0dfd31d6c3e49205ec0ee75a8f887f",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
},
{
"lessThan": "ffbed27ba15ef80d1c622eeedbfef03e501ae134",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
},
{
"lessThan": "e67d8c626ace80b0fa2b48c8ec0a46b508c93442",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
},
{
"lessThan": "dd90880eb5ec5442b37eb2b95688f4a63f4883e3",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
},
{
"lessThan": "ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
},
{
"lessThan": "744fabc338e87b95c4d1ff7c95bc8c0f834c6d99",
"status": "affected",
"version": "5ac54afd4d97ad8d94fe250c83b1924eb6d2268c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mvm/d3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()\n\nThe memcpy function assumes the dynamic array notif-\u003ematches is at least\nas large as the number of bytes to copy. Otherwise, results-\u003ematches may\ncontain unwanted data. To guarantee safety, extend the validation in one\nof the checks to ensure sufficient packet length.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:56.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6abac936a0dfd31d6c3e49205ec0ee75a8f887f"
},
{
"url": "https://git.kernel.org/stable/c/ffbed27ba15ef80d1c622eeedbfef03e501ae134"
},
{
"url": "https://git.kernel.org/stable/c/e67d8c626ace80b0fa2b48c8ec0a46b508c93442"
},
{
"url": "https://git.kernel.org/stable/c/dd90880eb5ec5442b37eb2b95688f4a63f4883e3"
},
{
"url": "https://git.kernel.org/stable/c/ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2"
},
{
"url": "https://git.kernel.org/stable/c/744fabc338e87b95c4d1ff7c95bc8c0f834c6d99"
}
],
"title": "wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31779",
"datePublished": "2026-05-01T14:15:06.506Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-03T05:45:56.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31399 (GCVE-0-2026-31399)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-18 08:59
Title
nvdimm/bus: Fix potential use after free in asynchronous initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvdimm/bus: Fix potential use after free in asynchronous initialization
Dingisoul with KASAN reports a use after free if device_add() fails in
nd_async_device_register().
Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while
scheduling async init") correctly added a reference on the parent device
to be held until asynchronous initialization was complete. However, if
device_add() results in an allocation failure the ref count of the
device drops to 0 prior to the parent pointer being accessed. Thus
resulting in use after free.
The bug bot AI correctly identified the fix. Save a reference to the
parent pointer to be used to drop the parent reference regardless of the
outcome of device_add().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < 6fc36c2a925ceaba203eb13d75a8f0879a2c121b (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < a36cf138500e56f50db9f9a33222df6969b38326 (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < 9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < 2c638259ad750833fd46a0cf57672a618542d84c (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < a226e5b49e5fe8c98b14f8507de670189d191348 (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < 84af19855d1abdee3c9d57c0684e2868e391793c (git) |
| Linux | Linux | Affected: b6eae0f61db27748606cc00dafcfd1e2c032f0a5, < a8aec14230322ed8f1e8042b6d656c1631d41163 (git) |
| Linux | Linux | Affected: 8954771abdea5c34280870e35592c7226a816d95 (git) |
| Linux | Linux | Affected: 3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab (git) |
| Linux | Linux | Affected: 1490de2bb0836fc0631c04d0559fdf81545b672f (git) |
| Linux | Linux | Affected: e31a8418c8df7e6771414f99ed3d95ba8aca4e05 (git) |
| Linux | Linux | Affected: 4f1a55a4f990016406147cf3e0c9487bf83e50f0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6fc36c2a925ceaba203eb13d75a8f0879a2c121b",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "a36cf138500e56f50db9f9a33222df6969b38326",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "2c638259ad750833fd46a0cf57672a618542d84c",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "a226e5b49e5fe8c98b14f8507de670189d191348",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "84af19855d1abdee3c9d57c0684e2868e391793c",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"lessThan": "a8aec14230322ed8f1e8042b6d656c1631d41163",
"status": "affected",
"version": "b6eae0f61db27748606cc00dafcfd1e2c032f0a5",
"versionType": "git"
},
{
"status": "affected",
"version": "8954771abdea5c34280870e35592c7226a816d95",
"versionType": "git"
},
{
"status": "affected",
"version": "3e63a7f25cc85d3d3e174b9b0e3489ebb7eaf4ab",
"versionType": "git"
},
{
"status": "affected",
"version": "1490de2bb0836fc0631c04d0559fdf81545b672f",
"versionType": "git"
},
{
"status": "affected",
"version": "e31a8418c8df7e6771414f99ed3d95ba8aca4e05",
"versionType": "git"
},
{
"status": "affected",
"version": "4f1a55a4f990016406147cf3e0c9487bf83e50f0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.18.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm/bus: Fix potential use after free in asynchronous initialization\n\nDingisoul with KASAN reports a use after free if device_add() fails in\nnd_async_device_register().\n\nCommit b6eae0f61db2 (\"libnvdimm: Hold reference on parent while\nscheduling async init\") correctly added a reference on the parent device\nto be held until asynchronous initialization was complete. However, if\ndevice_add() results in an allocation failure the ref count of the\ndevice drops to 0 prior to the parent pointer being accessed. Thus\nresulting in use after free.\n\nThe bug bot AI correctly identified the fix. Save a reference to the\nparent pointer to be used to drop the parent reference regardless of the\noutcome of device_add()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:18.870Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fc36c2a925ceaba203eb13d75a8f0879a2c121b"
},
{
"url": "https://git.kernel.org/stable/c/a36cf138500e56f50db9f9a33222df6969b38326"
},
{
"url": "https://git.kernel.org/stable/c/9a0fb16ba5b372465a3a1ecd761c6fa911a4ab4d"
},
{
"url": "https://git.kernel.org/stable/c/e48bf8f1d2b12c1c5ba1f609edbd4cde5dadc20e"
},
{
"url": "https://git.kernel.org/stable/c/2c638259ad750833fd46a0cf57672a618542d84c"
},
{
"url": "https://git.kernel.org/stable/c/a226e5b49e5fe8c98b14f8507de670189d191348"
},
{
"url": "https://git.kernel.org/stable/c/84af19855d1abdee3c9d57c0684e2868e391793c"
},
{
"url": "https://git.kernel.org/stable/c/a8aec14230322ed8f1e8042b6d656c1631d41163"
}
],
"title": "nvdimm/bus: Fix potential use after free in asynchronous initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31399",
"datePublished": "2026-04-03T15:16:03.246Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-04-18T08:59:18.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31748 (GCVE-0-2026-31748)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
comedi: me_daq: Fix potential overrun of firmware buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: me_daq: Fix potential overrun of firmware buffer
`me2600_xilinx_download()` loads the firmware that was requested by
`request_firmware()`. It is possible for it to overrun the source
buffer because it blindly trusts the file format. It reads a data
stream length from the first 4 bytes into variable `file_length` and
reads the data stream contents of length `file_length` from offset 16
onwards. Although it checks that the supplied firmware is at least 16
bytes long, it does not check that it is long enough to contain the data
stream.
Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream. On failure, log an error and
return `-EINVAL`.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < 2fc25a4c2e055cd42ea39a1b42c89bfef70e0319 (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < 9f39fa07259eb342908e4aa0271dee038a8ce4f8 (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < f3f8ec00cfb8d8e826e30b1138a56355b88e9ba8 (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < c16ac4e173a05011437a2d868f70cc415339065a (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < 1bf8761eb59e94bf7b8c17b2a1ee48f14378b172 (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < a47ae40339c1048f519df33ff8840731720f57cb (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < c8c607a77aab783f2e38cc2e0f24aa6c8f6d200b (git) |
| Linux | Linux | Affected: 85acac61096f946a78cf0c4b65f7cebe580693b6, < cc797d4821c754c701d9714b58bea947e31dbbe0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/me_daq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fc25a4c2e055cd42ea39a1b42c89bfef70e0319",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "9f39fa07259eb342908e4aa0271dee038a8ce4f8",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "f3f8ec00cfb8d8e826e30b1138a56355b88e9ba8",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "c16ac4e173a05011437a2d868f70cc415339065a",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "1bf8761eb59e94bf7b8c17b2a1ee48f14378b172",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "a47ae40339c1048f519df33ff8840731720f57cb",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "c8c607a77aab783f2e38cc2e0f24aa6c8f6d200b",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
},
{
"lessThan": "cc797d4821c754c701d9714b58bea947e31dbbe0",
"status": "affected",
"version": "85acac61096f946a78cf0c4b65f7cebe580693b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/me_daq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me_daq: Fix potential overrun of firmware buffer\n\n`me2600_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`. It is possible for it to overrun the source\nbuffer because it blindly trusts the file format. It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards. Although it checks that the supplied firmware is at least 16\nbytes long, it does not check that it is long enough to contain the data\nstream.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream. On failure, log an error and\nreturn `-EINVAL`."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:41.545Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fc25a4c2e055cd42ea39a1b42c89bfef70e0319"
},
{
"url": "https://git.kernel.org/stable/c/9f39fa07259eb342908e4aa0271dee038a8ce4f8"
},
{
"url": "https://git.kernel.org/stable/c/f3f8ec00cfb8d8e826e30b1138a56355b88e9ba8"
},
{
"url": "https://git.kernel.org/stable/c/c16ac4e173a05011437a2d868f70cc415339065a"
},
{
"url": "https://git.kernel.org/stable/c/1bf8761eb59e94bf7b8c17b2a1ee48f14378b172"
},
{
"url": "https://git.kernel.org/stable/c/a47ae40339c1048f519df33ff8840731720f57cb"
},
{
"url": "https://git.kernel.org/stable/c/c8c607a77aab783f2e38cc2e0f24aa6c8f6d200b"
},
{
"url": "https://git.kernel.org/stable/c/cc797d4821c754c701d9714b58bea947e31dbbe0"
}
],
"title": "comedi: me_daq: Fix potential overrun of firmware buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31748",
"datePublished": "2026-05-01T14:14:41.545Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-01T14:14:41.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23245 (GCVE-0-2026-23245)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-18 08:57
Title
net/sched: act_gate: snapshot parameters with RCU on replace
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_gate: snapshot parameters with RCU on replace
The gate action can be replaced while the hrtimer callback or dump path is
walking the schedule list.
Convert the parameters to an RCU-protected snapshot and swap updates under
tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits
the entry list, preserve the existing schedule so the effective state is
unchanged.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
a51c328df3106663879645680609eb49b3ff6444 , < fc98fd8d214693be91253d9a88cdf8e5e143d124
(git)
Affected: a51c328df3106663879645680609eb49b3ff6444 , < 8b1251bbf0f10ac745ed74bad4d3b433caa1eeae (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < dfc314d7c767e350f78a46a8f8b134f80e8ad432 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 035d0d09d5ab3ed3e93d18cde2b562a6719eea23 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 04d75529dc0f9be78786162ebab7424af4644df2 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 58b162e318d0243ad2d7d92456c0873f2494c351 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 62413a9c3cb183afb9bb6e94dd68caf4e4145f4c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_gate.h",
"net/sched/act_gate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc98fd8d214693be91253d9a88cdf8e5e143d124",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "8b1251bbf0f10ac745ed74bad4d3b433caa1eeae",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "dfc314d7c767e350f78a46a8f8b134f80e8ad432",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "035d0d09d5ab3ed3e93d18cde2b562a6719eea23",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "04d75529dc0f9be78786162ebab7424af4644df2",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "58b162e318d0243ad2d7d92456c0873f2494c351",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
},
{
"lessThan": "62413a9c3cb183afb9bb6e94dd68caf4e4145f4c",
"status": "affected",
"version": "a51c328df3106663879645680609eb49b3ff6444",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_gate.h",
"net/sched/act_gate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:25.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc98fd8d214693be91253d9a88cdf8e5e143d124"
},
{
"url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"
},
{
"url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"
},
{
"url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"
},
{
"url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"
},
{
"url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"
},
{
"url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"
}
],
"title": "net/sched: act_gate: snapshot parameters with RCU on replace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23245",
"datePublished": "2026-03-18T10:05:07.406Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-04-18T08:57:25.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23420 (GCVE-0-2026-23420)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-04-18 08:58
Title
wifi: wlcore: Fix a locking bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Fix a locking bug
Make sure that wl->mutex is locked before it is unlocked. This has been
detected by the Clang thread-safety analyzer.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 4ae8faf31b24c78653f4433298ee52813a56967a
(git)
Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < fc404390a386404cf9822d4091ccae1f61efcbcd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 7ab511003c5ae3bf5364d7699a2e3ab1db513680 (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < aca4c9e4901b01b8b985993dc7df80bd1d1338bd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 5feeea59ed142e15c3284d0b1a364c6786bf3487 (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < fcef983ad88832f3aa83491a174c345de57afbbd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 1a1c28a08d74716f3f8e3a21c86b30d0ff13521a (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 72c6df8f284b3a49812ce2ac136727ace70acc7c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ae8faf31b24c78653f4433298ee52813a56967a",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "fc404390a386404cf9822d4091ccae1f61efcbcd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "7ab511003c5ae3bf5364d7699a2e3ab1db513680",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "aca4c9e4901b01b8b985993dc7df80bd1d1338bd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "5feeea59ed142e15c3284d0b1a364c6786bf3487",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "fcef983ad88832f3aa83491a174c345de57afbbd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "1a1c28a08d74716f3f8e3a21c86b30d0ff13521a",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "72c6df8f284b3a49812ce2ac136727ace70acc7c",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Fix a locking bug\n\nMake sure that wl-\u003emutex is locked before it is unlocked. This has been\ndetected by the Clang thread-safety analyzer."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:48.786Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ae8faf31b24c78653f4433298ee52813a56967a"
},
{
"url": "https://git.kernel.org/stable/c/fc404390a386404cf9822d4091ccae1f61efcbcd"
},
{
"url": "https://git.kernel.org/stable/c/7ab511003c5ae3bf5364d7699a2e3ab1db513680"
},
{
"url": "https://git.kernel.org/stable/c/aca4c9e4901b01b8b985993dc7df80bd1d1338bd"
},
{
"url": "https://git.kernel.org/stable/c/5feeea59ed142e15c3284d0b1a364c6786bf3487"
},
{
"url": "https://git.kernel.org/stable/c/fcef983ad88832f3aa83491a174c345de57afbbd"
},
{
"url": "https://git.kernel.org/stable/c/1a1c28a08d74716f3f8e3a21c86b30d0ff13521a"
},
{
"url": "https://git.kernel.org/stable/c/72c6df8f284b3a49812ce2ac136727ace70acc7c"
}
],
"title": "wifi: wlcore: Fix a locking bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23420",
"datePublished": "2026-04-03T13:24:29.681Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-18T08:58:48.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23414 (GCVE-0-2026-23414)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-27 14:02
Title
tls: Purge async_hold in tls_decrypt_async_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Purge async_hold in tls_decrypt_async_wait()
The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.
A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.
This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.
[pabeni@redhat.com: added leak comment]
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
9f83fd0c179e0f458e824e417f9d5ad53443f685 , < ac435be7c7613eb13a5a8ceb5182e10b50c9ce87
(git)
Affected: c61d4368197d65c4809d9271f3b85325a600586a , < 2dcf324855c34e7f934ce978aa19b645a8f3ee71 (git) Affected: 39dec4ea3daf77f684308576baf483b55ca7f160 , < 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 9f557c7eae127b44d2e863917dc986a4b6cb1269 (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < fd8037e1f18ca5336934d0e0e7e1a4fe097e749d (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 84a8335d8300576f1b377ae24abca1d9f197807f (git) Affected: 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac435be7c7613eb13a5a8ceb5182e10b50c9ce87",
"status": "affected",
"version": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"versionType": "git"
},
{
"lessThan": "2dcf324855c34e7f934ce978aa19b645a8f3ee71",
"status": "affected",
"version": "c61d4368197d65c4809d9271f3b85325a600586a",
"versionType": "git"
},
{
"lessThan": "6dc11e0bd0a5466bcc76d275c09e5537bd0597dd",
"status": "affected",
"version": "39dec4ea3daf77f684308576baf483b55ca7f160",
"versionType": "git"
},
{
"lessThan": "9f557c7eae127b44d2e863917dc986a4b6cb1269",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "fd8037e1f18ca5336934d0e0e7e1a4fe097e749d",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "84a8335d8300576f1b377ae24abca1d9f197807f",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(\u0026ctx-\u003easync_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg\u0027s drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:13.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87"
},
{
"url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71"
},
{
"url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd"
},
{
"url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269"
},
{
"url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d"
},
{
"url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f"
}
],
"title": "tls: Purge async_hold in tls_decrypt_async_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23414",
"datePublished": "2026-04-02T11:40:55.746Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-27T14:02:13.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23475 (GCVE-0-2026-23475)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-13 06:08
Title
spi: fix statistics allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fix statistics allocation
The controller per-cpu statistics is not allocated until after the
controller has been registered with driver core, which leaves a window
where accessing the sysfs attributes can trigger a NULL-pointer
dereference.
Fix this by moving the statistics allocation to controller allocation
while tying its lifetime to that of the controller (rather than using
implicit devres).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e
(git)
Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < f13100b1f5f111989f0750540a795fdef47492af (git) Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < df30056c78e8bead02d4be020199cabdbec0fef1 (git) Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 378b295f67102eef78cf2c28105f60ae1dab5cc1 (git) Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 118ce777d39f03cac99231196f820e4f998613a8 (git) Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < dee0774bbb2abb172e9069ce5ffef579b12b3ae9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "f13100b1f5f111989f0750540a795fdef47492af",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "df30056c78e8bead02d4be020199cabdbec0fef1",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "378b295f67102eef78cf2c28105f60ae1dab5cc1",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "118ce777d39f03cac99231196f820e4f998613a8",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "dee0774bbb2abb172e9069ce5ffef579b12b3ae9",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres)."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:08:12.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e"
},
{
"url": "https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492af"
},
{
"url": "https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1"
},
{
"url": "https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1"
},
{
"url": "https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8"
},
{
"url": "https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9"
}
],
"title": "spi: fix statistics allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23475",
"datePublished": "2026-04-03T15:15:54.211Z",
"dateReserved": "2026-01-13T15:37:46.022Z",
"dateUpdated": "2026-04-13T06:08:12.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31454 (GCVE-0-2026-31454)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
xfs: save ailp before dropping the AIL lock in push callbacks
Summary
In the Linux kernel, the following vulnerability has been resolved:

xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_dquot_item.c",
"fs/xfs/xfs_inode_item.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "edd1637d4e3911ab6c760f553f2040fe72f61a13",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "19437e4f7bb909afde832b39372aa2f3ce3cfd88",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "75669e987137f49c99ca44406bf0200d1892dd16",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "50f5f056807b7bed74f4f307f2ca0ed92f3e556d",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "4c7d50147316cf049462f327c4a3e9dc2b7f1dd0",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "394d70b86fae9fe865e7e6d9540b7696f73aa9b6",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_dquot_item.c",
"fs/xfs/xfs_inode_item.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: save ailp before dropping the AIL lock in push callbacks\n\nIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock\nis dropped to perform buffer IO. Once the cluster buffer no longer\nprotects the log item from reclaim, the log item may be freed by\nbackground reclaim or the dquot shrinker. The subsequent spin_lock()\ncall dereferences lip-\u003eli_ailp, which is a use-after-free.\n\nFix this by saving the ailp pointer in a local variable while the AIL\nlock is held and the log item is guaranteed to be valid."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:18.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/edd1637d4e3911ab6c760f553f2040fe72f61a13"
},
{
"url": "https://git.kernel.org/stable/c/19437e4f7bb909afde832b39372aa2f3ce3cfd88"
},
{
"url": "https://git.kernel.org/stable/c/6dbe17f19c290a72ce57d5abc70e1fad0c3e14e5"
},
{
"url": "https://git.kernel.org/stable/c/75669e987137f49c99ca44406bf0200d1892dd16"
},
{
"url": "https://git.kernel.org/stable/c/d8fc60bbaf5aea1604bf9f4ed565da6a1ac7a87d"
},
{
"url": "https://git.kernel.org/stable/c/50f5f056807b7bed74f4f307f2ca0ed92f3e556d"
},
{
"url": "https://git.kernel.org/stable/c/4c7d50147316cf049462f327c4a3e9dc2b7f1dd0"
},
{
"url": "https://git.kernel.org/stable/c/394d70b86fae9fe865e7e6d9540b7696f73aa9b6"
}
],
"title": "xfs: save ailp before dropping the AIL lock in push callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31454",
"datePublished": "2026-04-22T13:53:48.242Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:18.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31763 (GCVE-0-2026-31763)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
iio: gyro: mpu3050: Fix incorrect free_irq() variable
Summary
In the Linux kernel, the following vulnerability has been resolved:

iio: gyro: mpu3050: Fix incorrect free_irq() variable

The handler for the IRQ part of this driver is mpu3050->trig but,
in the teardown free_irq() is called with handler mpu3050.

Use correct IRQ handler when calling free_irq().
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11f7cd960f05b3f06747abfdc4e56dd0d8b8a157",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "fdbe4b5268cd41f9953d25a67d139e47cac34519",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "8001b42fbd5e510dced3a25665019982c99bc708",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "a09171d3f23e13bccd3dc34863186707c6301071",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "8631e755fc07b651b5d158cc3656ef76cc874068",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "ac1233397f4cfe55d71f6aa459b42c256c951531",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "2821f7b62c5b3633c4923c7e4f742380897cd511",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "edb11a1aef4011a4b7b22cc3c3396c6fe371f4a6",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Fix incorrect free_irq() variable\n\nThe handler for the IRQ part of this driver is mpu3050-\u003etrig but,\nin the teardown free_irq() is called with handler mpu3050.\n\nUse correct IRQ handler when calling free_irq()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:54.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11f7cd960f05b3f06747abfdc4e56dd0d8b8a157"
},
{
"url": "https://git.kernel.org/stable/c/fdbe4b5268cd41f9953d25a67d139e47cac34519"
},
{
"url": "https://git.kernel.org/stable/c/8001b42fbd5e510dced3a25665019982c99bc708"
},
{
"url": "https://git.kernel.org/stable/c/a09171d3f23e13bccd3dc34863186707c6301071"
},
{
"url": "https://git.kernel.org/stable/c/8631e755fc07b651b5d158cc3656ef76cc874068"
},
{
"url": "https://git.kernel.org/stable/c/ac1233397f4cfe55d71f6aa459b42c256c951531"
},
{
"url": "https://git.kernel.org/stable/c/2821f7b62c5b3633c4923c7e4f742380897cd511"
},
{
"url": "https://git.kernel.org/stable/c/edb11a1aef4011a4b7b22cc3c3396c6fe371f4a6"
}
],
"title": "iio: gyro: mpu3050: Fix incorrect free_irq() variable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31763",
"datePublished": "2026-05-01T14:14:54.557Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:54.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23279 (GCVE-0-2026-23279)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()

In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
at lines 1638 and 1642 without a prior NULL check:

    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);

The mesh_matches_local() check above only validates the Mesh ID,
Mesh Configuration, and Supported Rates IEs. It does not verify the
presence of the Mesh Channel Switch Parameters IE (element ID 118).
When a received CSA action frame omits that IE, ieee802_11_parse_elems()
leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
dereference causes a kernel NULL pointer dereference.

A remote mesh peer with an established peer link (PLINK_ESTAB) can
trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
that includes a matching Mesh ID and Mesh Configuration IE but omits the
Mesh Channel Switch Parameters IE. No authentication beyond the default
open mesh peering is required.

Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
    CR2: 0000000000000000

Fix by adding a NULL check for mesh_chansw_params_ie after
mesh_matches_local() returns, consistent with how other optional IEs
are guarded throughout the mesh code.

The bug has been present since v3.13 (released 2014-01-19).
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "753ad20dcbe36b67088c7770d8fc357d7cc43e08",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "f061336f072ab03fd29270ae61fede46bf8fd69d",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "22a9adea7e26d236406edc0ea00b54351dd56b9c",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "f5d8af683410a8c82e48b51291915bd612523d9a",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "cc6d5a3c0a854aeae00915fc5386570c86029c60",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "be8b82c567fda86f2cbb43b7208825125bb31421",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
},
{
"lessThan": "017c1792525064a723971f0216e6ef86a8c7af11",
"status": "affected",
"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems-\u003emesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh-\u003echsw_ttl = elems-\u003emesh_chansw_params_ie-\u003emesh_ttl;\n ...\n pre_value = le16_to_cpu(elems-\u003emesh_chansw_params_ie-\u003emesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems-\u003emesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:35.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08"
},
{
"url": "https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d"
},
{
"url": "https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"
},
{
"url": "https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"
},
{
"url": "https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"
},
{
"url": "https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"
},
{
"url": "https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"
},
{
"url": "https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"
}
],
"title": "wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23279",
"datePublished": "2026-03-25T10:26:39.994Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:35.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23370 (GCVE-0-2026-23370)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
Summary
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data

set_new_password() hex dumps the entire buffer, which contains plaintext
password data, including current and new passwords. Remove the hex dump
to avoid leaking credentials.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bbb420f202834363e1e25435e49db0a385c2232",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "d9e785bd62d2ac23cf29a75dcfea8c8087fd3870",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "411ba3cd837f7825c0e648e155bc505641f95854",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "0e6115c2f2facaed9593c16ad2e5accd487f5c52",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "5de34126fb2edf8ab7f25d677b132e92d8bf9ede",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "d78e74adc5cfff7afd9d03b9da8058a7e435f9bc",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
},
{
"lessThan": "d1a196e0a6dcddd03748468a0e9e3100790fc85c",
"status": "affected",
"version": "e8a60aa7404bfef37705da5607c97737073ac38d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Don\u0027t hex dump plaintext password data\n\nset_new_password() hex dumps the entire buffer, which contains plaintext\npassword data, including current and new passwords. Remove the hex dump\nto avoid leaking credentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:17.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bbb420f202834363e1e25435e49db0a385c2232"
},
{
"url": "https://git.kernel.org/stable/c/d9e785bd62d2ac23cf29a75dcfea8c8087fd3870"
},
{
"url": "https://git.kernel.org/stable/c/411ba3cd837f7825c0e648e155bc505641f95854"
},
{
"url": "https://git.kernel.org/stable/c/0e6115c2f2facaed9593c16ad2e5accd487f5c52"
},
{
"url": "https://git.kernel.org/stable/c/5de34126fb2edf8ab7f25d677b132e92d8bf9ede"
},
{
"url": "https://git.kernel.org/stable/c/d78e74adc5cfff7afd9d03b9da8058a7e435f9bc"
},
{
"url": "https://git.kernel.org/stable/c/d1a196e0a6dcddd03748468a0e9e3100790fc85c"
}
],
"title": "platform/x86: dell-wmi-sysman: Don\u0027t hex dump plaintext password data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23370",
"datePublished": "2026-03-25T10:27:51.370Z",
"dateReserved": "2026-01-13T15:37:46.003Z",
"dateUpdated": "2026-04-18T08:58:17.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31427 (GCVE-0-2026-31427)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faa6ea32797a1847790514ff0da1be1d09771580",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "82baeb871e8f04906bc886273fdf0209e1754eb3",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6e5e3c87b7e6212f1d8414fc2e4d158b01e12025",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "7edca70751b9bdb5b83eed53cde21eccf3c86147",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "01f34a80ac23ae90b1909b94b4ed05343a62f646",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "52fdda318ef2362fc5936385bcb8b3d0328ee629",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6a2b724460cb67caed500c508c2ae5cf012e4db4",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks-\u003esdp_session()\nwith \u0026rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:42.607Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"
},
{
"url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"
},
{
"url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"
},
{
"url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"
},
{
"url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"
},
{
"url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"
},
{
"url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"
},
{
"url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"
}
],
"title": "netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31427",
"datePublished": "2026-04-13T13:40:30.280Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:42.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71265 (GCVE-0-2025-71265)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02
Title
fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.
A malformed NTFS image can cause an infinite loop when an attribute header
indicates an empty run list, while directory entries reference it as
containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way
to represent an empty run list, and run_unpack() correctly handles this by
checking if evcn + 1 equals svcn and returning early without parsing any run
data. However, this creates a problem when there is metadata inconsistency,
where the attribute header claims to be empty (evcn=-1) but the caller
expects to read actual data. When run_unpack() immediately returns success
upon seeing this condition, it leaves the runs_tree uninitialized with
run->runs as a NULL. The calling function attr_load_runs_range() assumes
that a successful return means that the runs were loaded and sets clen to 0,
expecting the next run_lookup_entry() call to succeed. Because runs_tree
remains uninitialized, run_lookup_entry() continues to fail, and the loop
increments vcn by zero (vcn += 0), leading to an infinite loop.
This patch adds a retry counter to detect when run_lookup_entry() fails
consecutively after attr_load_runs_vcn(). If the run is still not found on
the second attempt, it indicates corrupted metadata and returns -EINVAL,
preventing the Denial-of-Service (DoS) vulnerability.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/attrib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f07a590616ff5f57f7c041d98e463fad9e9f763",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "a89bc96d5abd8a4a8d5d911884ea347efcdf460b",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "af839013c70a24779f9d1afb1575952009312d38",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "78b61f7eac37a63284774b147f38dd0be6cad43c",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "c0b43c45d45f59e7faad48675a50231a210c379b",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "3c3a6e951b9b53dab2ac460a655313cf04c4a10a",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
},
{
"lessThan": "4b90f16e4bb5607fb35e7802eb67874038da4640",
"status": "affected",
"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/attrib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an attribute header\nindicates an empty run list, while directory entries reference it as\ncontaining actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way\nto represent an empty run list, and run_unpack() correctly handles this by\nchecking if evcn + 1 equals svcn and returning early without parsing any run\ndata. However, this creates a problem when there is metadata inconsistency,\nwhere the attribute header claims to be empty (evcn=-1) but the caller\nexpects to read actual data. When run_unpack() immediately returns success\nupon seeing this condition, it leaves the runs_tree uninitialized with\nrun-\u003eruns as a NULL. The calling function attr_load_runs_range() assumes\nthat a successful return means that the runs were loaded and sets clen to 0,\nexpecting the next run_lookup_entry() call to succeed. Because runs_tree\nremains uninitialized, run_lookup_entry() continues to fail, and the loop\nincrements vcn by zero (vcn += 0), leading to an infinite loop.\n\nThis patch adds a retry counter to detect when run_lookup_entry() fails\nconsecutively after attr_load_runs_vcn(). If the run is still not found on\nthe second attempt, it indicates corrupted metadata and returns -EINVAL,\npreventing the Denial-of-Service (DoS) vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:31.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f07a590616ff5f57f7c041d98e463fad9e9f763"
},
{
"url": "https://git.kernel.org/stable/c/a89bc96d5abd8a4a8d5d911884ea347efcdf460b"
},
{
"url": "https://git.kernel.org/stable/c/af839013c70a24779f9d1afb1575952009312d38"
},
{
"url": "https://git.kernel.org/stable/c/78b61f7eac37a63284774b147f38dd0be6cad43c"
},
{
"url": "https://git.kernel.org/stable/c/c0b43c45d45f59e7faad48675a50231a210c379b"
},
{
"url": "https://git.kernel.org/stable/c/3c3a6e951b9b53dab2ac460a655313cf04c4a10a"
},
{
"url": "https://git.kernel.org/stable/c/4b90f16e4bb5607fb35e7802eb67874038da4640"
}
],
"title": "fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71265",
"datePublished": "2026-03-18T10:05:01.779Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-04-13T06:02:31.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71269 (GCVE-0-2025-71269)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:40 – Updated: 2026-04-11 12:45
Title
btrfs: do not free data reservation in fallback from inline due to -ENOSPC
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not free data reservation in fallback from inline due to -ENOSPC
If we fail to create an inline extent due to -ENOSPC, we will attempt to
go through the normal COW path, reserve an extent, create an ordered
extent, etc. However we were always freeing the reserved qgroup data,
which is wrong since we will use data. Fix this by freeing the reserved
qgroup data in __cow_file_range_inline() only if we are not doing the
fallback (ret is <= 0).
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3edd1f6c7c520536b62b2904807033597554dbac",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "3a9fd45afadec1fbfec72057b9473d509fa8b68c",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "0a1fbbd780f04d1b6cf48dd327c866ba937de1c4",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "6de3a371a8b9fd095198b1aa68c22cc10a4c6961",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "f8da41de0bff9eb1d774a7253da0c9f637c4470a",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not free data reservation in fallback from inline due to -ENOSPC\n\nIf we fail to create an inline extent due to -ENOSPC, we will attempt to\ngo through the normal COW path, reserve an extent, create an ordered\nextent, etc. However we were always freeing the reserved qgroup data,\nwhich is wrong since we will use data. Fix this by freeing the reserved\nqgroup data in __cow_file_range_inline() only if we are not doing the\nfallback (ret is \u003c= 0)."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:43.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3edd1f6c7c520536b62b2904807033597554dbac"
},
{
"url": "https://git.kernel.org/stable/c/3a9fd45afadec1fbfec72057b9473d509fa8b68c"
},
{
"url": "https://git.kernel.org/stable/c/0a1fbbd780f04d1b6cf48dd327c866ba937de1c4"
},
{
"url": "https://git.kernel.org/stable/c/6de3a371a8b9fd095198b1aa68c22cc10a4c6961"
},
{
"url": "https://git.kernel.org/stable/c/f8da41de0bff9eb1d774a7253da0c9f637c4470a"
}
],
"title": "btrfs: do not free data reservation in fallback from inline due to -ENOSPC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71269",
"datePublished": "2026-03-18T17:40:58.949Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-04-11T12:45:43.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31411 (GCVE-0-2026-31411)
Vulnerability from cvelistv5 – Published: 2026-04-08 13:06 – Updated: 2026-04-13 06:08
Title
net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
Reproducer available at [1].
The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc
pointer from msg->vcc and uses it directly without any validation. This
pointer comes from userspace via sendmsg() and can be arbitrarily forged:
    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
    ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon
    struct msghdr msg = { .msg_iov = &iov, ... };
    *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer
    sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef
In normal operation, the kernel sends the vcc pointer to the signaling
daemon via sigd_enq() when processing operations like connect(), bind(),
or listen(). The daemon is expected to return the same pointer when
responding. However, a malicious daemon can send arbitrary pointer values.
Fix this by introducing find_get_vcc() which validates the pointer by
searching through vcc_hash (similar to how sigd_close() iterates over
all VCCs), and acquires a reference via sock_hold() if found.
Since struct atm_vcc embeds struct sock as its first member, they share
the same lifetime. Therefore using sock_hold/sock_put is sufficient to
keep the vcc alive while it is being used.
Note that there may be a race with sigd_close() which could mark the vcc
with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.
However, sock_hold() guarantees the memory remains valid, so this race
only affects the logical state, not memory safety.
[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/signaling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c96549d07dfdd51aadf0722cfb40711574424840",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c8bda3df028d5e54134077dcd09f46ca8cfceb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e3f80666c2739296c3b69a127300455c43aa1067",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21c303fec138c002f90ed33bce60e807d53072bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "69d3f9ee5489e6e8b66defcfa226e91d82393297",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "440c9a5fc477a8ee259d8bf669531250b8398651",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae88a5d2f29b69819dc7b04086734439d074a643",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/signaling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -\u003e vcc_sendmsg -\u003e sigd_send) reads the vcc\npointer from msg-\u003evcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = \u0026iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, \u0026msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:08:40.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840"
},
{
"url": "https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5"
},
{
"url": "https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2"
},
{
"url": "https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067"
},
{
"url": "https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb"
},
{
"url": "https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297"
},
{
"url": "https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651"
},
{
"url": "https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643"
}
],
"title": "net: atm: fix crash due to unvalidated vcc pointer in sigd_send()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31411",
"datePublished": "2026-04-08T13:06:17.800Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-13T06:08:40.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31503 (GCVE-0-2026-31503)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
udp: Fix wildcard bind conflict check when using hash2
Summary
In the Linux kernel, the following vulnerability has been resolved:

udp: Fix wildcard bind conflict check when using hash2

When binding a udp_sock to a local address and port, UDP uses
two hashes (udptable->hash and udptable->hash2) for collision
detection. The current code switches to "hash2" when
hslot->count > 10.

"hash2" is keyed by local address and local port.
"hash" is keyed by local port only.

The issue can be shown in the following bind sequence (pseudo code):

    bind(fd1, "[fd00::1]:8888")
    bind(fd2, "[fd00::2]:8888")
    bind(fd3, "[fd00::3]:8888")
    bind(fd4, "[fd00::4]:8888")
    bind(fd5, "[fd00::5]:8888")
    bind(fd6, "[fd00::6]:8888")
    bind(fd7, "[fd00::7]:8888")
    bind(fd8, "[fd00::8]:8888")
    bind(fd9, "[fd00::9]:8888")
    bind(fd10, "[fd00::10]:8888")

    /* Correctly return -EADDRINUSE because "hash" is used
     * instead of "hash2". udp_lib_lport_inuse() detects the
     * conflict.
     */
    bind(fail_fd, "[::]:8888")

    /* After one more socket is bound to "[fd00::11]:8888",
     * hslot->count exceeds 10 and "hash2" is used instead.
     */
    bind(fd11, "[fd00::11]:8888")
    bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */

The same issue applies to the IPv4 wildcard address "0.0.0.0"
and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For
example, if there are existing sockets bound to
"192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or
"[::ffff:0.0.0.0]:8888" can also miss the conflict when
hslot->count > 10.

TCP inet_csk_get_port() already has the correct check in
inet_use_bhash2_on_bind(). Rename it to
inet_use_hash2_on_bind() and move it to inet_hashtables.h
so udp.c can reuse it in this fix.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < d6ace0dbcbb7fd285738bb87b42b71b01858c952 (git) |
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < 2297e38114316b26ae02f2d205c49b5511c5ed55 (git) |
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < f1bed05a832ae79be5f7a105da56810eaa59a5f1 (git) |
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < 18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4 (git) |
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < 0a360f7f73a06ac88f18917055fbcc79694252d7 (git) |
| Linux | Linux | Affected: 30fff9231fad757c061285e347b33c5149c2c2e4 , < e537dd15d0d4ad989d56a1021290f0c674dd8b28 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_hashtables.h",
"net/ipv4/inet_connection_sock.c",
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6ace0dbcbb7fd285738bb87b42b71b01858c952",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "2297e38114316b26ae02f2d205c49b5511c5ed55",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "f1bed05a832ae79be5f7a105da56810eaa59a5f1",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "0a360f7f73a06ac88f18917055fbcc79694252d7",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
},
{
"lessThan": "e537dd15d0d4ad989d56a1021290f0c674dd8b28",
"status": "affected",
"version": "30fff9231fad757c061285e347b33c5149c2c2e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_hashtables.h",
"net/ipv4/inet_connection_sock.c",
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable-\u003ehash and udptable-\u003ehash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot-\u003ecount \u003e 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1, \"[fd00::1]:8888\")\nbind(fd2, \"[fd00::2]:8888\")\nbind(fd3, \"[fd00::3]:8888\")\nbind(fd4, \"[fd00::4]:8888\")\nbind(fd5, \"[fd00::5]:8888\")\nbind(fd6, \"[fd00::6]:8888\")\nbind(fd7, \"[fd00::7]:8888\")\nbind(fd8, \"[fd00::8]:8888\")\nbind(fd9, \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot-\u003ecount exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\") /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot-\u003ecount \u003e 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:23.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6ace0dbcbb7fd285738bb87b42b71b01858c952"
},
{
"url": "https://git.kernel.org/stable/c/2297e38114316b26ae02f2d205c49b5511c5ed55"
},
{
"url": "https://git.kernel.org/stable/c/f1bed05a832ae79be5f7a105da56810eaa59a5f1"
},
{
"url": "https://git.kernel.org/stable/c/18d84c45def3671d5c89fbdd5d4ab8a3217fe4b4"
},
{
"url": "https://git.kernel.org/stable/c/0a360f7f73a06ac88f18917055fbcc79694252d7"
},
{
"url": "https://git.kernel.org/stable/c/e537dd15d0d4ad989d56a1021290f0c674dd8b28"
}
],
"title": "udp: Fix wildcard bind conflict check when using hash2",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31503",
"datePublished": "2026-04-22T13:54:23.221Z",
"dateReserved": "2026-03-09T15:48:24.105Z",
"dateUpdated": "2026-04-22T13:54:23.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23392 (GCVE-0-2026-23392)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-13 06:06
Title
netfilter: nf_tables: release flowtable after rcu grace period on error
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.

This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().

There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d2632de96ccb066e0131ad1494241b9c281c60b8 (git) |
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < adee3436ccd29f1e514c028899e400cbc6d84065 (git) |
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < 7e3955b282eae20d61c75e499c75eade51c20060 (git) |
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < c8092edb9a11f20f95ccceeb9422b7dd0df337bd (git) |
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < e78a2dcc7cfb87b64a631441ca7681492b347ef6 (git) |
| Linux | Linux | Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d73f4b53aaaea4c95f245e491aa5eeb8a21874ce (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "7e3955b282eae20d61c75e499c75eade51c20060",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:06:29.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"
},
{
"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"
},
{
"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"
},
{
"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"
},
{
"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"
},
{
"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"
}
],
"title": "netfilter: nf_tables: release flowtable after rcu grace period on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23392",
"datePublished": "2026-03-25T10:33:16.647Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-13T06:06:29.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43023 (GCVE-0-2026-43023)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
Bluetooth: SCO: fix race conditions in sco_sock_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: fix race conditions in sco_sock_connect()

sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.

The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:

  Thread A (connect):    HCI disconnect:      Thread B (connect):

  sco_sock_connect(sk)                        sco_sock_connect(sk)
  sk_state==BT_OPEN                           sk_state==BT_OPEN
  (pass, no lock)                             (pass, no lock)
  sco_connect(sk):                            sco_connect(sk):
    hci_dev_lock                                hci_dev_lock
    hci_connect_sco                               <- blocked
      -> hcon1
    sco_conn_add->conn1
    lock_sock(sk)
    sco_chan_add:
      conn1->sk = sk
      sk->conn = conn1
    sk_state=BT_CONNECT
    release_sock
    hci_dev_unlock
                         hci_dev_lock
                         sco_conn_del:
                           lock_sock(sk)
                           sco_chan_del:
                             sk->conn=NULL
                             conn1->sk=NULL
                             sk_state=
                               BT_CLOSED
                             SOCK_ZAPPED
                           release_sock
                         hci_dev_unlock
                                                  (unblocked)
                                                hci_connect_sco
                                                  -> hcon2
                                                sco_conn_add
                                                  -> conn2
                                                lock_sock(sk)
                                                sco_chan_add:
                                                  sk->conn=conn2
                                                  sk_state=
                                                    BT_CONNECT
                                                  // zombie sk!
                                                release_sock
                                                hci_dev_unlock

Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.

Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
  sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
  return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
  to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
  double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
  HCI connection leaks
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 70a13b1e25fef37c87c8a1228ddb8900efbca7cf , < dabf22269242e2f2bf44c43fcdc2fa763df7f9cc (git) |
| Linux | Linux | Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0 (git) |
| Linux | Linux | Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 7e296ffdab5bdab718dff7c14288fdcb9154fa27 (git) |
| Linux | Linux | Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d (git) |
| Linux | Linux | Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < d002bd11024bd231bcb606877e33951ffb7bed14 (git) |
| Linux | Linux | Affected: 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3 , < 8a5b0135d4a5d9683203a3d9a12a711ccec5936b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dabf22269242e2f2bf44c43fcdc2fa763df7f9cc",
"status": "affected",
"version": "70a13b1e25fef37c87c8a1228ddb8900efbca7cf",
"versionType": "git"
},
{
"lessThan": "adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "7e296ffdab5bdab718dff7c14288fdcb9154fa27",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "d002bd11024bd231bcb606877e33951ffb7bed14",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
},
{
"lessThan": "8a5b0135d4a5d9683203a3d9a12a711ccec5936b",
"status": "affected",
"version": "9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.109",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n Thread A (connect): HCI disconnect: Thread B (connect):\n\n sco_sock_connect(sk) sco_sock_connect(sk)\n sk_state==BT_OPEN sk_state==BT_OPEN\n (pass, no lock) (pass, no lock)\n sco_connect(sk): sco_connect(sk):\n hci_dev_lock hci_dev_lock\n hci_connect_sco \u003c- blocked\n -\u003e hcon1\n sco_conn_add-\u003econn1\n lock_sock(sk)\n sco_chan_add:\n conn1-\u003esk = sk\n sk-\u003econn = conn1\n sk_state=BT_CONNECT\n release_sock\n hci_dev_unlock\n hci_dev_lock\n sco_conn_del:\n lock_sock(sk)\n sco_chan_del:\n sk-\u003econn=NULL\n conn1-\u003esk=NULL\n sk_state=\n BT_CLOSED\n SOCK_ZAPPED\n release_sock\n hci_dev_unlock\n (unblocked)\n hci_connect_sco\n -\u003e hcon2\n sco_conn_add\n -\u003e conn2\n lock_sock(sk)\n sco_chan_add:\n sk-\u003econn=conn2\n sk_state=\n BT_CONNECT\n // zombie sk!\n release_sock\n hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. 
Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n HCI connection leaks"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:08.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dabf22269242e2f2bf44c43fcdc2fa763df7f9cc"
},
{
"url": "https://git.kernel.org/stable/c/adb90cd0f9f7a8d438fcb93354040fbafc5ae2a0"
},
{
"url": "https://git.kernel.org/stable/c/7e296ffdab5bdab718dff7c14288fdcb9154fa27"
},
{
"url": "https://git.kernel.org/stable/c/98c8d3bfdaa657d8f472dbbebd7ea8cd816d8a8d"
},
{
"url": "https://git.kernel.org/stable/c/d002bd11024bd231bcb606877e33951ffb7bed14"
},
{
"url": "https://git.kernel.org/stable/c/8a5b0135d4a5d9683203a3d9a12a711ccec5936b"
}
],
"title": "Bluetooth: SCO: fix race conditions in sco_sock_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43023",
"datePublished": "2026-05-01T14:15:25.736Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-03T05:46:08.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43017 (GCVE-0-2026-43017)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
Bluetooth: MGMT: validate mesh send advertising payload length
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command
length, but it never verifies that the bytes supplied for the
flexible adv_data[] array actually match the embedded adv_data_len
field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a
truncated command can still pass the existing 20..50 byte range
check and later drive the async mesh send path past the end of the
queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but
validate adv_data_len explicitly and require the command length to
exactly match the flexible array size before queueing the request.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 24fa32369cf15d8fc918bdfe94097b12e6acada0 (git); Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 244b639e6a3a8e26241e201004a3a9f764476631 (git); Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 0b706fb2294aff3adfd54653bda1b5e356ad4566 (git); Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < edb5898cfa91afe7e8f83eda18d93034c953d632 (git); Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 562ed1954f0c1bff3422b7b752bd3dacf185edbf (git); Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < bda93eec78cdbfe5cda00785cefebd443e56b88b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24fa32369cf15d8fc918bdfe94097b12e6acada0",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "244b639e6a3a8e26241e201004a3a9f764476631",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "0b706fb2294aff3adfd54653bda1b5e356ad4566",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "edb5898cfa91afe7e8f83eda18d93034c953d632",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "562ed1954f0c1bff3422b7b752bd3dacf185edbf",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "bda93eec78cdbfe5cda00785cefebd443e56b88b",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:21.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24fa32369cf15d8fc918bdfe94097b12e6acada0"
},
{
"url": "https://git.kernel.org/stable/c/244b639e6a3a8e26241e201004a3a9f764476631"
},
{
"url": "https://git.kernel.org/stable/c/0b706fb2294aff3adfd54653bda1b5e356ad4566"
},
{
"url": "https://git.kernel.org/stable/c/edb5898cfa91afe7e8f83eda18d93034c953d632"
},
{
"url": "https://git.kernel.org/stable/c/562ed1954f0c1bff3422b7b752bd3dacf185edbf"
},
{
"url": "https://git.kernel.org/stable/c/bda93eec78cdbfe5cda00785cefebd443e56b88b"
}
],
"title": "Bluetooth: MGMT: validate mesh send advertising payload length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43017",
"datePublished": "2026-05-01T14:15:21.561Z",
"dateReserved": "2026-05-01T14:12:55.975Z",
"dateUpdated": "2026-05-01T14:15:21.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43032 (GCVE-0-2026-43032)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
NFC: pn533: bound the UART receive buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: pn533: bound the UART receive buffer
pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.
Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 8bedf1dd5640ac8997bff00bbefe241b438df397 (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 23e925183db26cd322597679669ad29d70ed2ada (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 3adca9be14bf36b927193f05f5aea35a1a90e913 (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 2c1fadd221b21d8038acfe6a0f56291881d5ff76 (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < f48ab6ee654ecc350434e4566bc785773f412b7e (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < ad2f60de5045bfb5d20ea468a97c8760c6a3a4f8 (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < cf2ff10183204349edfd6b972e189375fc5f1fb0 (git); Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 30fe3f5f6494f827d812ff179f295a8e532709d6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bedf1dd5640ac8997bff00bbefe241b438df397",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "23e925183db26cd322597679669ad29d70ed2ada",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "3adca9be14bf36b927193f05f5aea35a1a90e913",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "2c1fadd221b21d8038acfe6a0f56291881d5ff76",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "f48ab6ee654ecc350434e4566bc785773f412b7e",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "ad2f60de5045bfb5d20ea468a97c8760c6a3a4f8",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "cf2ff10183204349edfd6b972e189375fc5f1fb0",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "30fe3f5f6494f827d812ff179f295a8e532709d6",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: pn533: bound the UART receive buffer\n\npn532_receive_buf() appends every incoming byte to dev-\u003erecv_skb and\nonly resets the buffer after pn532_uart_rx_is_frame() recognizes a\ncomplete frame. A continuous stream of bytes without a valid PN532 frame\nheader therefore keeps growing the skb until skb_put_u8() hits the tail\nlimit.\n\nDrop the accumulated partial frame once the fixed receive buffer is full\nso malformed UART traffic cannot grow the skb past\nPN532_UART_SKB_BUFF_LEN."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:31.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bedf1dd5640ac8997bff00bbefe241b438df397"
},
{
"url": "https://git.kernel.org/stable/c/23e925183db26cd322597679669ad29d70ed2ada"
},
{
"url": "https://git.kernel.org/stable/c/3adca9be14bf36b927193f05f5aea35a1a90e913"
},
{
"url": "https://git.kernel.org/stable/c/2c1fadd221b21d8038acfe6a0f56291881d5ff76"
},
{
"url": "https://git.kernel.org/stable/c/f48ab6ee654ecc350434e4566bc785773f412b7e"
},
{
"url": "https://git.kernel.org/stable/c/ad2f60de5045bfb5d20ea468a97c8760c6a3a4f8"
},
{
"url": "https://git.kernel.org/stable/c/cf2ff10183204349edfd6b972e189375fc5f1fb0"
},
{
"url": "https://git.kernel.org/stable/c/30fe3f5f6494f827d812ff179f295a8e532709d6"
}
],
"title": "NFC: pn533: bound the UART receive buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43032",
"datePublished": "2026-05-01T14:15:31.921Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-01T14:15:31.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23449 (GCVE-0-2026-23449)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
net/sched: teql: Fix double-free in teql_master_xmit
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: Fix double-free in teql_master_xmit
Whenever a TEQL device has a lockless Qdisc as root, qdisc_reset should
be called using the seq_lock to avoid racing with the datapath. Failure
to do so may cause crashes like the following:
[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
[ 238.029749][ T318]
[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 238.029910][ T318] Call Trace:
[ 238.029913][ T318] <TASK>
[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)
[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
...
[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)
[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)
[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)
...
[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)
[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
...
[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)
[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
...
[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:
[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)
[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)
[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)
[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)
[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
[ 238.081469][ T318]
[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:
[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)
[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
[ 238.085900][ T318] __kasan_slab_free (mm/
---truncated---
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < 4e8ebc4c18ea8213d28e6cb867d18fcc67daca21 (git); Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < 21c89a0a8de7eadad8d385645a95b3233f23130e (git); Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < afbc79a7770b230a9f24bd39271209d6b3682c5f (git); Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < e9c66d3e7d8557b3308e55c613aa07254fe97611 (git); Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < 4a233447b941db451ea5f5a0942cffd0f7f7eaae (git); Affected: 96009c7d500efdd5534e83b2e3eb2c58d4b137ae , < 66360460cab63c248ca5b1070a01c0c29133b960 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_generic.c",
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e8ebc4c18ea8213d28e6cb867d18fcc67daca21",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "21c89a0a8de7eadad8d385645a95b3233f23130e",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "afbc79a7770b230a9f24bd39271209d6b3682c5f",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "e9c66d3e7d8557b3308e55c613aa07254fe97611",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "4a233447b941db451ea5f5a0942cffd0f7f7eaae",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
},
{
"lessThan": "66360460cab63c248ca5b1070a01c0c29133b960",
"status": "affected",
"version": "96009c7d500efdd5534e83b2e3eb2c58d4b137ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_generic.c",
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[ 238.029749][ T318]\n[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 238.029910][ T318] Call Trace:\n[ 238.029913][ T318] \u003cTASK\u003e\n[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)\n[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)\n[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)\n...\n[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)\n[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[ 238.030039][ T318] ? 
srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)\n[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)\n[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)\n[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)\n[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[ 238.081469][ T318]\n[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:\n[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.085348][ T318] 
kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[ 238.085900][ T318] __kasan_slab_free (mm/\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:28.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e8ebc4c18ea8213d28e6cb867d18fcc67daca21"
},
{
"url": "https://git.kernel.org/stable/c/21c89a0a8de7eadad8d385645a95b3233f23130e"
},
{
"url": "https://git.kernel.org/stable/c/afbc79a7770b230a9f24bd39271209d6b3682c5f"
},
{
"url": "https://git.kernel.org/stable/c/e9c66d3e7d8557b3308e55c613aa07254fe97611"
},
{
"url": "https://git.kernel.org/stable/c/4a233447b941db451ea5f5a0942cffd0f7f7eaae"
},
{
"url": "https://git.kernel.org/stable/c/66360460cab63c248ca5b1070a01c0c29133b960"
}
],
"title": "net/sched: teql: Fix double-free in teql_master_xmit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23449",
"datePublished": "2026-04-03T15:15:32.150Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-27T14:02:28.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23378 (GCVE-0-2026-23378)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:06
Title
net/sched: act_ife: Fix metalist update behavior
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ife: Fix metalist update behavior
Whenever an ife action replace changes the metalist, instead of
replacing the old data on the metalist, the current ife code is appending
the new metadata. Aside from being inappropriate behavior, this may lead
to an unbounded addition of metadata to the metalist which might cause an
out of bounds error when running the encode op:
[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)
To solve this issue, fix the replace behavior by adding the metalist to
the ife rcu data structure.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < 56ade7ddea6ce605552341785d08e365c3f61861 (git); Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < 5b1449301ca070814d866990b46f48d3f39ea4ee (git); Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < 91a89d3bdc2f63d983adc13d1771631663c5dc1b (git); Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < cd888c3966672239f2e0707b846a5a936ac9038a (git); Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < 691866c4cca54dc4df762276b49e89b36e046947 (git); Affected: aa9fd9a325d51fa0b11153b03b8fefff569fa955 , < e2cedd400c3ec0302ffca2490e8751772906ac23 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_ife.h",
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56ade7ddea6ce605552341785d08e365c3f61861",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "5b1449301ca070814d866990b46f48d3f39ea4ee",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "91a89d3bdc2f63d983adc13d1771631663c5dc1b",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "cd888c3966672239f2e0707b846a5a936ac9038a",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "691866c4cca54dc4df762276b49e89b36e046947",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
},
{
"lessThan": "e2cedd400c3ec0302ffca2490e8751772906ac23",
"status": "affected",
"version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_ife.h",
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: Fix metalist update behavior\n\nWhenever an ife action replace changes the metalist, instead of\nreplacing the old data on the metalist, the current ife code is appending\nthe new metadata. Aside from being innapropriate behavior, this may lead\nto an unbounded addition of metadata to the metalist which might cause an\nout of bounds error when running the encode op:\n\n[ 138.423369][ C1] ==================================================================\n[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255\n[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)\n[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 138.425800][ C1] Call Trace:\n[ 138.425804][ C1] \u003cIRQ\u003e\n[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)\n[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))\n[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))\n[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))\n[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425893][ C1] ? 
ife_tlv_meta_encode (net/ife/ife.c:171)\n[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)\n[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))\n[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)\n[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)\n\nTo solve this issue, fix the replace behavior by adding the metalist to\nthe ife rcu data structure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:06:14.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56ade7ddea6ce605552341785d08e365c3f61861"
},
{
"url": "https://git.kernel.org/stable/c/5b1449301ca070814d866990b46f48d3f39ea4ee"
},
{
"url": "https://git.kernel.org/stable/c/91a89d3bdc2f63d983adc13d1771631663c5dc1b"
},
{
"url": "https://git.kernel.org/stable/c/cd888c3966672239f2e0707b846a5a936ac9038a"
},
{
"url": "https://git.kernel.org/stable/c/691866c4cca54dc4df762276b49e89b36e046947"
},
{
"url": "https://git.kernel.org/stable/c/e2cedd400c3ec0302ffca2490e8751772906ac23"
}
],
"title": "net/sched: act_ife: Fix metalist update behavior",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23378",
"datePublished": "2026-03-25T10:27:57.986Z",
"dateReserved": "2026-01-13T15:37:46.006Z",
"dateUpdated": "2026-04-13T06:06:14.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68206 (GCVE-0-2025-68206)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-04-18 08:57
Title
netfilter: nft_ct: add seqadj extension for natted connections
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes,
due to the need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode.
Example ruleset:
    table inet ftp_nat {
        ct helper ftp_helper {
            type "ftp" protocol tcp
            l3proto inet
        }
        chain prerouting {
            type filter hook prerouting priority 0; policy accept;
            tcp dport 21 ct state new ct helper set "ftp_helper"
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100; policy accept;
            tcp dport 21 dnat ip prefix to ip daddr map {
                192.168.100.1 : 192.168.13.2/32 }
        }
        chain postrouting {
            type nat hook postrouting priority 100 ; policy accept;
            tcp sport 21 snat ip prefix to ip saddr map {
                192.168.13.2 : 192.168.100.1/32 }
        }
    }
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.
Topology:
    +-------------------+     +----------------------------------+
    | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
    +-------------------+     +----------------------------------+
                                         |
                            +-----------------------+
                            | Client: 192.168.100.2 |
                            +-----------------------+
ftp nat changes do not work as expected in this case:
    Connected to 192.168.100.1.
    [..]
    ftp> epsv
    EPSV/EPRT on IPv4 off.
    ftp> ls
    227 Entering passive mode (192,168,100,1,209,129).
    421 Service not available, remote server has closed connection.
Kernel logs:
    Missing nfct_seqadj_ext_add() setup call
    WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
    [..]
     __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
     nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
     help+0x4d1/0x880 [nf_conntrack_ftp]
     nf_confirm+0x122/0x2e0 [nf_conntrack]
     nf_hook_slow+0x3c/0xb0
     ..
Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 83273af0b60c093ba0085c205864d8542e1b1653 (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < b19492c25eff04852e0cb58f9bb8238b6695ed2d (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4de80f0dc3868408dd7fe9817e507123c9dd8bb0 (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < b477ef7fa612fa45b6b3134d90d1eeb09396500a (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 (git) |
| Linux | Linux | Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 90918e3b6404c2a37837b8f11692471b4c512de2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83273af0b60c093ba0085c205864d8542e1b1653",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b19492c25eff04852e0cb58f9bb8238b6695ed2d",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4de80f0dc3868408dd7fe9817e507123c9dd8bb0",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "b477ef7fa612fa45b6b3134d90d1eeb09396500a",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "4ab2cd906e4e1a19ddbda6eb532851b0e9cda110",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "90918e3b6404c2a37837b8f11692471b4c512de2",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n ct helper ftp_helper {\n type \"ftp\" protocol tcp\n l3proto inet\n }\n\n chain prerouting {\n type filter hook prerouting priority 0; policy accept;\n tcp dport 21 ct state new ct helper set \"ftp_helper\"\n }\n}\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority -100; policy accept;\n tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n }\n\n chain postrouting {\n type nat hook postrouting priority 100 ; policy accept;\n tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+ +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+ +----------------------------------+\n |\n +-----------------------+\n | Client: 192.168.100.2 |\n +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n 
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:10.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653"
},
{
"url": "https://git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d"
},
{
"url": "https://git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0"
},
{
"url": "https://git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a"
},
{
"url": "https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110"
},
{
"url": "https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6"
},
{
"url": "https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2"
}
],
"title": "netfilter: nft_ct: add seqadj extension for natted connections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68206",
"datePublished": "2025-12-16T13:48:33.763Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2026-04-18T08:57:10.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43014 (GCVE-0-2026-43014)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net: macb: properly unregister fixed rate clocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: properly unregister fixed rate clocks
The additional resources allocated with clk_register_fixed_rate() need
to be released with clk_unregister_fixed_rate(), otherwise they are lost.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < 54c6f0e7682433abed0304ac2f5cb71a92d4b366 (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < 015aa24d3721a05b40935b8af78b49cadf616b8d (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < ec1be2ce0d94506f11b22066fd6dc5eb4341b14f (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < e1f6f47d6e60d51c3294e5b85787e9aee24c450e (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < e35dbfdb1b7710f04ff5c9972ea04971d823a22d (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < 5392a5174df4f5a2fad2f00e8c617394d0efe031 (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < 6ec567425c057fd850651ee09b31d059ef960e0f (git) |
| Linux | Linux | Affected: 83a77e9ec4150ee4acc635638f7dedd9da523a26 , < f0f367a4f459cc8118aadc43c6bba53c60d93f8d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54c6f0e7682433abed0304ac2f5cb71a92d4b366",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "015aa24d3721a05b40935b8af78b49cadf616b8d",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "ec1be2ce0d94506f11b22066fd6dc5eb4341b14f",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "e1f6f47d6e60d51c3294e5b85787e9aee24c450e",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "e35dbfdb1b7710f04ff5c9972ea04971d823a22d",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "5392a5174df4f5a2fad2f00e8c617394d0efe031",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "6ec567425c057fd850651ee09b31d059ef960e0f",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
},
{
"lessThan": "f0f367a4f459cc8118aadc43c6bba53c60d93f8d",
"status": "affected",
"version": "83a77e9ec4150ee4acc635638f7dedd9da523a26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: properly unregister fixed rate clocks\n\nThe additional resources allocated with clk_register_fixed_rate() need\nto be released with clk_unregister_fixed_rate(), otherwise they are lost."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:19.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54c6f0e7682433abed0304ac2f5cb71a92d4b366"
},
{
"url": "https://git.kernel.org/stable/c/015aa24d3721a05b40935b8af78b49cadf616b8d"
},
{
"url": "https://git.kernel.org/stable/c/ec1be2ce0d94506f11b22066fd6dc5eb4341b14f"
},
{
"url": "https://git.kernel.org/stable/c/e1f6f47d6e60d51c3294e5b85787e9aee24c450e"
},
{
"url": "https://git.kernel.org/stable/c/e35dbfdb1b7710f04ff5c9972ea04971d823a22d"
},
{
"url": "https://git.kernel.org/stable/c/5392a5174df4f5a2fad2f00e8c617394d0efe031"
},
{
"url": "https://git.kernel.org/stable/c/6ec567425c057fd850651ee09b31d059ef960e0f"
},
{
"url": "https://git.kernel.org/stable/c/f0f367a4f459cc8118aadc43c6bba53c60d93f8d"
}
],
"title": "net: macb: properly unregister fixed rate clocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43014",
"datePublished": "2026-05-01T14:15:19.571Z",
"dateReserved": "2026-05-01T14:12:55.974Z",
"dateUpdated": "2026-05-01T14:15:19.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23291 (GCVE-0-2026-23291)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
nfc: pn533: properly drop the usb interface reference on disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: properly drop the usb interface reference on disconnect
When the device is disconnected from the driver, there is a "dangling"
reference count on the usb interface that was grabbed in the probe
callback. Fix this up by properly dropping the reference after we are
done with it.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 6645b030b0c1fc5bf338bffb0044238f24b2f770 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 5be8aa2bcfb53158436182db8dee9d0b8e5901e6 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 7398d6570501edc55a50ece820f369ab3c1df2e7 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 7ff14eb070f0efecb2606f8d7aa01b77d188e886 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 00477cab053dc4816b99141d8fcca7a479cfebeb (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74 (git) |
| Linux | Linux | Affected: c46ee38620a2aa2b25b16bc9738ace80dbff76a4 , < 12133a483dfa832241fbbf09321109a0ea8a520e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6645b030b0c1fc5bf338bffb0044238f24b2f770",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "5be8aa2bcfb53158436182db8dee9d0b8e5901e6",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "7398d6570501edc55a50ece820f369ab3c1df2e7",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "7ff14eb070f0efecb2606f8d7aa01b77d188e886",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "00477cab053dc4816b99141d8fcca7a479cfebeb",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
},
{
"lessThan": "12133a483dfa832241fbbf09321109a0ea8a520e",
"status": "affected",
"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: properly drop the usb interface reference on disconnect\n\nWhen the device is disconnected from the driver, there is a \"dangling\"\nreference count on the usb interface that was grabbed in the probe\ncallback. Fix this up by properly dropping the reference after we are\ndone with it."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:42.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6645b030b0c1fc5bf338bffb0044238f24b2f770"
},
{
"url": "https://git.kernel.org/stable/c/5be8aa2bcfb53158436182db8dee9d0b8e5901e6"
},
{
"url": "https://git.kernel.org/stable/c/7398d6570501edc55a50ece820f369ab3c1df2e7"
},
{
"url": "https://git.kernel.org/stable/c/d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0"
},
{
"url": "https://git.kernel.org/stable/c/7ff14eb070f0efecb2606f8d7aa01b77d188e886"
},
{
"url": "https://git.kernel.org/stable/c/00477cab053dc4816b99141d8fcca7a479cfebeb"
},
{
"url": "https://git.kernel.org/stable/c/4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74"
},
{
"url": "https://git.kernel.org/stable/c/12133a483dfa832241fbbf09321109a0ea8a520e"
}
],
"title": "nfc: pn533: properly drop the usb interface reference on disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23291",
"datePublished": "2026-03-25T10:26:49.634Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:42.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31720 (GCVE-0-2026-31720)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-02 06:14
Title
usb: gadget: f_uac1_legacy: validate control request size
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack
variable:

    u32 data = 0;
    memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path,
which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the
supported control selectors and decode only the expected amount
of data.

This avoids copying a host-influenced length into a fixed-size
stack object.

Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 557d1d4e862eccd0b74cc377b66de3e1e8d49605 (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 21b11e8581285c6f10ef43d05df349d445f24273 (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 0d41772d98dcaf6c17e875b7d0ea0154ae1191ee (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < c6da4fed7537aec19880c24f6c3a95065adb1406 (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8 (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 8e5eb1d6e6a3d7bbea9c92132d0cda5793176426 (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 26304d124e7f0383f8fe1168b5801a0ac7e16b1c (git) |
| Linux | Linux | Affected: c6994e6f067cf0fc4c6cca3d164018b1150916f8, < 6e0e34d85cd46ceb37d16054e97a373a32770f6c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_uac1_legacy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "557d1d4e862eccd0b74cc377b66de3e1e8d49605",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "21b11e8581285c6f10ef43d05df349d445f24273",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "0d41772d98dcaf6c17e875b7d0ea0154ae1191ee",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "c6da4fed7537aec19880c24f6c3a95065adb1406",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "8e5eb1d6e6a3d7bbea9c92132d0cda5793176426",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "26304d124e7f0383f8fe1168b5801a0ac7e16b1c",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
},
{
"lessThan": "6e0e34d85cd46ceb37d16054e97a373a32770f6c",
"status": "affected",
"version": "c6994e6f067cf0fc4c6cca3d164018b1150916f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_uac1_legacy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_uac1_legacy: validate control request size\n\nf_audio_complete() copies req-\u003elength bytes into a 4-byte stack\nvariable:\n\n u32 data = 0;\n memcpy(\u0026data, req-\u003ebuf, req-\u003elength);\n\nreq-\u003elength is derived from the host-controlled USB request path,\nwhich can lead to a stack out-of-bounds write.\n\nValidate req-\u003eactual against the expected payload size for the\nsupported control selectors and decode only the expected amount\nof data.\n\nThis avoids copying a host-influenced length into a fixed-size\nstack object."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:21.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605"
},
{
"url": "https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273"
},
{
"url": "https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee"
},
{
"url": "https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406"
},
{
"url": "https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8"
},
{
"url": "https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426"
},
{
"url": "https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c"
},
{
"url": "https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c"
}
],
"title": "usb: gadget: f_uac1_legacy: validate control request size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31720",
"datePublished": "2026-05-01T14:14:22.832Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-05-02T06:14:21.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23340 (GCVE-0-2026-23340)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues,
netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush
qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with
qdisc_lock(). However, for lockless qdiscs, the dequeue path is
serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so
qdisc_reset() can run concurrently with __qdisc_run() and free skbs
while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy
traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
      ethtool -L eth0 combined 1
      ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
    <TASK>
    ...
    __qdisc_run+0x133f/0x1760
    __dev_queue_xmit+0x248f/0x3550
    ip_finish_output2+0xa42/0x2110
    ip_output+0x1a7/0x410
    ip_send_skb+0x2e6/0x480
    udp_send_skb+0xb0a/0x1590
    udp_sendmsg+0x13c9/0x1fc0
    ...
    </TASK>

    Allocated by task 1270 on cpu 5 at 44.558414s:
    ...
    alloc_skb_with_frags+0x84/0x7c0
    sock_alloc_send_pskb+0x69a/0x830
    __ip_append_data+0x1b86/0x48c0
    ip_make_skb+0x1e8/0x2b0
    udp_sendmsg+0x13a6/0x1fc0
    ...

    Freed by task 1306 on cpu 3 at 44.558445s:
    ...
    kmem_cache_free+0x117/0x5e0
    pfifo_fast_reset+0x14d/0x580
    qdisc_reset+0x9e/0x5f0
    netif_set_real_num_tx_queues+0x303/0x840
    virtnet_set_channels+0x1bf/0x260 [virtio_net]
    ethnl_set_channels+0x684/0xae0
    ethnl_default_set_doit+0x31a/0x890
    ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by
taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the
serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state
reflects an empty queue, avoiding needless re-scheduling.

Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < 5bb27ad54d12de67e457d7d251198e361bef835e (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < 7594467c49bfc2f4644dee0415ac2290db11fa0d (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750 (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < 5bc4e69306ed7ae02232eb4c0b23ed621a26d504 (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < 8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < c69df4e0524f8de8e176ba389acd83e85f5f49d0 (git) |
| Linux | Linux | Affected: 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7, < 7f083faf59d14c04e01ec05a7507f036c965acf8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5bb27ad54d12de67e457d7d251198e361bef835e",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "7594467c49bfc2f4644dee0415ac2290db11fa0d",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "5bc4e69306ed7ae02232eb4c0b23ed621a26d504",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "c69df4e0524f8de8e176ba389acd83e85f5f49d0",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
},
{
"lessThan": "7f083faf59d14c04e01ec05a7507f036c965acf8",
"status": "affected",
"version": "6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs\n\nWhen shrinking the number of real tx queues,\nnetif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush\nqdiscs for queues which will no longer be used.\n\nqdisc_reset_all_tx_gt() currently serializes qdisc_reset() with\nqdisc_lock(). However, for lockless qdiscs, the dequeue path is\nserialized by qdisc_run_begin/end() using qdisc-\u003eseqlock instead, so\nqdisc_reset() can run concurrently with __qdisc_run() and free skbs\nwhile they are still being dequeued, leading to UAF.\n\nThis can easily be reproduced on e.g. virtio-net by imposing heavy\ntraffic while frequently changing the number of queue pairs:\n\n iperf3 -ub0 -c $peer -t 0 \u0026\n while :; do\n ethtool -L eth0 combined 1\n ethtool -L eth0 combined 2\n done\n\nWith KASAN enabled, this leads to reports like:\n\n BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n __qdisc_run+0x133f/0x1760\n __dev_queue_xmit+0x248f/0x3550\n ip_finish_output2+0xa42/0x2110\n ip_output+0x1a7/0x410\n ip_send_skb+0x2e6/0x480\n udp_send_skb+0xb0a/0x1590\n udp_sendmsg+0x13c9/0x1fc0\n ...\n \u003c/TASK\u003e\n\n Allocated by task 1270 on cpu 5 at 44.558414s:\n ...\n alloc_skb_with_frags+0x84/0x7c0\n sock_alloc_send_pskb+0x69a/0x830\n __ip_append_data+0x1b86/0x48c0\n ip_make_skb+0x1e8/0x2b0\n udp_sendmsg+0x13a6/0x1fc0\n ...\n\n Freed by task 1306 on cpu 3 at 44.558445s:\n ...\n kmem_cache_free+0x117/0x5e0\n pfifo_fast_reset+0x14d/0x580\n qdisc_reset+0x9e/0x5f0\n netif_set_real_num_tx_queues+0x303/0x840\n virtnet_set_channels+0x1bf/0x260 [virtio_net]\n ethnl_set_channels+0x684/0xae0\n ethnl_default_set_doit+0x31a/0x890\n ...\n\nSerialize qdisc_reset_all_tx_gt() against the lockless dequeue path by\ntaking qdisc-\u003eseqlock for TCQ_F_NOLOCK qdiscs, matching the\nserialization model already used by dev_reset_queue().\n\nAdditionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state\nreflects an empty queue, avoiding needless re-scheduling."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:04.016Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5bb27ad54d12de67e457d7d251198e361bef835e"
},
{
"url": "https://git.kernel.org/stable/c/7594467c49bfc2f4644dee0415ac2290db11fa0d"
},
{
"url": "https://git.kernel.org/stable/c/dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750"
},
{
"url": "https://git.kernel.org/stable/c/5bc4e69306ed7ae02232eb4c0b23ed621a26d504"
},
{
"url": "https://git.kernel.org/stable/c/8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb"
},
{
"url": "https://git.kernel.org/stable/c/c69df4e0524f8de8e176ba389acd83e85f5f49d0"
},
{
"url": "https://git.kernel.org/stable/c/7f083faf59d14c04e01ec05a7507f036c965acf8"
}
],
"title": "net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23340",
"datePublished": "2026-03-25T10:27:28.728Z",
"dateReserved": "2026-01-13T15:37:45.998Z",
"dateUpdated": "2026-04-18T08:58:04.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31512 (GCVE-0-2026-31512)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()

l2cap_ecred_data_rcv() reads the SDU length field from skb->data using
get_unaligned_le16() without first verifying that skb contains at least
L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads
past the valid data in the skb.

The ERTM reassembly path correctly calls pskb_may_pull() before reading
the SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the
same validation to the Enhanced Credit Based Flow Control data path.

Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < cef09691cfb61f6c91cc27c3d69634f81c8ab949 (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < 3340be2bafdcc806f048273ea6d8e82a6597aa1b (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < e47315b84d0eb188772c3ff5cf073cdbdefca6b4 (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < 477ad4976072056c348937e94f24583321938df4 (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < 40c7f7eea2f4d9cb0b3e924254c8c9053372168f (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < 8c96f3bd4ae0802db90630be8e9851827e9c9209 (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < 5ad981249be52f5e4e92e0e97b436b569071cb86 (git) |
| Linux | Linux | Affected: aac23bf636593cc2d67144aed373a46a1a5f76b1, < c65bd945d1c08c3db756821b6bf9f1c4a77b29c6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cef09691cfb61f6c91cc27c3d69634f81c8ab949",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "3340be2bafdcc806f048273ea6d8e82a6597aa1b",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "e47315b84d0eb188772c3ff5cf073cdbdefca6b4",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "477ad4976072056c348937e94f24583321938df4",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "40c7f7eea2f4d9cb0b3e924254c8c9053372168f",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "8c96f3bd4ae0802db90630be8e9851827e9c9209",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "5ad981249be52f5e4e92e0e97b436b569071cb86",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
},
{
"lessThan": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6",
"status": "affected",
"version": "aac23bf636593cc2d67144aed373a46a1a5f76b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb-\u003edata using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb-\u003elen is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:30.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cef09691cfb61f6c91cc27c3d69634f81c8ab949"
},
{
"url": "https://git.kernel.org/stable/c/3340be2bafdcc806f048273ea6d8e82a6597aa1b"
},
{
"url": "https://git.kernel.org/stable/c/e47315b84d0eb188772c3ff5cf073cdbdefca6b4"
},
{
"url": "https://git.kernel.org/stable/c/477ad4976072056c348937e94f24583321938df4"
},
{
"url": "https://git.kernel.org/stable/c/40c7f7eea2f4d9cb0b3e924254c8c9053372168f"
},
{
"url": "https://git.kernel.org/stable/c/8c96f3bd4ae0802db90630be8e9851827e9c9209"
},
{
"url": "https://git.kernel.org/stable/c/5ad981249be52f5e4e92e0e97b436b569071cb86"
},
{
"url": "https://git.kernel.org/stable/c/c65bd945d1c08c3db756821b6bf9f1c4a77b29c6"
}
],
"title": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31512",
"datePublished": "2026-04-22T13:54:30.171Z",
"dateReserved": "2026-03-09T15:48:24.107Z",
"dateUpdated": "2026-04-22T13:54:30.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53545 (GCVE-0-2023-53545)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2026-03-25 10:19
Title
drm/amdgpu: unmap and remove csa_va properly
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: unmap and remove csa_va properly

Root PD BO should be reserved before unmap and remove
a bo_va from VM otherwise lockdep will complain.

v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)

    [14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]
    [14616.937096] Call Trace:
    [14616.937097] <TASK>
    [14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]
    [14616.937187] drm_file_free+0x1d6/0x300 [drm]
    [14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]
    [14616.937220] drm_release+0x5e/0x100 [drm]
    [14616.937234] __fput+0x9f/0x280
    [14616.937239] ____fput+0xe/0x20
    [14616.937241] task_work_run+0x61/0x90
    [14616.937246] exit_to_user_mode_prepare+0x215/0x220
    [14616.937251] syscall_exit_to_user_mode+0x2a/0x60
    [14616.937254] do_syscall_64+0x48/0x90
    [14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < ae325b245208394279a1dc412c831ebd71befb0d (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0 (git) |
| Linux | Linux | Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21, < 5daff15cd013422bc6d1efcfe82b586800025384 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae325b245208394279a1dc412c831ebd71befb0d",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "5daff15cd013422bc6d1efcfe82b586800025384",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: unmap and remove csa_va properly\n\nRoot PD BO should be reserved before unmap and remove\na bo_va from VM otherwise lockdep will complain.\n\nv2: check fpriv-\u003ecsa_va is not NULL instead of amdgpu_mcbp (christian)\n\n[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]\n[14616.937096] Call Trace:\n[14616.937097] \u003cTASK\u003e\n[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]\n[14616.937187] drm_file_free+0x1d6/0x300 [drm]\n[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]\n[14616.937220] drm_release+0x5e/0x100 [drm]\n[14616.937234] __fput+0x9f/0x280\n[14616.937239] ____fput+0xe/0x20\n[14616.937241] task_work_run+0x61/0x90\n[14616.937246] exit_to_user_mode_prepare+0x215/0x220\n[14616.937251] syscall_exit_to_user_mode+0x2a/0x60\n[14616.937254] do_syscall_64+0x48/0x90\n[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:06.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae325b245208394279a1dc412c831ebd71befb0d"
},
{
"url": "https://git.kernel.org/stable/c/a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0"
},
{
"url": "https://git.kernel.org/stable/c/5daff15cd013422bc6d1efcfe82b586800025384"
}
],
"title": "drm/amdgpu: unmap and remove csa_va properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53545",
"datePublished": "2025-10-04T15:16:53.452Z",
"dateReserved": "2025-10-04T15:14:15.920Z",
"dateUpdated": "2026-03-25T10:19:06.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23395 (GCVE-0-2026-23395)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-18 08:58
Title
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Currently the code attempts to accept requests regardless of the
command identifier which may cause multiple requests to be marked
as pending (FLAG_DEFER_SETUP) which can cause more than
L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer
causing an overflow.
The spec is quite clear that the same identifier shall not be used on
subsequent requests:
'Within each signaling channel a different Identifier shall be used
for each successive request or indication.'
https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d
So this attempts to check if there are any channels pending with the
same identifier and rejects if any are found.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 10a7a702542240d5edb2b39450ac951c59ccd009 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 46e5b71666fb7652082e4e214a3365f4b14f1dc3 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < fb4a3a26483f3ea2cd21c7a2f7c45d5670600465 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 2124d82fd25e1671bb3ceb37998af5aae5903e06 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 6b949a6b33cbdf621d9fc6f0c48ac00915dbf514 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 8d0d94f8ba5b3a0beec3b0da558b9bea48018117 (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < e72ee455297b794b852e5cea8d2d7bb17312172a (git) |
| Linux | Linux | Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 5b3e2052334f2ff6d5200e952f4aa66994d09899 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10a7a702542240d5edb2b39450ac951c59ccd009",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "46e5b71666fb7652082e4e214a3365f4b14f1dc3",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "fb4a3a26483f3ea2cd21c7a2f7c45d5670600465",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "2124d82fd25e1671bb3ceb37998af5aae5903e06",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "6b949a6b33cbdf621d9fc6f0c48ac00915dbf514",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "8d0d94f8ba5b3a0beec3b0da558b9bea48018117",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "e72ee455297b794b852e5cea8d2d7bb17312172a",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "5b3e2052334f2ff6d5200e952f4aa66994d09899",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n\u0027Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.\u0027\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:29.622Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10a7a702542240d5edb2b39450ac951c59ccd009"
},
{
"url": "https://git.kernel.org/stable/c/46e5b71666fb7652082e4e214a3365f4b14f1dc3"
},
{
"url": "https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"
},
{
"url": "https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"
},
{
"url": "https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"
},
{
"url": "https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"
},
{
"url": "https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"
},
{
"url": "https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"
}
],
"title": "Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23395",
"datePublished": "2026-03-25T10:33:18.936Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-18T08:58:29.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-05-04 07:46
Title
xen/privcmd: fix double free via VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < dbf862ce9f009128ab86b234d91413a3e450beb4 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2b985d3a024b9e8c24e21671b34e855569763808 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 1576ff3869cbd3620717195f971c85b7d7fd62b5 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 402d84ad9e89bd4cbfd07ca8598532b7021daf95 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2894a351fe2ea8684919d36df3188b9a35e3926f (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 71bf829800758a6e3889096e4754ef47ba7fc850 (git) |
| Linux | Linux | Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 24daca4fc07f3ff8cd0e3f629cd982187f48436a (git) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T07:46:41.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-05-04T07:46:41.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23343 (GCVE-0-2026-23343)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:05
Title
xdp: produce a warning when calculated tailroom is negative
Summary
In the Linux kernel, the following vulnerability has been resolved:
xdp: produce a warning when calculated tailroom is negative
Many ethernet drivers report xdp Rx queue frag size as being the same as
DMA write size. However, the only user of this field, namely
bpf_xdp_frags_increase_tail(), clearly expects a truesize.
Such difference leads to unspecific memory corruption issues under certain
circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when
running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses
all DMA-writable space in 2 buffers. This would be fine, if only
rxq->frag_size was properly set to 4K, but value of 3K results in a
negative tailroom, because there is a non-zero page offset.
We are supposed to return -EINVAL and be done with it in such case, but due
to tailroom being stored as an unsigned int, it is reported to be somewhere
near UINT_MAX, resulting in a tail being grown, even if the requested
offset is too much (it is around 2K in the abovementioned test). This later
leads to all kinds of unspecific calltraces.
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < 01379540452a02bbc52f639d45dd365cd3624efb (git) |
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < a0fb59f527d03c60b2cd547cfae4a842ad84670f (git) |
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < c7c790a07697148c41e2d03eb28efe132adda749 (git) |
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < 98cd8b4d0b836d3edf70161f40efd9cbb8c8f252 (git) |
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < 94b9da7e9f958cb3d115b21eff824ecd8c3217aa (git) |
| Linux | Linux | Affected: bf25146a5595269810b1f47d048f114c5ff9f544 , < 8821e857759be9db3cde337ad328b71fe5c8a55f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01379540452a02bbc52f639d45dd365cd3624efb",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
},
{
"lessThan": "a0fb59f527d03c60b2cd547cfae4a842ad84670f",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
},
{
"lessThan": "c7c790a07697148c41e2d03eb28efe132adda749",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
},
{
"lessThan": "98cd8b4d0b836d3edf70161f40efd9cbb8c8f252",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
},
{
"lessThan": "94b9da7e9f958cb3d115b21eff824ecd8c3217aa",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
},
{
"lessThan": "8821e857759be9db3cde337ad328b71fe5c8a55f",
"status": "affected",
"version": "bf25146a5595269810b1f47d048f114c5ff9f544",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: produce a warning when calculated tailroom is negative\n\nMany ethernet drivers report xdp Rx queue frag size as being the same as\nDMA write size. However, the only user of this field, namely\nbpf_xdp_frags_increase_tail(), clearly expects a truesize.\n\nSuch difference leads to unspecific memory corruption issues under certain\ncircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when\nrunning xskxceiver\u0027s XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses\nall DMA-writable space in 2 buffers. This would be fine, if only\nrxq-\u003efrag_size was properly set to 4K, but value of 3K results in a\nnegative tailroom, because there is a non-zero page offset.\n\nWe are supposed to return -EINVAL and be done with it in such case, but due\nto tailroom being stored as an unsigned int, it is reported to be somewhere\nnear UINT_MAX, resulting in a tail being grown, even if the requested\noffset is too much (it is around 2K in the abovementioned test). 
This later\nleads to all kinds of unspecific calltraces.\n\n[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6\n[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4\n[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000]\n[ 7340.339230] in xskxceiver[42b5,400000+69000]\n[ 7340.340300] likely on CPU 6 (core 0, socket 6)\n[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 \u003c4c\u003e 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe\n[ 7340.340888] likely on CPU 3 (core 0, socket 3)\n[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff \u003c8b\u003e 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7\n[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI\n[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)\n[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80\n[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 \u003c8b\u003e 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89\n[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202\n[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010\n[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff\n[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0\n[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0\n[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500\n[ 
7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000\n[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0\n[ 7340.421237] PKRU: 55555554\n[ 7340.421623] Call Trace:\n[ 7340.421987] \u003cTASK\u003e\n[ 7340.422309] ? softleaf_from_pte+0x77/0xa0\n[ 7340.422855] swap_pte_batch+0xa7/0x290\n[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270\n[ 7340.424102] zap_pte_range+0x281/0x580\n[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240\n[ 7340.425177] unmap_page_range+0x24d/0x420\n[ 7340.425714] unmap_vmas+0xa1/0x180\n[ 7340.426185] exit_mmap+0xe1/0x3b0\n[ 7340.426644] __mmput+0x41/0x150\n[ 7340.427098] exit_mm+0xb1/0x110\n[ 7340.427539] do_exit+0x1b2/0x460\n[ 7340.427992] do_group_exit+0x2d/0xc0\n[ 7340.428477] get_signal+0x79d/0x7e0\n[ 7340.428957] arch_do_signal_or_restart+0x34/0x100\n[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0\n[ 7340.430159] do_syscall_64+0x188/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:05:25.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01379540452a02bbc52f639d45dd365cd3624efb"
},
{
"url": "https://git.kernel.org/stable/c/a0fb59f527d03c60b2cd547cfae4a842ad84670f"
},
{
"url": "https://git.kernel.org/stable/c/c7c790a07697148c41e2d03eb28efe132adda749"
},
{
"url": "https://git.kernel.org/stable/c/98cd8b4d0b836d3edf70161f40efd9cbb8c8f252"
},
{
"url": "https://git.kernel.org/stable/c/94b9da7e9f958cb3d115b21eff824ecd8c3217aa"
},
{
"url": "https://git.kernel.org/stable/c/8821e857759be9db3cde337ad328b71fe5c8a55f"
}
],
"title": "xdp: produce a warning when calculated tailroom is negative",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23343",
"datePublished": "2026-03-25T10:27:31.130Z",
"dateReserved": "2026-01-13T15:37:45.999Z",
"dateUpdated": "2026-04-13T06:05:25.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31680 (GCVE-0-2026-31680)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:05
Title
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file
RCU read-side lock and prints `fl->opt->opt_nflen` when an option block
is present.
Exclusive flowlabels currently free `fl->opt` as soon as `fl->users`
drops to zero in `fl_release()`. However, the surrounding
`struct ip6_flowlabel` remains visible in the global hash table until
later garbage collection removes it and `fl_free_rcu()` finally tears it
down.
A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that
early `kfree()` and dereference freed option state, triggering a crash
in `ip6fl_seq_show()`.
Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches
the lifetime already required for the enclosing flowlabel while readers
can still reach it under RCU.
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 4b6798024f7b2d535f3db1002c760143cdbd1bd3 (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 3c54b66c83fb8fcbde8e6a7bf90b65856e39f827 (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 5a6b15f861b7c1304949e3350d23490a5fe429fd (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 6c7fbdb8ffde6413640de7cfbd7c976c353e89f8 (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 8027964931785cb73d520ac70a342a3dc16c249b (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 414726b69921fe6355ae453f5b35e68dd078342a (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 572ce62778519a7d4d1c15f55dd2e45a474133c4 (git) |
| Linux | Linux | Affected: d3aedd5ebd4b0b925b0bcda548066803e1318499 , < 9ca562bb8e66978b53028fa32b1a190708e6a091 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_flowlabel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b6798024f7b2d535f3db1002c760143cdbd1bd3",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "3c54b66c83fb8fcbde8e6a7bf90b65856e39f827",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "5a6b15f861b7c1304949e3350d23490a5fe429fd",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "6c7fbdb8ffde6413640de7cfbd7c976c353e89f8",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "8027964931785cb73d520ac70a342a3dc16c249b",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "414726b69921fe6355ae453f5b35e68dd078342a",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "572ce62778519a7d4d1c15f55dd2e45a474133c4",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
},
{
"lessThan": "9ca562bb8e66978b53028fa32b1a190708e6a091",
"status": "affected",
"version": "d3aedd5ebd4b0b925b0bcda548066803e1318499",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_flowlabel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: flowlabel: defer exclusive option free until RCU teardown\n\n`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file\nRCU read-side lock and prints `fl-\u003eopt-\u003eopt_nflen` when an option block\nis present.\n\nExclusive flowlabels currently free `fl-\u003eopt` as soon as `fl-\u003eusers`\ndrops to zero in `fl_release()`. However, the surrounding\n`struct ip6_flowlabel` remains visible in the global hash table until\nlater garbage collection removes it and `fl_free_rcu()` finally tears it\ndown.\n\nA concurrent `/proc/net/ip6_flowlabel` reader can therefore race that\nearly `kfree()` and dereference freed option state, triggering a crash\nin `ip6fl_seq_show()`.\n\nFix this by keeping `fl-\u003eopt` alive until `fl_free_rcu()`. That matches\nthe lifetime already required for the enclosing flowlabel while readers\ncan still reach it under RCU."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:05:00.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b6798024f7b2d535f3db1002c760143cdbd1bd3"
},
{
"url": "https://git.kernel.org/stable/c/3c54b66c83fb8fcbde8e6a7bf90b65856e39f827"
},
{
"url": "https://git.kernel.org/stable/c/5a6b15f861b7c1304949e3350d23490a5fe429fd"
},
{
"url": "https://git.kernel.org/stable/c/6c7fbdb8ffde6413640de7cfbd7c976c353e89f8"
},
{
"url": "https://git.kernel.org/stable/c/8027964931785cb73d520ac70a342a3dc16c249b"
},
{
"url": "https://git.kernel.org/stable/c/414726b69921fe6355ae453f5b35e68dd078342a"
},
{
"url": "https://git.kernel.org/stable/c/572ce62778519a7d4d1c15f55dd2e45a474133c4"
},
{
"url": "https://git.kernel.org/stable/c/9ca562bb8e66978b53028fa32b1a190708e6a091"
}
],
"title": "net: ipv6: flowlabel: defer exclusive option free until RCU teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31680",
"datePublished": "2026-04-25T08:46:56.807Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:05:00.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23439 (GCVE-0-2026-23439)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:58
Title
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
(success) without actually creating a socket. Callers such as
fou_create() then proceed to dereference the uninitialized socket
pointer, resulting in a NULL pointer dereference.
The captured NULL deref crash:
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
[...]
Call Trace:
<TASK>
genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
[...]
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
__sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
__x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
callers correctly take their error paths. There is only one caller of
the vulnerable function and only privileged users can trigger it.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < dfc96ae0074cc47b5478a59e5aa19233e434243f (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 66117dbb3dbae82f86735bf727b1d59cc677afa1 (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < ba7c9ddcdd077942b798979edb035207374d4096 (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < a05a2149386f6dfb4245f522acdbef892acafc84 (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 9f036aa0fe46c19e938f03d10e02c23f4fffae5e (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 003343985f26dfefd0c94b1fe1316a2de74428b9 (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 12aa4b73a67d95bc739995a2d6943aec2f9785c9 (git) |
| Linux | Linux | Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < b3a6df291fecf5f8a308953b65ca72b7fc9e015d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/udp_tunnel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfc96ae0074cc47b5478a59e5aa19233e434243f",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "66117dbb3dbae82f86735bf727b1d59cc677afa1",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "ba7c9ddcdd077942b798979edb035207374d4096",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "a05a2149386f6dfb4245f522acdbef892acafc84",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "9f036aa0fe46c19e938f03d10e02c23f4fffae5e",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "003343985f26dfefd0c94b1fe1316a2de74428b9",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "12aa4b73a67d95bc739995a2d6943aec2f9785c9",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "b3a6df291fecf5f8a308953b65ca72b7fc9e015d",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/udp_tunnel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n\n\nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0\n(success) without actually creating a socket. Callers such as\nfou_create() then proceed to dereference the uninitialized socket\npointer, resulting in a NULL pointer dereference.\n\nThe captured NULL deref crash:\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)\n [...]\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)\n [...]\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))\n __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)\n\nThis patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so\ncallers correctly take their error paths. There is only one caller of\nthe vulnerable function and only privileged users can trigger it."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:55.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfc96ae0074cc47b5478a59e5aa19233e434243f"
},
{
"url": "https://git.kernel.org/stable/c/66117dbb3dbae82f86735bf727b1d59cc677afa1"
},
{
"url": "https://git.kernel.org/stable/c/ba7c9ddcdd077942b798979edb035207374d4096"
},
{
"url": "https://git.kernel.org/stable/c/a05a2149386f6dfb4245f522acdbef892acafc84"
},
{
"url": "https://git.kernel.org/stable/c/9f036aa0fe46c19e938f03d10e02c23f4fffae5e"
},
{
"url": "https://git.kernel.org/stable/c/003343985f26dfefd0c94b1fe1316a2de74428b9"
},
{
"url": "https://git.kernel.org/stable/c/12aa4b73a67d95bc739995a2d6943aec2f9785c9"
},
{
"url": "https://git.kernel.org/stable/c/b3a6df291fecf5f8a308953b65ca72b7fc9e015d"
}
],
"title": "udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23439",
"datePublished": "2026-04-03T15:15:23.734Z",
"dateReserved": "2026-01-13T15:37:46.017Z",
"dateUpdated": "2026-04-18T08:58:55.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23452 (GCVE-0-2026-23452)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
PM: runtime: Fix a race condition related to device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM: runtime: Fix a race condition related to device removal
The following code in pm_runtime_work() may dereference the dev->parent
pointer after the parent device has been freed:
    /* Maybe the parent is now able to suspend. */
    if (parent && !parent->power.ignore_children) {
        spin_unlock(&dev->power.lock);
        spin_lock(&parent->power.lock);
        rpm_idle(parent, RPM_ASYNC);
        spin_unlock(&parent->power.lock);
        spin_lock(&dev->power.lock);
    }
Fix this by inserting a flush_work() call in pm_runtime_remove().
Without this patch blktest block/001 triggers the following complaint
sporadically:
BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
Workqueue: pm pm_runtime_work
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x80
print_address_description.constprop.0+0x8b/0x310
print_report+0xfd/0x1d7
kasan_report+0xd8/0x1d0
__kasan_check_byte+0x42/0x60
lock_acquire.part.0+0x38/0x230
lock_acquire+0x70/0x160
_raw_spin_lock+0x36/0x50
rpm_suspend+0xc6a/0xfe0
rpm_idle+0x578/0x770
pm_runtime_work+0xee/0x120
process_one_work+0xde3/0x1410
worker_thread+0x5eb/0xfe0
kthread+0x37b/0x480
ret_from_fork+0x6cb/0x920
ret_from_fork_asm+0x11/0x20
</TASK>
Allocated by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_alloc_info+0x3d/0x50
__kasan_kmalloc+0xa0/0xb0
__kmalloc_noprof+0x311/0x990
scsi_alloc_target+0x122/0xb60 [scsi_mod]
__scsi_scan_target+0x101/0x460 [scsi_mod]
scsi_scan_channel+0x179/0x1c0 [scsi_mod]
scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
store_scan+0x2d2/0x390 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810
do_syscall_64+0xee/0xfc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_free_info+0x3f/0x50
__kasan_slab_free+0x67/0x80
kfree+0x225/0x6c0
scsi_target_dev_release+0x3d/0x60 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_put+0x7f/0xc0 [scsi_mod]
sdev_store_delete+0xa5/0x120 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 20f6e2e22a9c6234113812d5f300d3e952a82721 (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 5649b46af8b167259e8a8e4e7eb3667ce74554b5 (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 39f2d86f2ddde8d1beda05732f30c7cd945e0b5a (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < c6febaacfb8a0aec7d771a0e6c21cd68102d5679 (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < bb081fd37f8312651140d7429557258afe51693d (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < cf65a77c0f9531eb6cfb97cc040974d2d8fff043 (git) |
| Linux | Linux | Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 29ab768277617452d88c0607c9299cdc63b6e9ff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/power/runtime.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20f6e2e22a9c6234113812d5f300d3e952a82721",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "5649b46af8b167259e8a8e4e7eb3667ce74554b5",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "39f2d86f2ddde8d1beda05732f30c7cd945e0b5a",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "c6febaacfb8a0aec7d771a0e6c21cd68102d5679",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "bb081fd37f8312651140d7429557258afe51693d",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "cf65a77c0f9531eb6cfb97cc040974d2d8fff043",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "29ab768277617452d88c0607c9299cdc63b6e9ff",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/power/runtime.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: runtime: Fix a race condition related to device removal\n\nThe following code in pm_runtime_work() may dereference the dev-\u003eparent\npointer after the parent device has been freed:\n\n\t/* Maybe the parent is now able to suspend. */\n\tif (parent \u0026\u0026 !parent-\u003epower.ignore_children) {\n\t\tspin_unlock(\u0026dev-\u003epower.lock);\n\n\t\tspin_lock(\u0026parent-\u003epower.lock);\n\t\trpm_idle(parent, RPM_ASYNC);\n\t\tspin_unlock(\u0026parent-\u003epower.lock);\n\n\t\tspin_lock(\u0026dev-\u003epower.lock);\n\t}\n\nFix this by inserting a flush_work() call in pm_runtime_remove().\n\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\n\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x8b/0x310\n print_report+0xfd/0x1d7\n kasan_report+0xd8/0x1d0\n __kasan_check_byte+0x42/0x60\n lock_acquire.part.0+0x38/0x230\n lock_acquire+0x70/0x160\n _raw_spin_lock+0x36/0x50\n rpm_suspend+0xc6a/0xfe0\n rpm_idle+0x578/0x770\n pm_runtime_work+0xee/0x120\n process_one_work+0xde3/0x1410\n worker_thread+0x5eb/0xfe0\n kthread+0x37b/0x480\n ret_from_fork+0x6cb/0x920\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nAllocated by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_alloc_info+0x3d/0x50\n __kasan_kmalloc+0xa0/0xb0\n __kmalloc_noprof+0x311/0x990\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\n __scsi_scan_target+0x101/0x460 [scsi_mod]\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\n store_scan+0x2d2/0x390 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n 
__x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n do_syscall_64+0xee/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFreed by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_free_info+0x3f/0x50\n __kasan_slab_free+0x67/0x80\n kfree+0x225/0x6c0\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_put+0x7f/0xc0 [scsi_mod]\n sdev_store_delete+0xa5/0x120 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:00.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20f6e2e22a9c6234113812d5f300d3e952a82721"
},
{
"url": "https://git.kernel.org/stable/c/b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e"
},
{
"url": "https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5"
},
{
"url": "https://git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a"
},
{
"url": "https://git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679"
},
{
"url": "https://git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d"
},
{
"url": "https://git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043"
},
{
"url": "https://git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff"
}
],
"title": "PM: runtime: Fix a race condition related to device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23452",
"datePublished": "2026-04-03T15:15:34.680Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-18T08:59:00.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23368 (GCVE-0-2026-23368)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
LED_TRIGGER_PHY are enabled:
[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
while holding RTNL and then taking triggers_list_lock.
[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
triggers_list_lock and then RTNL. A classical AB-BA deadlock.
phy_led_triggers_registers() does not require the RTNL, it does not
make any calls into the network stack which require protection. There
is also no requirement the PHY has been attached to a MAC, the
triggers only make use of phydev state. This allows the call to
phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
release() don't hold RTNL, so solving the AB-BA deadlock.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b01518eabace18f7ec8b4cafd52082303080dca",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "305afdd02ff3e694c165457793104710ec0728e5",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c33523b8fd2d4c504ada18cd93f511f2a8f84217",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "241cd64cf2e32b28ead151b1795cd8fef2b6e482",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "2764dcb3c35de4410f642afc62cf979727470575",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
},
{
"lessThan": "c8dbdc6e380e7e96a51706db3e4b7870d8a9402d",
"status": "affected",
"version": "06f502f57d0d7728f9fa0f157ec5e4111ddb98f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [\u003c8054e4b8\u003e] led_trigger_register+0x5c/0x1fc \u003c-- Trying to get lock \"triggers_list_lock\" via down_write(\u0026triggers_list_lock);\n[ 1362.054536] [\u003c80662830\u003e] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [\u003c8065e200\u003e] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [\u003c80651fc4\u003e] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [\u003c8066ee18\u003e] mtk_open+0x7c/0xba0\n[ 1362.075849] [\u003c806d714c\u003e] __dev_open+0x280/0x2b0\n[ 1362.080384] [\u003c806d7668\u003e] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [\u003c806d7698\u003e] dev_change_flags+0x28/0x78\n[ 1362.090528] [\u003c807150e4\u003e] dev_ioctl+0x4c0/0x654 \u003c-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [\u003c80694360\u003e] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [\u003c802e9c4c\u003e] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [\u003c806c2640\u003e] register_netdevice_notifier+0x60/0x168 \u003c-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [\u003c805504ac\u003e] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [\u003c8054e28c\u003e] led_trigger_set+0x1d4/0x360 \u003c-- Hold lock \"triggers_list_lock\" by down_read(\u0026triggers_list_lock);\n[ 1362.207511] [\u003c8054eb38\u003e] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [\u003c80381d98\u003e] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [\u003c8037fcd8\u003e] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [\u003c802cbd70\u003e] vfs_write+0x21c/0x3c4\n[ 1362.227712] [\u003c802cc0c4\u003e] ksys_write+0x78/0x12c\n[ 1362.232164] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don\u0027t hold RTNL, so solving the AB-BA deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:16.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b01518eabace18f7ec8b4cafd52082303080dca"
},
{
"url": "https://git.kernel.org/stable/c/305afdd02ff3e694c165457793104710ec0728e5"
},
{
"url": "https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a"
},
{
"url": "https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217"
},
{
"url": "https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482"
},
{
"url": "https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575"
},
{
"url": "https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757"
},
{
"url": "https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d"
}
],
"title": "net: phy: register phy led_triggers during probe to avoid AB-BA deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23368",
"datePublished": "2026-03-25T10:27:49.889Z",
"dateReserved": "2026-01-13T15:37:46.003Z",
"dateUpdated": "2026-04-18T08:58:16.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31668 (GCVE-0-2026-31668)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
Summary
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared
between seg6_input_core() and seg6_output_core(). These two paths
can perform the post-encap SID lookup in different routing contexts
(e.g., ip rules matching on the ingress interface, or VRF table
separation). Whichever path runs first populates the cache, and the
other reuses it blindly, bypassing its own lookup.
Fix this by splitting the cache into cache_input and cache_output,
so each path maintains its own cached dst independently.
Severity
9.8 (Critical)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dec91d3b1cefb82635761b7812154af3ef46449",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "750569d6987a0ff46317a4b86eb3907e296287bf",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "57d0374d14fa667dec6952173b93e7e84486d5c9",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "84d458018b147176b259347103fccb7e93abd2b1",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "6305ad032b03d2ea4181b953a66e19a9a6ed053c",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "fb56de5d99218de49d5d43ef3a99e062ecd0f9a1",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "c3812651b522fe8437ebb7063b75ddb95b571643",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: separate dst_cache for input and output paths in seg6 lwtunnel\n\nThe seg6 lwtunnel uses a single dst_cache per encap route, shared\nbetween seg6_input_core() and seg6_output_core(). These two paths\ncan perform the post-encap SID lookup in different routing contexts\n(e.g., ip rules matching on the ingress interface, or VRF table\nseparation). Whichever path runs first populates the cache, and the\nother reuses it blindly, bypassing its own lookup.\n\nFix this by splitting the cache into cache_input and cache_output,\nso each path maintains its own cached dst independently."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:52.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449"
},
{
"url": "https://git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf"
},
{
"url": "https://git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9"
},
{
"url": "https://git.kernel.org/stable/c/84d458018b147176b259347103fccb7e93abd2b1"
},
{
"url": "https://git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c"
},
{
"url": "https://git.kernel.org/stable/c/fb56de5d99218de49d5d43ef3a99e062ecd0f9a1"
},
{
"url": "https://git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a"
},
{
"url": "https://git.kernel.org/stable/c/c3812651b522fe8437ebb7063b75ddb95b571643"
}
],
"title": "seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31668",
"datePublished": "2026-04-24T14:45:16.630Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:52.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23319 (GCVE-0-2026-23319)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04
Title
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this:
Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.
Only increment the refcount if it is not already zero.
Testing:
I verified the fix by adding a delay in
'bpf_shim_tramp_link_release' to make the bug easier to trigger:
static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
/* ... */
if (!shim_link->trampoline)
return;
+ msleep(100);
WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
shim_link->trampoline, NULL));
bpf_trampoline_put(shim_link->trampoline);
}
Before the patch, running a PoC easily reproduced the crash (almost 100%)
with a call trace similar to KaiyanM's report.
After the patch, the bug no longer occurs even after millions of
iterations.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "529e685e522b9d7fb379dbe6929dcdf520e34c8c",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
},
{
"lessThan": "9b02c5c4147f8af8ed783c8deb5df927a55c3951",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
},
{
"lessThan": "cfcfa0ca0212162aa472551266038e8fd6768cff",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
},
{
"lessThan": "3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
},
{
"lessThan": "4e8a0005d633a4adc98e3b65d5080f93b90d356b",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
},
{
"lessThan": "56145d237385ca0e7ca9ff7b226aaf2eb8ef368b",
"status": "affected",
"version": "69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/trampoline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\n\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link-\u003etrampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\n\t\tshim_link-\u003etrampoline, NULL));\n\tbpf_trampoline_put(shim_link-\u003etrampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM\u0027s report.\nAfter the patch, the bug no longer occurs even after millions of\niterations."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:04:18.830Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"
},
{
"url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"
},
{
"url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"
},
{
"url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"
},
{
"url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"
},
{
"url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"
}
],
"title": "bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23319",
"datePublished": "2026-03-25T10:27:13.678Z",
"dateReserved": "2026-01-13T15:37:45.995Z",
"dateUpdated": "2026-04-13T06:04:18.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31682 (GCVE-0-2026-31682)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:05
Title
bridge: br_nd_send: linearize skb before parsing ND options
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: br_nd_send: linearize skb before parsing ND options
br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.
Its callers only guarantee that the ICMPv6 header and target address
are available, so the option area can still be non-linear. Parsing
ns->opt[] in that case can access data past the linear buffer.
Linearize request before option parsing and derive ns from the linear
network header.
Severity
9.1 (Critical)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_arp_nd_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c68433fd291c9e88c00292095172c62d1997d662",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "4f397b950c916e9a1f8a4fce04ea0110206cad47",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "bd91ec85aa4c77d645bd2739fc56784157a88ca2",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "658261898130da620fc3d0fbb0523efb3366cb55",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "2ba4caba423ed94d63006eb1d2227b0332ab7fcd",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "9c55e41c73af5c4511070933b1bd25248521270c",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "3a30f6469b058574f49efde61cd6f5d79e576053",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "a01aee7cafc575bb82f5529e8734e7052f9b16ea",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_arp_nd_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns-\u003eopt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns-\u003eopt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:05:02.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c68433fd291c9e88c00292095172c62d1997d662"
},
{
"url": "https://git.kernel.org/stable/c/4f397b950c916e9a1f8a4fce04ea0110206cad47"
},
{
"url": "https://git.kernel.org/stable/c/bd91ec85aa4c77d645bd2739fc56784157a88ca2"
},
{
"url": "https://git.kernel.org/stable/c/658261898130da620fc3d0fbb0523efb3366cb55"
},
{
"url": "https://git.kernel.org/stable/c/2ba4caba423ed94d63006eb1d2227b0332ab7fcd"
},
{
"url": "https://git.kernel.org/stable/c/9c55e41c73af5c4511070933b1bd25248521270c"
},
{
"url": "https://git.kernel.org/stable/c/3a30f6469b058574f49efde61cd6f5d79e576053"
},
{
"url": "https://git.kernel.org/stable/c/a01aee7cafc575bb82f5529e8734e7052f9b16ea"
}
],
"title": "bridge: br_nd_send: linearize skb before parsing ND options",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31682",
"datePublished": "2026-04-25T08:46:59.106Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:05:02.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31672 (GCVE-0-2026-31672)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
wifi: rt2x00usb: fix devres lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00usb: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the USB anchor lifetime so that it is released on driver unbind.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < 64a457f6afbf15f984d95201a9a1e71eed3f9dd1 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < 65518a6965d527c53013947031f26754f6a4f6af (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < 15b233e33b35b927bd8d0044c15325564ea1ba24 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < 1de5c76bf40e9cdeebf54662f63011fb10fa452f (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < b245db719bc7e57abf48bd5701662b270c3880f7 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < e360d15fcb1e819eef49e3d4434d8050542eed16 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < c99f198841b41735796e2ddfcd573783fb552eb9 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d, < 25369b22223d1c56e42a0cd4ac9137349d5a898e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64a457f6afbf15f984d95201a9a1e71eed3f9dd1",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "65518a6965d527c53013947031f26754f6a4f6af",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "15b233e33b35b927bd8d0044c15325564ea1ba24",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "1de5c76bf40e9cdeebf54662f63011fb10fa452f",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "b245db719bc7e57abf48bd5701662b270c3880f7",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "e360d15fcb1e819eef49e3d4434d8050542eed16",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "c99f198841b41735796e2ddfcd573783fb552eb9",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "25369b22223d1c56e42a0cd4ac9137349d5a898e",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00usb: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the USB anchor lifetime so that it is released on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:19.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64a457f6afbf15f984d95201a9a1e71eed3f9dd1"
},
{
"url": "https://git.kernel.org/stable/c/65518a6965d527c53013947031f26754f6a4f6af"
},
{
"url": "https://git.kernel.org/stable/c/15b233e33b35b927bd8d0044c15325564ea1ba24"
},
{
"url": "https://git.kernel.org/stable/c/1de5c76bf40e9cdeebf54662f63011fb10fa452f"
},
{
"url": "https://git.kernel.org/stable/c/b245db719bc7e57abf48bd5701662b270c3880f7"
},
{
"url": "https://git.kernel.org/stable/c/e360d15fcb1e819eef49e3d4434d8050542eed16"
},
{
"url": "https://git.kernel.org/stable/c/c99f198841b41735796e2ddfcd573783fb552eb9"
},
{
"url": "https://git.kernel.org/stable/c/25369b22223d1c56e42a0cd4ac9137349d5a898e"
}
],
"title": "wifi: rt2x00usb: fix devres lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31672",
"datePublished": "2026-04-24T14:45:19.725Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-24T14:45:19.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43025 (GCVE-0-2026-43025)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
netfilter: ctnetlink: ignore explicit helper on new expectations
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ignore explicit helper on new expectations
Use the existing master conntrack helper, anything else is not really
supported and it just makes validation more complicated, so just ignore
what helper userspace suggests for this expectation.
This was uncovered when validating CTA_EXPECT_CLASS via different helper
provided by userspace than the existing master conntrack helper:
BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
nf_ct_expect_related_report+0x2479/0x27c0
ctnetlink_create_expect+0x22b/0x3b0
ctnetlink_new_expect+0x4bd/0x5c0
nfnetlink_rcv_msg+0x67a/0x950
netlink_rcv_skb+0x120/0x350
Allowing to read kernel memory bytes off the expectation boundary.
CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace
via netlink dump.
Severity
7.3 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < e135f8e8212cbed12a03ab8dec77fa1247139897 (git) |
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < 2ea0f35f235f70c133ad61fe05ba013753b978c6 (git) |
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < 0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd (git) |
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < 187b6ec5229ea93cb04c4f6d3b52efc80f513d0d (git) |
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < 21a04c31db4057deec85fcd6cc63d720b38819c3 (git) |
| Linux | Linux | Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53, < 917b61fa2042f11e2af4c428e43f08199586633a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e135f8e8212cbed12a03ab8dec77fa1247139897",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "2ea0f35f235f70c133ad61fe05ba013753b978c6",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "187b6ec5229ea93cb04c4f6d3b52efc80f513d0d",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "21a04c31db4057deec85fcd6cc63d720b38819c3",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "917b61fa2042f11e2af4c428e43f08199586633a",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:09.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897"
},
{
"url": "https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6"
},
{
"url": "https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd"
},
{
"url": "https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d"
},
{
"url": "https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3"
},
{
"url": "https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a"
}
],
"title": "netfilter: ctnetlink: ignore explicit helper on new expectations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43025",
"datePublished": "2026-05-01T14:15:27.103Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-03T05:46:09.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71221 (GCVE-0-2025-71221)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-03-25 10:20
Title
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.
The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:
CPU 0                              CPU 1
-----                              -----
mmp_pdma_tx_status()
mmp_pdma_residue()
  -> NO LOCK held
     list_for_each_entry(sw, ..)
                                   DMA interrupt
                                   dma_do_tasklet()
                                     -> spin_lock(&desc_lock)
                                        list_move(sw->node, ...)
                                        spin_unlock(&desc_lock)
  |                                     dma_pool_free(sw) <- FREED!
  -> access sw->desc <- UAF!
This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).
Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1b38da264674d6a0fe26a63996b8f88b88c3da48, < dfb5e05227745de43b7fd589721817a4337c970d (git) |
| Linux | Linux | Affected: 1b38da264674d6a0fe26a63996b8f88b88c3da48, < eba0c75670c022cb1f948600db972524bcfe8166 (git) |
| Linux | Linux | Affected: 1b38da264674d6a0fe26a63996b8f88b88c3da48, < fc023b8fab057f0c910856ff36d3e12a30b7af4a (git) |
| Linux | Linux | Affected: 1b38da264674d6a0fe26a63996b8f88b88c3da48, < 9f665b3c3d9a168410251f27a5d019b7bf93185c (git) |
| Linux | Linux | Affected: 1b38da264674d6a0fe26a63996b8f88b88c3da48, < a143545855bc2c6e1330f6f57ae375ac44af00a7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/mmp_pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfb5e05227745de43b7fd589721817a4337c970d",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
},
{
"lessThan": "eba0c75670c022cb1f948600db972524bcfe8166",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
},
{
"lessThan": "fc023b8fab057f0c910856ff36d3e12a30b7af4a",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
},
{
"lessThan": "9f665b3c3d9a168410251f27a5d019b7bf93185c",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
},
{
"lessThan": "a143545855bc2c6e1330f6f57ae375ac44af00a7",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/mmp_pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()\n\nAdd proper locking in mmp_pdma_residue() to prevent use-after-free when\naccessing descriptor list and descriptor contents.\n\nThe race occurs when multiple threads call tx_status() while the tasklet\non another CPU is freeing completed descriptors:\n\nCPU 0 CPU 1\n----- -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n -\u003e NO LOCK held\n list_for_each_entry(sw, ..)\n DMA interrupt\n dma_do_tasklet()\n -\u003e spin_lock(\u0026desc_lock)\n list_move(sw-\u003enode, ...)\n spin_unlock(\u0026desc_lock)\n | dma_pool_free(sw) \u003c- FREED!\n -\u003e access sw-\u003edesc \u003c- UAF!\n\nThis issue can be reproduced when running dmatest on the same channel with\nmultiple threads (threads_per_chan \u003e 1).\n\nFix by protecting the chain_running list iteration and descriptor access\nwith the chan-\u003edesc_lock spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:09.939Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfb5e05227745de43b7fd589721817a4337c970d"
},
{
"url": "https://git.kernel.org/stable/c/eba0c75670c022cb1f948600db972524bcfe8166"
},
{
"url": "https://git.kernel.org/stable/c/fc023b8fab057f0c910856ff36d3e12a30b7af4a"
},
{
"url": "https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c"
},
{
"url": "https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7"
}
],
"title": "dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71221",
"datePublished": "2026-02-14T16:27:04.631Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-03-25T10:20:09.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31510 (GCVE-0-2026-31510)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
Before using sk pointer, check if it is null.
Fix the following:
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
veth0_macvtap: entered promiscuous mode
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40
lock_acquire+0x79/0x2e0
lock_sock_nested+0x48/0x100
? l2cap_sock_ready_cb+0x46/0x160
l2cap_sock_ready_cb+0x46/0x160
l2cap_conn_start+0x779/0xff0
? __pfx_l2cap_conn_start+0x10/0x10
? l2cap_info_timeout+0x60/0xa0
? __pfx___mutex_lock+0x10/0x10
l2cap_info_timeout+0x68/0xa0
? process_scheduled_works+0xa8d/0x18c0
process_scheduled_works+0xb6e/0x18c0
? __pfx_process_scheduled_works+0x10/0x10
? assign_work+0x3d5/0x5e0
worker_thread+0xa53/0xfc0
kthread+0x388/0x470
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x51e/0xb90
? __pfx_ret_from_fork+0x10/0x10
veth1_macvtap: entered promiscuous mode
? __switch_to+0xc7d/0x1450
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
RIP: 0010:kasan_byte_accessible+0x12/0x30
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce
ieee80211 phy39: Selected rate control algorithm 'minstrel_ht'
RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001
RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000
R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < d34776c7fa1f2c510f1cdd14823aba701babb4ad (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < 03d4eafb0f3788239df63575951f6b4c97bbfda4 (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < 3c821bc0fbeaa27910a20d0b43c6008d099792af (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < a04a760c06bb591989db659439efdf106f0bae76 (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < 0780f9333852971ca77d110019e3a66ce5a7b100 (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < 1dc6db047919ecd59493cd51248b37381bbabcbb (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < 898b89c90ff9496e64b9331040778cc4e1b28c9d (git) |
| Linux | Linux | Affected: 54a59aa2b562872781d6a8fc89f300d360941691, < b6552e0503973daf6f23bd6ed9273ef131ee364f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d34776c7fa1f2c510f1cdd14823aba701babb4ad",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "03d4eafb0f3788239df63575951f6b4c97bbfda4",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "3c821bc0fbeaa27910a20d0b43c6008d099792af",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "a04a760c06bb591989db659439efdf106f0bae76",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "0780f9333852971ca77d110019e3a66ce5a7b100",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "1dc6db047919ecd59493cd51248b37381bbabcbb",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "898b89c90ff9496e64b9331040778cc4e1b28c9d",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
},
{
"lessThan": "b6552e0503973daf6f23bd6ed9273ef131ee364f",
"status": "affected",
"version": "54a59aa2b562872781d6a8fc89f300d360941691",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n\nBefore using sk pointer, check if it is null.\n\nFix the following:\n\n KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\n CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\n Workqueue: events l2cap_info_timeout\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n veth0_macvtap: entered promiscuous mode\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n __kasan_check_byte+0x12/0x40\n lock_acquire+0x79/0x2e0\n lock_sock_nested+0x48/0x100\n ? l2cap_sock_ready_cb+0x46/0x160\n l2cap_sock_ready_cb+0x46/0x160\n l2cap_conn_start+0x779/0xff0\n ? __pfx_l2cap_conn_start+0x10/0x10\n ? l2cap_info_timeout+0x60/0xa0\n ? __pfx___mutex_lock+0x10/0x10\n l2cap_info_timeout+0x68/0xa0\n ? process_scheduled_works+0xa8d/0x18c0\n process_scheduled_works+0xb6e/0x18c0\n ? __pfx_process_scheduled_works+0x10/0x10\n ? assign_work+0x3d5/0x5e0\n worker_thread+0xa53/0xfc0\n kthread+0x388/0x470\n ? __pfx_worker_thread+0x10/0x10\n ? 
__pfx_kthread+0x10/0x10\n ret_from_fork+0x51e/0xb90\n ? __pfx_ret_from_fork+0x10/0x10\n veth1_macvtap: entered promiscuous mode\n ? __switch_to+0xc7d/0x1450\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n batman_adv: batadv0: Interface activated: batadv_slave_0\n batman_adv: batadv0: Interface activated: batadv_slave_1\n netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n ieee80211 phy39: Selected rate control algorithm \u0027minstrel_ht\u0027\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:28.712Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d34776c7fa1f2c510f1cdd14823aba701babb4ad"
},
{
"url": "https://git.kernel.org/stable/c/03d4eafb0f3788239df63575951f6b4c97bbfda4"
},
{
"url": "https://git.kernel.org/stable/c/3c821bc0fbeaa27910a20d0b43c6008d099792af"
},
{
"url": "https://git.kernel.org/stable/c/a04a760c06bb591989db659439efdf106f0bae76"
},
{
"url": "https://git.kernel.org/stable/c/0780f9333852971ca77d110019e3a66ce5a7b100"
},
{
"url": "https://git.kernel.org/stable/c/1dc6db047919ecd59493cd51248b37381bbabcbb"
},
{
"url": "https://git.kernel.org/stable/c/898b89c90ff9496e64b9331040778cc4e1b28c9d"
},
{
"url": "https://git.kernel.org/stable/c/b6552e0503973daf6f23bd6ed9273ef131ee364f"
}
],
"title": "Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31510",
"datePublished": "2026-04-22T13:54:28.712Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-04-22T13:54:28.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23450 (GCVE-0-2026-23450)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()

Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].

smc_tcp_syn_recv_sock() is called in the TCP receive path
(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
listening socket). It reads sk_user_data to get the smc_sock
pointer. However, when the SMC listen socket is being closed
concurrently, smc_close_active() sets clcsock->sk_user_data
to NULL under sk_callback_lock, and then the smc_sock itself
can be freed via sock_put() in smc_release().

This leads to two issues:

1) NULL pointer dereference: sk_user_data is NULL when
   accessed.
2) Use-after-free: sk_user_data is read as non-NULL, but the
   smc_sock is freed before its fields (e.g., queued_smc_hs,
   ori_af_ops) are accessed.

The race window looks like this (the syzkaller crash [1]
triggers via the SYN cookie path: tcp_get_cookie_sock() ->
smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
has the same race):

    CPU A (softirq)              CPU B (process ctx)

    tcp_v4_rcv()
      TCP_NEW_SYN_RECV:
      sk = req->rsk_listener
      sock_hold(sk)
      /* No lock on listener */
                                 smc_close_active():
                                   write_lock_bh(cb_lock)
                                   sk_user_data = NULL
                                   write_unlock_bh(cb_lock)
                                 ...
                                 smc_clcsock_release()
                                 sock_put(smc->sk) x2
                                   -> smc_sock freed!
    tcp_check_req()
      smc_tcp_syn_recv_sock():
        smc = user_data(sk)
          -> NULL or dangling
        smc->queued_smc_hs
          -> crash!

Note that the clcsock and smc_sock are two independent objects
with separate refcounts. TCP stack holds a reference on the
clcsock, which keeps it alive, but this does NOT prevent the
smc_sock from being freed.

Fix this by using RCU and refcount_inc_not_zero() to safely
access smc_sock. Since smc_tcp_syn_recv_sock() is called in
the TCP three-way handshake path, taking read_lock_bh on
sk_callback_lock is too heavy and would not survive a SYN
flood attack. Using rcu_read_lock() is much more lightweight.

- Set SOCK_RCU_FREE on the SMC listen socket so that
  smc_sock freeing is deferred until after the RCU grace
  period. This guarantees the memory is still valid when
  accessed inside rcu_read_lock().
- Use rcu_read_lock() to protect reading sk_user_data.
- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
  smc_sock. If the refcount has already reached zero (close
  path completed), it returns false and we bail out safely.

Note: smc_hs_congested() has a similar lockless read of
sk_user_data without rcu_read_lock(), but it only checks for
NULL and accesses the global smc_hs_wq, never dereferencing
any smc_sock field, so it is not affected.

Reproducer was verified with mdelay injection and smc_run,
the issue no longer occurs with this patch applied.

[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
ebfee3e153f67c8b38eb94a7062ee94aa6f92708 , < f315277856caeafcd996c2611afc085ca2d53275
(git)
Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < 1e4f873879e075bbd4eb1c644d6933303ac5eba4 (git) Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < f00fc26c8a06442b225a350fe000c0a11483e6a3 (git) Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < cadf3da46c15523fba90d80c9955f536ee3b4023 (git) Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2 (git) Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < 1fab5ece76fb42a761178dcd0ebcbf578377b0dd (git) Affected: 8270d9c21041470f58348248b9d9dcf3bf79592e , < 6d5e4538364b9ceb1ac2941a4deb86650afb3538 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc.h",
"net/smc/smc_close.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f315277856caeafcd996c2611afc085ca2d53275",
"status": "affected",
"version": "ebfee3e153f67c8b38eb94a7062ee94aa6f92708",
"versionType": "git"
},
{
"lessThan": "1e4f873879e075bbd4eb1c644d6933303ac5eba4",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
},
{
"lessThan": "f00fc26c8a06442b225a350fe000c0a11483e6a3",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
},
{
"lessThan": "cadf3da46c15523fba90d80c9955f536ee3b4023",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
},
{
"lessThan": "fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
},
{
"lessThan": "1fab5ece76fb42a761178dcd0ebcbf578377b0dd",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
},
{
"lessThan": "6d5e4538364b9ceb1ac2941a4deb86650afb3538",
"status": "affected",
"version": "8270d9c21041470f58348248b9d9dcf3bf79592e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c",
"net/smc/smc.h",
"net/smc/smc_close.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()\n\nSyzkaller reported a panic in smc_tcp_syn_recv_sock() [1].\n\nsmc_tcp_syn_recv_sock() is called in the TCP receive path\n(softirq) via icsk_af_ops-\u003esyn_recv_sock on the clcsock (TCP\nlistening socket). It reads sk_user_data to get the smc_sock\npointer. However, when the SMC listen socket is being closed\nconcurrently, smc_close_active() sets clcsock-\u003esk_user_data\nto NULL under sk_callback_lock, and then the smc_sock itself\ncan be freed via sock_put() in smc_release().\n\nThis leads to two issues:\n\n1) NULL pointer dereference: sk_user_data is NULL when\n accessed.\n2) Use-after-free: sk_user_data is read as non-NULL, but the\n smc_sock is freed before its fields (e.g., queued_smc_hs,\n ori_af_ops) are accessed.\n\nThe race window looks like this (the syzkaller crash [1]\ntriggers via the SYN cookie path: tcp_get_cookie_sock() -\u003e\nsmc_tcp_syn_recv_sock(), but the normal tcp_check_req() path\nhas the same race):\n\n CPU A (softirq) CPU B (process ctx)\n\n tcp_v4_rcv()\n TCP_NEW_SYN_RECV:\n sk = req-\u003ersk_listener\n sock_hold(sk)\n /* No lock on listener */\n smc_close_active():\n write_lock_bh(cb_lock)\n sk_user_data = NULL\n write_unlock_bh(cb_lock)\n ...\n smc_clcsock_release()\n sock_put(smc-\u003esk) x2\n -\u003e smc_sock freed!\n tcp_check_req()\n smc_tcp_syn_recv_sock():\n smc = user_data(sk)\n -\u003e NULL or dangling\n smc-\u003equeued_smc_hs\n -\u003e crash!\n\nNote that the clcsock and smc_sock are two independent objects\nwith separate refcounts. TCP stack holds a reference on the\nclcsock, which keeps it alive, but this does NOT prevent the\nsmc_sock from being freed.\n\nFix this by using RCU and refcount_inc_not_zero() to safely\naccess smc_sock. 
Since smc_tcp_syn_recv_sock() is called in\nthe TCP three-way handshake path, taking read_lock_bh on\nsk_callback_lock is too heavy and would not survive a SYN\nflood attack. Using rcu_read_lock() is much more lightweight.\n\n- Set SOCK_RCU_FREE on the SMC listen socket so that\n smc_sock freeing is deferred until after the RCU grace\n period. This guarantees the memory is still valid when\n accessed inside rcu_read_lock().\n- Use rcu_read_lock() to protect reading sk_user_data.\n- Use refcount_inc_not_zero(\u0026smc-\u003esk.sk_refcnt) to pin the\n smc_sock. If the refcount has already reached zero (close\n path completed), it returns false and we bail out safely.\n\nNote: smc_hs_congested() has a similar lockless read of\nsk_user_data without rcu_read_lock(), but it only checks for\nNULL and accesses the global smc_hs_wq, never dereferencing\nany smc_sock field, so it is not affected.\n\nReproducer was verified with mdelay injection and smc_run,\nthe issue no longer occurs with this patch applied.\n\n[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:29.638Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f315277856caeafcd996c2611afc085ca2d53275"
},
{
"url": "https://git.kernel.org/stable/c/1e4f873879e075bbd4eb1c644d6933303ac5eba4"
},
{
"url": "https://git.kernel.org/stable/c/f00fc26c8a06442b225a350fe000c0a11483e6a3"
},
{
"url": "https://git.kernel.org/stable/c/cadf3da46c15523fba90d80c9955f536ee3b4023"
},
{
"url": "https://git.kernel.org/stable/c/fd7579f0a2c84ba8a7d4f206201b50dc8ddf90c2"
},
{
"url": "https://git.kernel.org/stable/c/1fab5ece76fb42a761178dcd0ebcbf578377b0dd"
},
{
"url": "https://git.kernel.org/stable/c/6d5e4538364b9ceb1ac2941a4deb86650afb3538"
}
],
"title": "net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23450",
"datePublished": "2026-04-03T15:15:33.144Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-27T14:02:29.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31565 (GCVE-0-2026-31565)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-24 14:35
Title
RDMA/irdma: Fix deadlock during netdev reset with active connections
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix deadlock during netdev reset with active connections

Resolve deadlock that occurs when user executes netdev reset while RDMA
applications (e.g., rping) are active. The netdev reset causes ice
driver to remove irdma auxiliary driver, triggering device_delete and
subsequent client removal. During client removal, uverbs_client waits
for QP reference count to reach zero while cma_client holds the final
reference, creating circular dependency and indefinite wait in iWARP
mode. Skip QP reference count wait during device reset to prevent
deadlock.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
0b3c392b82cdf867808a8ea7c6760d3c7e6b6627 , < 009831768faeca3fb5950ce63f1b49594ec82389
(git)
Affected: 07322c8a12d6c796450faacb8be9e5e3c278ec84 , < adf0de36e52a48681eb58cbd7cbf6c8d200caa2b (git) Affected: c8f304d75f6c6cc679a73f89591f9a915da38f09 , < acb060bc2609c2eab49263968be59c7d59d497bc (git) Affected: c8f304d75f6c6cc679a73f89591f9a915da38f09 , < a8a1c7621127a15a02494b96ee376406c064237b (git) Affected: c8f304d75f6c6cc679a73f89591f9a915da38f09 , < cd8bcec2de5e24e05c34c9391940fda6f50e79b4 (git) Affected: c8f304d75f6c6cc679a73f89591f9a915da38f09 , < 464bbb844ba5b68e038220c34019069a0a9f1581 (git) Affected: c8f304d75f6c6cc679a73f89591f9a915da38f09 , < 6f52370970ac07d352a7af4089e55e0e6425f827 (git) Affected: 6ee53f82540769a6d6e77e40b901f9b9edfa5ff2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "009831768faeca3fb5950ce63f1b49594ec82389",
"status": "affected",
"version": "0b3c392b82cdf867808a8ea7c6760d3c7e6b6627",
"versionType": "git"
},
{
"lessThan": "adf0de36e52a48681eb58cbd7cbf6c8d200caa2b",
"status": "affected",
"version": "07322c8a12d6c796450faacb8be9e5e3c278ec84",
"versionType": "git"
},
{
"lessThan": "acb060bc2609c2eab49263968be59c7d59d497bc",
"status": "affected",
"version": "c8f304d75f6c6cc679a73f89591f9a915da38f09",
"versionType": "git"
},
{
"lessThan": "a8a1c7621127a15a02494b96ee376406c064237b",
"status": "affected",
"version": "c8f304d75f6c6cc679a73f89591f9a915da38f09",
"versionType": "git"
},
{
"lessThan": "cd8bcec2de5e24e05c34c9391940fda6f50e79b4",
"status": "affected",
"version": "c8f304d75f6c6cc679a73f89591f9a915da38f09",
"versionType": "git"
},
{
"lessThan": "464bbb844ba5b68e038220c34019069a0a9f1581",
"status": "affected",
"version": "c8f304d75f6c6cc679a73f89591f9a915da38f09",
"versionType": "git"
},
{
"lessThan": "6f52370970ac07d352a7af4089e55e0e6425f827",
"status": "affected",
"version": "c8f304d75f6c6cc679a73f89591f9a915da38f09",
"versionType": "git"
},
{
"status": "affected",
"version": "6ee53f82540769a6d6e77e40b901f9b9edfa5ff2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix deadlock during netdev reset with active connections\n\nResolve deadlock that occurs when user executes netdev reset while RDMA\napplications (e.g., rping) are active. The netdev reset causes ice\ndriver to remove irdma auxiliary driver, triggering device_delete and\nsubsequent client removal. During client removal, uverbs_client waits\nfor QP reference count to reach zero while cma_client holds the final\nreference, creating circular dependency and indefinite wait in iWARP\nmode. Skip QP reference count wait during device reset to prevent\ndeadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:35:46.006Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/009831768faeca3fb5950ce63f1b49594ec82389"
},
{
"url": "https://git.kernel.org/stable/c/adf0de36e52a48681eb58cbd7cbf6c8d200caa2b"
},
{
"url": "https://git.kernel.org/stable/c/acb060bc2609c2eab49263968be59c7d59d497bc"
},
{
"url": "https://git.kernel.org/stable/c/a8a1c7621127a15a02494b96ee376406c064237b"
},
{
"url": "https://git.kernel.org/stable/c/cd8bcec2de5e24e05c34c9391940fda6f50e79b4"
},
{
"url": "https://git.kernel.org/stable/c/464bbb844ba5b68e038220c34019069a0a9f1581"
},
{
"url": "https://git.kernel.org/stable/c/6f52370970ac07d352a7af4089e55e0e6425f827"
}
],
"title": "RDMA/irdma: Fix deadlock during netdev reset with active connections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31565",
"datePublished": "2026-04-24T14:35:46.006Z",
"dateReserved": "2026-03-09T15:48:24.117Z",
"dateUpdated": "2026-04-24T14:35:46.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31665 (GCVE-0-2026-31665)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
netfilter: nft_ct: fix use-after-free in timeout object destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: fix use-after-free in timeout object destroy

nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
immediately after nf_ct_untimeout(), without waiting for an RCU grace
period. Concurrent packet processing on other CPUs may still hold
RCU-protected references to the timeout object obtained via
rcu_dereference() in nf_ct_timeout_data().

Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer
freeing until after an RCU grace period, matching the approach already
used in nfnetlink_cttimeout.c.

KASAN report:

    BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
    Read of size 4 at addr ffff8881035fe19c by task exploit/80

    Call Trace:
     nf_conntrack_tcp_packet+0x1381/0x29d0
     nf_conntrack_in+0x612/0x8b0
     nf_hook_slow+0x70/0x100
     __ip_local_out+0x1b2/0x210
     tcp_sendmsg_locked+0x722/0x1580
     __sys_sendto+0x2d8/0x320

    Allocated by task 75:
     nft_ct_timeout_obj_init+0xf6/0x290
     nft_obj_init+0x107/0x1b0
     nf_tables_newobj+0x680/0x9c0
     nfnetlink_rcv_batch+0xc29/0xe00

    Freed by task 26:
     nft_obj_destroy+0x3f/0xa0
     nf_tables_trans_destroy_work+0x51c/0x5c0
     process_one_work+0x2c4/0x5a0
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
7e0b2b57f01d183e1c84114f1f2287737358d748 , < c458fc1c278a65ad5381083121d39a479973ebed
(git)
Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < c581e5c8f2b59158f62efe61c1a3dc36189081ff (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < f16fe84879a5280f05ebbcea593a189ba0f3e79a (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < 070abdf1b04325b21a20a2a0c39a2208af107275 (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < b42aca3660dc2627a29a38131597ca610dc451f9 (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < d0983b48c10d1509fd795c155f8b1e832e1369ff (git) Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < f8dca15a1b190787bbd03285304b569631160eda (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_timeout.h",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c458fc1c278a65ad5381083121d39a479973ebed",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "c581e5c8f2b59158f62efe61c1a3dc36189081ff",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "f16fe84879a5280f05ebbcea593a189ba0f3e79a",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "070abdf1b04325b21a20a2a0c39a2208af107275",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "b42aca3660dc2627a29a38131597ca610dc451f9",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "d0983b48c10d1509fd795c155f8b1e832e1369ff",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "f8dca15a1b190787bbd03285304b569631160eda",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_timeout.h",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n nf_conntrack_tcp_packet+0x1381/0x29d0\n nf_conntrack_in+0x612/0x8b0\n nf_hook_slow+0x70/0x100\n __ip_local_out+0x1b2/0x210\n tcp_sendmsg_locked+0x722/0x1580\n __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n nft_ct_timeout_obj_init+0xf6/0x290\n nft_obj_init+0x107/0x1b0\n nf_tables_newobj+0x680/0x9c0\n nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n nft_obj_destroy+0x3f/0xa0\n nf_tables_trans_destroy_work+0x51c/0x5c0\n process_one_work+0x2c4/0x5a0"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:49.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed"
},
{
"url": "https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff"
},
{
"url": "https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a"
},
{
"url": "https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275"
},
{
"url": "https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77"
},
{
"url": "https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9"
},
{
"url": "https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff"
},
{
"url": "https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"
}
],
"title": "netfilter: nft_ct: fix use-after-free in timeout object destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31665",
"datePublished": "2026-04-24T14:45:14.613Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:49.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38659 (GCVE-0-2025-38659)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:01 – Updated: 2026-03-25 10:19
Title
gfs2: No more self recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: No more self recovery
When a node withdraws and it turns out that it is the only node that has
the filesystem mounted, gfs2 currently tries to replay the local journal
to bring the filesystem back into a consistent state. Not only is that
a very bad idea, it has also never worked because gfs2_recover_func()
will refuse to do anything during a withdraw.
However, before even getting to this point, gfs2_recover_func()
dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
and is a NULL pointer dereference since then.
Simply get rid of self recovery to fix that.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 6ebe17b359bead383581f729e43f591c1c36e159 (git) |
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 1a91ba12abef628b43cada87478328274d988e88 (git) |
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < f5426ffbec971a8f7346a57392d3a901bdee5a9b (git) |
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 6784367b2f3cd7b89103de35764f37f152590dbd (git) |
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < 97c94c7dbddc34d353c83b541b3decabf98d04af (git) |
| Linux | Linux | Affected: 601ef0d52e9617588fcff3df26953592f2eb44ac , < deb016c1669002e48c431d6fd32ea1c20ef41756 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ebe17b359bead383581f729e43f591c1c36e159",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "1a91ba12abef628b43cada87478328274d988e88",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "f5426ffbec971a8f7346a57392d3a901bdee5a9b",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "6784367b2f3cd7b89103de35764f37f152590dbd",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "97c94c7dbddc34d353c83b541b3decabf98d04af",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
},
{
"lessThan": "deb016c1669002e48c431d6fd32ea1c20ef41756",
"status": "affected",
"version": "601ef0d52e9617588fcff3df26953592f2eb44ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: No more self recovery\n\nWhen a node withdraws and it turns out that it is the only node that has\nthe filesystem mounted, gfs2 currently tries to replay the local journal\nto bring the filesystem back into a consistent state. Not only is that\na very bad idea, it has also never worked because gfs2_recover_func()\nwill refuse to do anything during a withdraw.\n\nHowever, before even getting to this point, gfs2_recover_func()\ndereferences sdp-\u003esd_jdesc-\u003ejd_inode. This was a use-after-free before\ncommit 04133b607a78 (\"gfs2: Prevent double iput for journal on error\")\nand is a NULL pointer dereference since then.\n\nSimply get rid of self recovery to fix that."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:34.122Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ebe17b359bead383581f729e43f591c1c36e159"
},
{
"url": "https://git.kernel.org/stable/c/1a91ba12abef628b43cada87478328274d988e88"
},
{
"url": "https://git.kernel.org/stable/c/f5426ffbec971a8f7346a57392d3a901bdee5a9b"
},
{
"url": "https://git.kernel.org/stable/c/6784367b2f3cd7b89103de35764f37f152590dbd"
},
{
"url": "https://git.kernel.org/stable/c/97c94c7dbddc34d353c83b541b3decabf98d04af"
},
{
"url": "https://git.kernel.org/stable/c/deb016c1669002e48c431d6fd32ea1c20ef41756"
}
],
"title": "gfs2: No more self recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38659",
"datePublished": "2025-08-22T16:01:02.448Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2026-03-25T10:19:34.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23157 (GCVE-0-2026-23157)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-03-25 10:20
Title
btrfs: do not strictly require dirty metadata threshold for metadata writepages
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not strictly require dirty metadata threshold for metadata writepages
[BUG]
There is an internal report that over 1000 processes are
waiting at the io_schedule_timeout() of balance_dirty_pages(), causing
a system hang and trigger a kernel coredump.
The kernel is v6.4 kernel based, but the root problem still applies to
any upstream kernel before v6.18.
[CAUSE]
From Jan Kara for his wisdom on the dirty page balance behavior first.
This cgroup dirty limit was what was actually playing the role here
because the cgroup had only a small amount of memory and so the dirty
limit for it was something like 16MB.
Dirty throttling is responsible for enforcing that nobody can dirty
(significantly) more dirty memory than there's dirty limit. Thus when
a task is dirtying pages it periodically enters into balance_dirty_pages()
and we let it sleep there to slow down the dirtying.
When the system is over dirty limit already (either globally or within
a cgroup of the running task), we will not let the task exit from
balance_dirty_pages() until the number of dirty pages drops below the
limit.
So in this particular case, as I already mentioned, there was a cgroup
with relatively small amount of memory and as a result with dirty limit
set at 16MB. A task from that cgroup has dirtied about 28MB worth of
pages in btrfs btree inode and these were practically the only dirty
pages in that cgroup.
So that means the only way to reduce the dirty pages of that cgroup is
to writeback the dirty pages of btrfs btree inode, and only after that
those processes can exit balance_dirty_pages().
Now back to the btrfs part, btree_writepages() is responsible for
writing back dirty btree inode pages.
The problem here is, there is a btrfs internal threshold that if the
btree inode's dirty bytes are below the 32M threshold, it will not
do any writeback.
This behavior is to batch as much metadata as possible so we won't write
back those tree blocks and then later re-COW them again for another
modification.
This internal 32MiB is higher than the existing dirty page size (28MiB),
meaning no writeback will happen, causing a deadlock between btrfs and
cgroup:
- Btrfs doesn't want to write back btree inode until more dirty pages
- Cgroup/MM doesn't want more dirty pages for btrfs btree inode
Thus any process touching that btree inode is put into sleep until
the number of dirty pages is reduced.
Thanks Jan Kara a lot for the analysis of the root cause.
[ENHANCEMENT]
Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on the
btree_inode"), btrfs btree inode pages will only be charged to the root
cgroup which should have a much larger limit than btrfs' 32MiB
threshold.
So it should not affect newer kernels.
But for all current LTS kernels, they are all affected by this problem,
and backporting the whole AS_KERNEL_FILE may not be a good idea.
Even for newer kernels I still think it's a good idea to get
rid of the internal threshold at btree_writepages(), since for most cases
cgroup/MM has a better view of full system memory usage than btrfs' fixed
threshold.
For internal callers using btrfs_btree_balance_dirty() since that
function is already doing internal threshold check, we don't need to
bother them.
But for external callers of btree_writepages(), just respect their
requests and write back whatever they want, ignoring the internal
btrfs threshold to avoid such deadlock on btree inode dirty page
balancing.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 793955bca66c99defdffc857ae6eb7e8431d6bbe , < bb9be3f713652e330df00f3724c18c7a5469e7ac (git) |
| Linux | Linux | Affected: 793955bca66c99defdffc857ae6eb7e8431d6bbe , < 4357e02cafabe01c2d737ceb4c4c6382fc2ee10a (git) |
| Linux | Linux | Affected: 793955bca66c99defdffc857ae6eb7e8431d6bbe , < 0c3666ec188640c20e254011e7adf4464c32ee58 (git) |
| Linux | Linux | Affected: 793955bca66c99defdffc857ae6eb7e8431d6bbe , < 629666d20c7dcd740e193ec0631fdff035b1f7d6 (git) |
| Linux | Linux | Affected: 793955bca66c99defdffc857ae6eb7e8431d6bbe , < 4e159150a9a56d66d247f4b5510bed46fe58aa1c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/extent_io.c",
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb9be3f713652e330df00f3724c18c7a5469e7ac",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
},
{
"lessThan": "4357e02cafabe01c2d737ceb4c4c6382fc2ee10a",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
},
{
"lessThan": "0c3666ec188640c20e254011e7adf4464c32ee58",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
},
{
"lessThan": "629666d20c7dcd740e193ec0631fdff035b1f7d6",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
},
{
"lessThan": "4e159150a9a56d66d247f4b5510bed46fe58aa1c",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/extent_io.c",
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not strictly require dirty metadata threshold for metadata writepages\n\n[BUG]\nThere is an internal report that over 1000 processes are\nwaiting at the io_schedule_timeout() of balance_dirty_pages(), causing\na system hang and trigger a kernel coredump.\n\nThe kernel is v6.4 kernel based, but the root problem still applies to\nany upstream kernel before v6.18.\n\n[CAUSE]\nFrom Jan Kara for his wisdom on the dirty page balance behavior first.\n\n This cgroup dirty limit was what was actually playing the role here\n because the cgroup had only a small amount of memory and so the dirty\n limit for it was something like 16MB.\n\n Dirty throttling is responsible for enforcing that nobody can dirty\n (significantly) more dirty memory than there\u0027s dirty limit. Thus when\n a task is dirtying pages it periodically enters into balance_dirty_pages()\n and we let it sleep there to slow down the dirtying.\n\n When the system is over dirty limit already (either globally or within\n a cgroup of the running task), we will not let the task exit from\n balance_dirty_pages() until the number of dirty pages drops below the\n limit.\n\n So in this particular case, as I already mentioned, there was a cgroup\n with relatively small amount of memory and as a result with dirty limit\n set at 16MB. 
A task from that cgroup has dirtied about 28MB worth of\n pages in btrfs btree inode and these were practically the only dirty\n pages in that cgroup.\n\nSo that means the only way to reduce the dirty pages of that cgroup is\nto writeback the dirty pages of btrfs btree inode, and only after that\nthose processes can exit balance_dirty_pages().\n\nNow back to the btrfs part, btree_writepages() is responsible for\nwriting back dirty btree inode pages.\n\nThe problem here is, there is a btrfs internal threshold that if the\nbtree inode\u0027s dirty bytes are below the 32M threshold, it will not\ndo any writeback.\n\nThis behavior is to batch as much metadata as possible so we won\u0027t write\nback those tree blocks and then later re-COW them again for another\nmodification.\n\nThis internal 32MiB is higher than the existing dirty page size (28MiB),\nmeaning no writeback will happen, causing a deadlock between btrfs and\ncgroup:\n\n- Btrfs doesn\u0027t want to write back btree inode until more dirty pages\n\n- Cgroup/MM doesn\u0027t want more dirty pages for btrfs btree inode\n Thus any process touching that btree inode is put into sleep until\n the number of dirty pages is reduced.\n\nThanks Jan Kara a lot for the analysis of the root cause.\n\n[ENHANCEMENT]\nSince kernel commit b55102826d7d (\"btrfs: set AS_KERNEL_FILE on the\nbtree_inode\"), btrfs btree inode pages will only be charged to the root\ncgroup which should have a much larger limit than btrfs\u0027 32MiB\nthreshold.\nSo it should not affect newer kernels.\n\nBut for all current LTS kernels, they are all affected by this problem,\nand backporting the whole AS_KERNEL_FILE may not be a good idea.\n\nEven for newer kernels I still think it\u0027s a good idea to get\nrid of the internal threshold at btree_writepages(), since for most cases\ncgroup/MM has a better view of full system memory usage than btrfs\u0027 fixed\nthreshold.\n\nFor internal callers using btrfs_btree_balance_dirty() since that\nfunction 
is already doing internal threshold check, we don\u0027t need to\nbother them.\n\nBut for external callers of btree_writepages(), just respect their\nrequests and write back whatever they want, ignoring the internal\nbtrfs threshold to avoid such deadlock on btree inode dirty page\nbalancing."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:27.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb9be3f713652e330df00f3724c18c7a5469e7ac"
},
{
"url": "https://git.kernel.org/stable/c/4357e02cafabe01c2d737ceb4c4c6382fc2ee10a"
},
{
"url": "https://git.kernel.org/stable/c/0c3666ec188640c20e254011e7adf4464c32ee58"
},
{
"url": "https://git.kernel.org/stable/c/629666d20c7dcd740e193ec0631fdff035b1f7d6"
},
{
"url": "https://git.kernel.org/stable/c/4e159150a9a56d66d247f4b5510bed46fe58aa1c"
}
],
"title": "btrfs: do not strictly require dirty metadata threshold for metadata writepages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23157",
"datePublished": "2026-02-14T16:01:23.874Z",
"dateReserved": "2026-01-13T15:37:45.978Z",
"dateUpdated": "2026-03-25T10:20:27.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31518 (GCVE-0-2026-31518)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
esp: fix skb leak with espintcp and async crypto
Summary
In the Linux kernel, the following vulnerability has been resolved:
esp: fix skb leak with espintcp and async crypto
When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < aca3ad0c262f54a5b5c95dda80a48365997d1224 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 41aafca57de4a4c026701622bd4648f112a9edcd (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 4820847e036ff1035b01b69ad68dfc17e7028fe9 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 6a3ec6efbc4f90e0ccb2e71574f07351f19996f4 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < df6f995358dc1f3c42484f5cfe241d7bd3e1cd15 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 88d386243ed374ac969dabd3bbc1409a31d81818 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 6aa9841d917532d0f2d932d1ff2f3a94305aaf47 (git) |
| Linux | Linux | Affected: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 , < 0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aca3ad0c262f54a5b5c95dda80a48365997d1224",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "41aafca57de4a4c026701622bd4648f112a9edcd",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "4820847e036ff1035b01b69ad68dfc17e7028fe9",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "6a3ec6efbc4f90e0ccb2e71574f07351f19996f4",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "df6f995358dc1f3c42484f5cfe241d7bd3e1cd15",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "88d386243ed374ac969dabd3bbc1409a31d81818",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "6aa9841d917532d0f2d932d1ff2f3a94305aaf47",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
},
{
"lessThan": "0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2",
"status": "affected",
"version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv6/esp6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:34.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"
},
{
"url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"
},
{
"url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"
},
{
"url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"
},
{
"url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"
},
{
"url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"
},
{
"url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"
},
{
"url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"
}
],
"title": "esp: fix skb leak with espintcp and async crypto",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31518",
"datePublished": "2026-04-22T13:54:34.191Z",
"dateReserved": "2026-03-09T15:48:24.108Z",
"dateUpdated": "2026-04-22T13:54:34.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71266 (GCVE-0-2025-71266)
Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02
Title
fs: ntfs3: check return value of indx_find to avoid infinite loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: check return value of indx_find to avoid infinite loop
We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.
A malformed dentry in the ntfs3 filesystem can cause the kernel to hang
during the lookup operations. By setting the HAS_SUB_NODE flag in an
INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the
VCN pointer, an attacker can cause the indx_find() function to repeatedly
read the same block, allocating 4 KB of memory each time. The kernel lacks
VCN loop detection and depth limits, causing memory exhaustion and an OOM
crash.
This patch adds a return value check for fnd_push() to prevent a memory
exhaustion vulnerability caused by infinite loops. When the index exceeds the
size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()
function checks this return value and stops processing, preventing further
memory allocation.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 14c3188afbedfd5178bbabb8002487ea14b37b56 (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 435d34719db0e130f6f0c621d67ed524cc1a7d10 (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 68e32694be231c1cdb99b7637a657314e88e1a96 (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 398e768d1accd1f5645492ab996005d7aa84a5b0 (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < b0ea441f44ce64fa514a415d4a9e6e2b06e7946c (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 0ad7a1be44479503dbe5c699759861ef5b8bd70c (git) |
| Linux | Linux | Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 1732053c8a6b360e2d5afb1b34fe9779398b072c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/index.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14c3188afbedfd5178bbabb8002487ea14b37b56",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "435d34719db0e130f6f0c621d67ed524cc1a7d10",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "68e32694be231c1cdb99b7637a657314e88e1a96",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "398e768d1accd1f5645492ab996005d7aa84a5b0",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "b0ea441f44ce64fa514a415d4a9e6e2b06e7946c",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "0ad7a1be44479503dbe5c699759861ef5b8bd70c",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
},
{
"lessThan": "1732053c8a6b360e2d5afb1b34fe9779398b072c",
"status": "affected",
"version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/index.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory\u0027s INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd-\u003enodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:32.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14c3188afbedfd5178bbabb8002487ea14b37b56"
},
{
"url": "https://git.kernel.org/stable/c/435d34719db0e130f6f0c621d67ed524cc1a7d10"
},
{
"url": "https://git.kernel.org/stable/c/68e32694be231c1cdb99b7637a657314e88e1a96"
},
{
"url": "https://git.kernel.org/stable/c/398e768d1accd1f5645492ab996005d7aa84a5b0"
},
{
"url": "https://git.kernel.org/stable/c/b0ea441f44ce64fa514a415d4a9e6e2b06e7946c"
},
{
"url": "https://git.kernel.org/stable/c/0ad7a1be44479503dbe5c699759861ef5b8bd70c"
},
{
"url": "https://git.kernel.org/stable/c/1732053c8a6b360e2d5afb1b34fe9779398b072c"
}
],
"title": "fs: ntfs3: check return value of indx_find to avoid infinite loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71266",
"datePublished": "2026-03-18T10:05:02.997Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-04-13T06:02:32.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31453 (GCVE-0-2026-31453)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
xfs: avoid dereferencing log items after push callbacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: avoid dereferencing log items after push callbacks
After xfsaild_push_item() calls iop_push(), the log item may have been
freed if the AIL lock was dropped during the push. Background inode
reclaim or the dquot shrinker can free the log item while the AIL lock
is not held, and the tracepoints in the switch statement dereference
the log item after iop_push() returns.
Fix this by capturing the log item type, flags, and LSN before calling
xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
event class that takes these pre-captured values and the ailp pointer
instead of the log item pointer.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < c8a2ab339b88d10fc34a3318c92f07d8a467019d (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 7121b22b0bac89394cc4c6a54b5aebc15347bdf5 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < c4d603e8e58a3bf35480135ccca2b4f7238abda5 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 95fb5d643cc70959baa54cd17f52f80ffc3295e7 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 451c6329d9afa45862c36fe6677eb7750db60617 (git) |
| Linux | Linux | Affected: 90c60e16401248a4900f3f9387f563d0178dcf34 , < 79ef34ec0554ec04bdbafafbc9836423734e1bd6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_trace.h",
"fs/xfs/xfs_trans_ail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8a2ab339b88d10fc34a3318c92f07d8a467019d",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "7121b22b0bac89394cc4c6a54b5aebc15347bdf5",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "c4d603e8e58a3bf35480135ccca2b4f7238abda5",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "95fb5d643cc70959baa54cd17f52f80ffc3295e7",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "451c6329d9afa45862c36fe6677eb7750db60617",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
},
{
"lessThan": "79ef34ec0554ec04bdbafafbc9836423734e1bd6",
"status": "affected",
"version": "90c60e16401248a4900f3f9387f563d0178dcf34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_trace.h",
"fs/xfs/xfs_trans_ail.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: avoid dereferencing log items after push callbacks\n\nAfter xfsaild_push_item() calls iop_push(), the log item may have been\nfreed if the AIL lock was dropped during the push. Background inode\nreclaim or the dquot shrinker can free the log item while the AIL lock\nis not held, and the tracepoints in the switch statement dereference\nthe log item after iop_push() returns.\n\nFix this by capturing the log item type, flags, and LSN before calling\nxfsaild_push_item(), and introducing a new xfs_ail_push_class trace\nevent class that takes these pre-captured values and the ailp pointer\ninstead of the log item pointer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:17.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8a2ab339b88d10fc34a3318c92f07d8a467019d"
},
{
"url": "https://git.kernel.org/stable/c/7121b22b0bac89394cc4c6a54b5aebc15347bdf5"
},
{
"url": "https://git.kernel.org/stable/c/c4d603e8e58a3bf35480135ccca2b4f7238abda5"
},
{
"url": "https://git.kernel.org/stable/c/95fb5d643cc70959baa54cd17f52f80ffc3295e7"
},
{
"url": "https://git.kernel.org/stable/c/451c6329d9afa45862c36fe6677eb7750db60617"
},
{
"url": "https://git.kernel.org/stable/c/79ef34ec0554ec04bdbafafbc9836423734e1bd6"
}
],
"title": "xfs: avoid dereferencing log items after push callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31453",
"datePublished": "2026-04-22T13:53:47.577Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:17.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31678 (GCVE-0-2026-31678)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:04
Title
openvswitch: defer tunnel netdev_put to RCU release
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: defer tunnel netdev_put to RCU release
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still observe vport->dev.
Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let
vport_netdev_free() drop the reference from the RCU callback, matching
the non-tunnel destroy path and avoiding additional synchronization
under RTNL.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc (git) |
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 42f0d3d81209654c08ffdde5a34b9b92d2645896 (git) |
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < bbe7bd722bfaea36aab3da6cc60fb4a05c644643 (git) |
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 98b726ab5e2a4811e27c28e4d041f75bba147eab (git) |
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < b8c56a3fc5d879c0928f207a756b0f067f06c6a8 (git) |
| Linux | Linux | Affected: a9020fde67a6eb77f8130feff633189f99264db1 , < 6931d21f87bc6d657f145798fad0bf077b82486c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d56aced21fb9c104e8a3f3be9b21fbafe448ffc",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "42f0d3d81209654c08ffdde5a34b9b92d2645896",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "bbe7bd722bfaea36aab3da6cc60fb4a05c644643",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "98b726ab5e2a4811e27c28e4d041f75bba147eab",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "b8c56a3fc5d879c0928f207a756b0f067f06c6a8",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
},
{
"lessThan": "6931d21f87bc6d657f145798fad0bf077b82486c",
"status": "affected",
"version": "a9020fde67a6eb77f8130feff633189f99264db1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport-\u003edev.\n\nDo not release vport-\u003edev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:58.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc"
},
{
"url": "https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896"
},
{
"url": "https://git.kernel.org/stable/c/bbe7bd722bfaea36aab3da6cc60fb4a05c644643"
},
{
"url": "https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab"
},
{
"url": "https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8"
},
{
"url": "https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c"
}
],
"title": "openvswitch: defer tunnel netdev_put to RCU release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31678",
"datePublished": "2026-04-25T08:46:54.476Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:58.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23391 (GCVE-0-2026-23391)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-18 08:58
Title
netfilter: xt_CT: drop pending enqueued packets on template removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_CT: drop pending enqueued packets on template removal
Templates refer to objects that can go away while packets are sitting in
nfqueue refer to:
- helper, this can be an issue on module removal.
- timeout policy, nfnetlink_cttimeout might remove it.
The use of templates with zone and event cache filter are safe, since
this just copies values.
Flush these enqueued packets in case the template rule gets removed.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 55445134d42b84cb0a272e42c98d233ca65eca83 (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < cc57506dd66555899560b9c0f24e813f034e12ec (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < d2d0bae0c9a2a17b6990a2966f5cdce0813d6256 (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 63b8097cea1923fe82cd598068d0796da8c015ec (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 19a230dec6bb8928e3f96387f9085cf2c79bcef9 (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < cb549925875fa06dd155e49db4ac2c5044c30f9c (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 777d02efe3d630cca4c1b63962cec17c57711325 (git) |
| Linux | Linux | Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < f62a218a946b19bb59abdd5361da85fa4606b96b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55445134d42b84cb0a272e42c98d233ca65eca83",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "cc57506dd66555899560b9c0f24e813f034e12ec",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "d2d0bae0c9a2a17b6990a2966f5cdce0813d6256",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "63b8097cea1923fe82cd598068d0796da8c015ec",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "19a230dec6bb8928e3f96387f9085cf2c79bcef9",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "cb549925875fa06dd155e49db4ac2c5044c30f9c",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "777d02efe3d630cca4c1b63962cec17c57711325",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "f62a218a946b19bb59abdd5361da85fa4606b96b",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:26.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55445134d42b84cb0a272e42c98d233ca65eca83"
},
{
"url": "https://git.kernel.org/stable/c/cc57506dd66555899560b9c0f24e813f034e12ec"
},
{
"url": "https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256"
},
{
"url": "https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec"
},
{
"url": "https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9"
},
{
"url": "https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c"
},
{
"url": "https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325"
},
{
"url": "https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b"
}
],
"title": "netfilter: xt_CT: drop pending enqueued packets on template removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23391",
"datePublished": "2026-03-25T10:33:15.677Z",
"dateReserved": "2026-01-13T15:37:46.009Z",
"dateUpdated": "2026-04-18T08:58:26.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21676 (GCVE-0-2025-21676)
Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2026-03-25 10:19
Title
net: fec: handle page_pool_dev_alloc_pages error
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: handle page_pool_dev_alloc_pages error
The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did
not handle the case when it returned NULL. There was a WARN_ON(!new_page)
but it would still proceed to use the NULL pointer and then crash.
This case does seem somewhat rare but when the system is under memory
pressure it can happen. One case where I can duplicate this with some
frequency is when writing over a smbd share to a SATA HDD attached to an
imx6q.
Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve
the problem for my test case. But it still seems wrong that the fec driver
ignores the memory allocation error and can crash.
This commit handles the allocation error by dropping the current packet.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 95698ff6177b5f1f13f251da60e7348413046ae4 , < eacdcc14f3c8d4c1447565521e792ddb3a67e08d (git) |
| Linux | Linux | Affected: 95698ff6177b5f1f13f251da60e7348413046ae4 , < 8a0097db0544b658c159ac787319737712063a23 (git) |
| Linux | Linux | Affected: 95698ff6177b5f1f13f251da60e7348413046ae4 , < 1425cb829556398f594658512d49292f988a2ab0 (git) |
| Linux | Linux | Affected: 95698ff6177b5f1f13f251da60e7348413046ae4 , < 001ba0902046cb6c352494df610718c0763e77a5 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:51:57.870830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:11.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eacdcc14f3c8d4c1447565521e792ddb3a67e08d",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
},
{
"lessThan": "8a0097db0544b658c159ac787319737712063a23",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
},
{
"lessThan": "1425cb829556398f594658512d49292f988a2ab0",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
},
{
"lessThan": "001ba0902046cb6c352494df610718c0763e77a5",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.74",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: handle page_pool_dev_alloc_pages error\n\nThe fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did\nnot handle the case when it returned NULL. There was a WARN_ON(!new_page)\nbut it would still proceed to use the NULL pointer and then crash.\n\nThis case does seem somewhat rare but when the system is under memory\npressure it can happen. One case where I can duplicate this with some\nfrequency is when writing over a smbd share to a SATA HDD attached to an\nimx6q.\n\nSetting /proc/sys/vm/min_free_kbytes to higher values also seems to solve\nthe problem for my test case. But it still seems wrong that the fec driver\nignores the memory allocation error and can crash.\n\nThis commit handles the allocation error by dropping the current packet."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:18.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eacdcc14f3c8d4c1447565521e792ddb3a67e08d"
},
{
"url": "https://git.kernel.org/stable/c/8a0097db0544b658c159ac787319737712063a23"
},
{
"url": "https://git.kernel.org/stable/c/1425cb829556398f594658512d49292f988a2ab0"
},
{
"url": "https://git.kernel.org/stable/c/001ba0902046cb6c352494df610718c0763e77a5"
}
],
"title": "net: fec: handle page_pool_dev_alloc_pages error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21676",
"datePublished": "2025-01-31T11:25:38.126Z",
"dateReserved": "2024-12-29T08:45:45.737Z",
"dateUpdated": "2026-03-25T10:19:18.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23372 (GCVE-0-2026-23372)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
nfc: rawsock: cancel tx_work before socket teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: rawsock: cancel tx_work before socket teardown
In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.
Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < 9b2d23cd09e1cb56bdf0e4d5614703094159f16c (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < cdeed45ce8c92defd057f7d67ee9a69374d8fa16 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < 3ae592ed91bb4b6b51df256b51045c13d2656049 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < 722a28b635ec281bb08a23885223526d8e7d6526 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < 78141b8832e16d80d09cbefb4258612db0777a24 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < edc988613def90c5b558e025b1b423f48007be06 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < da4515fc8263c5933ed605e396af91079806dc45 (git) |
| Linux | Linux | Affected: 23b7869c0fd08d73c9f83a2db88a13312d6198bb , < d793458c45df2aed498d7f74145eab7ee22d25aa (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/rawsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b2d23cd09e1cb56bdf0e4d5614703094159f16c",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "cdeed45ce8c92defd057f7d67ee9a69374d8fa16",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "3ae592ed91bb4b6b51df256b51045c13d2656049",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "722a28b635ec281bb08a23885223526d8e7d6526",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "78141b8832e16d80d09cbefb4258612db0777a24",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "edc988613def90c5b558e025b1b423f48007be06",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "da4515fc8263c5933ed605e396af91079806dc45",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
},
{
"lessThan": "d793458c45df2aed498d7f74145eab7ee22d25aa",
"status": "affected",
"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/rawsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: rawsock: cancel tx_work before socket teardown\n\nIn rawsock_release(), cancel any pending tx_work and purge the write\nqueue before orphaning the socket. rawsock_tx_work runs on the system\nworkqueue and calls nfc_data_exchange which dereferences the NCI\ndevice. Without synchronization, tx_work can race with socket and\ndevice teardown when a process is killed (e.g. by SIGKILL), leading\nto use-after-free or leaked references.\n\nSet SEND_SHUTDOWN first so that if tx_work is already running it will\nsee the flag and skip transmitting, then use cancel_work_sync to wait\nfor any in-progress execution to finish, and finally purge any\nremaining queued skbs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:18.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c"
},
{
"url": "https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16"
},
{
"url": "https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049"
},
{
"url": "https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526"
},
{
"url": "https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24"
},
{
"url": "https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06"
},
{
"url": "https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45"
},
{
"url": "https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa"
}
],
"title": "nfc: rawsock: cancel tx_work before socket teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23372",
"datePublished": "2026-03-25T10:27:53.308Z",
"dateReserved": "2026-01-13T15:37:46.003Z",
"dateUpdated": "2026-04-18T08:58:18.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23100 (GCVE-0-2026-23100)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-04-18 08:57
Title
mm/hugetlb: fix hugetlb_pmd_shared()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix hugetlb_pmd_shared()
Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using
mmu_gather)", v3.
One functional fix, one performance regression fix, and two related
comment fixes.
I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.
The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.
Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().
The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated
There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.
Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.
This patch (of 4):
We switched from (wrongly) using the page count to an independent shared
count. Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.
We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.
Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive. In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.
Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133 , < 8ae48255bcb17b32436be97553dca848730d365f (git) |
| Linux | Linux | Affected: 8410996eb6fea116fe1483ed977aacf580eee7b4 , < bf3c2affe245cf831866ddc8f736ae6a22cdc11c (git) |
| Linux | Linux | Affected: 02333ac1c35370517a19a4a131332a9690c6a5c7 , < 5b2aec77f92265a9028c5f632bdd9af5b57ec3a3 (git) |
| Linux | Linux | Affected: 56b274473d6e7e7375f2d0a2b4aca11d67c6b52f , < 51dcf459845fd28f5a0d83d408a379b274ec5cc5 (git) |
| Linux | Linux | Affected: 2e31443a0d18ae43b9d29e02bf0563f07772193d , < 3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e (git) |
| Linux | Linux | Affected: 59d9094df3d79443937add8700b2ef1a866b1081 , < 69c4e241ff13545d410a8b2a688c932182a858bf (git) |
| Linux | Linux | Affected: 59d9094df3d79443937add8700b2ef1a866b1081 , < ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ae48255bcb17b32436be97553dca848730d365f",
"status": "affected",
"version": "94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133",
"versionType": "git"
},
{
"lessThan": "bf3c2affe245cf831866ddc8f736ae6a22cdc11c",
"status": "affected",
"version": "8410996eb6fea116fe1483ed977aacf580eee7b4",
"versionType": "git"
},
{
"lessThan": "5b2aec77f92265a9028c5f632bdd9af5b57ec3a3",
"status": "affected",
"version": "02333ac1c35370517a19a4a131332a9690c6a5c7",
"versionType": "git"
},
{
"lessThan": "51dcf459845fd28f5a0d83d408a379b274ec5cc5",
"status": "affected",
"version": "56b274473d6e7e7375f2d0a2b4aca11d67c6b52f",
"versionType": "git"
},
{
"lessThan": "3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e",
"status": "affected",
"version": "2e31443a0d18ae43b9d29e02bf0563f07772193d",
"versionType": "git"
},
{
"lessThan": "69c4e241ff13545d410a8b2a688c932182a858bf",
"status": "affected",
"version": "59d9094df3d79443937add8700b2ef1a866b1081",
"versionType": "git"
},
{
"lessThan": "ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216",
"status": "affected",
"version": "59d9094df3d79443937add8700b2ef1a866b1081",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.239",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "6.6.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "6.12.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl. using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that\u0027s all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount. Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc-\u003ept_share_count to identify\nsharing.\n\nWe didn\u0027t convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive. 
In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:17.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ae48255bcb17b32436be97553dca848730d365f"
},
{
"url": "https://git.kernel.org/stable/c/bf3c2affe245cf831866ddc8f736ae6a22cdc11c"
},
{
"url": "https://git.kernel.org/stable/c/5b2aec77f92265a9028c5f632bdd9af5b57ec3a3"
},
{
"url": "https://git.kernel.org/stable/c/51dcf459845fd28f5a0d83d408a379b274ec5cc5"
},
{
"url": "https://git.kernel.org/stable/c/3a18b452dd5f7f1652c2e92f8ae769aa17a66c9e"
},
{
"url": "https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf"
},
{
"url": "https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216"
}
],
"title": "mm/hugetlb: fix hugetlb_pmd_shared()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23100",
"datePublished": "2026-02-04T16:08:22.592Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-04-18T08:57:17.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31480 (GCVE-0-2026-31480)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
tracing: Fix potential deadlock in cpu hotplug with osnoise
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix potential deadlock in cpu hotplug with osnoise
The following sequence may lead to a deadlock in cpu hotplug:
| task1 | task2 | task3 |
|---|---|---|
| mutex_lock(&interface_lock) | | |
| | [CPU GOING OFFLINE] | |
| | cpus_write_lock(); | |
| | osnoise_cpu_die(); | |
| | kthread_stop(task3); | |
| | wait_for_completion(); | |
| | | osnoise_sleep(); |
| | | mutex_lock(&interface_lock); |
| cpus_read_lock(); | | |

[DEAD LOCK]
Fix by swapping the order of cpus_read_lock() and mutex_lock(&interface_lock).
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < cf929c21eeed5bd39873fb14bfdfff963fa6f1da (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7aa095ce7d224308cb6979956f0de8607df93d4f (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < ef41a85a55022e27cdaebf22a6676910b66f65aa (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 03474a01c199de17a8e2d39b51df6beb9c76e831 (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7 (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f (git) |
| Linux | Linux | Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 1f9885732248d22f788e4992c739a98c88ab8a55 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf929c21eeed5bd39873fb14bfdfff963fa6f1da",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7aa095ce7d224308cb6979956f0de8607df93d4f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "ef41a85a55022e27cdaebf22a6676910b66f65aa",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "03474a01c199de17a8e2d39b51df6beb9c76e831",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "1f9885732248d22f788e4992c739a98c88ab8a55",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential deadlock in cpu hotplug with osnoise\n\nThe following sequence may leads deadlock in cpu hotplug:\n\n task1 task2 task3\n ----- ----- -----\n\n mutex_lock(\u0026interface_lock)\n\n [CPU GOING OFFLINE]\n\n cpus_write_lock();\n osnoise_cpu_die();\n kthread_stop(task3);\n wait_for_completion();\n\n osnoise_sleep();\n mutex_lock(\u0026interface_lock);\n\n cpus_read_lock();\n\n [DEAD LOCK]\n\nFix by swap the order of cpus_read_lock() and mutex_lock(\u0026interface_lock)."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:07.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf929c21eeed5bd39873fb14bfdfff963fa6f1da"
},
{
"url": "https://git.kernel.org/stable/c/7aa095ce7d224308cb6979956f0de8607df93d4f"
},
{
"url": "https://git.kernel.org/stable/c/ef41a85a55022e27cdaebf22a6676910b66f65aa"
},
{
"url": "https://git.kernel.org/stable/c/03474a01c199de17a8e2d39b51df6beb9c76e831"
},
{
"url": "https://git.kernel.org/stable/c/f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7"
},
{
"url": "https://git.kernel.org/stable/c/7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f"
},
{
"url": "https://git.kernel.org/stable/c/1f9885732248d22f788e4992c739a98c88ab8a55"
}
],
"title": "tracing: Fix potential deadlock in cpu hotplug with osnoise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31480",
"datePublished": "2026-04-22T13:54:07.566Z",
"dateReserved": "2026-03-09T15:48:24.100Z",
"dateUpdated": "2026-04-22T13:54:07.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31550 (GCVE-0-2026-31550)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
The bcm2835_asb_control() function uses a tight polling loop to wait
for the ASB bridge to acknowledge a request. During intensive workloads,
this handshake intermittently fails for V3D's master ASB on BCM2711,
resulting in "Failed to disable ASB master for v3d" errors during
runtime PM suspend. As a consequence, the failed power-off leaves V3D in
a broken state, leading to bus faults or system hangs on later accesses.
As the timeout is insufficient in some scenarios, increase the polling
timeout from 1us to 5us, which is still negligible in the context of a
power domain transition. Also, replace the open-coded ktime_get_ns()/
cpu_relax() polling loop with readl_poll_timeout_atomic().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < 0e84e74849d2d7e9b23a09c2d5e0d9357db1ca59 (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < c5e734f6a0740dce92e7c919e632cb43fa5d4e53 (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < 622ab02e955c35c125ff2b65d8327b2c52db8758 (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < 9443202d91388026dbf7312972a74fbfd27ee82f (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < ea4fa54b83bb2e4a21e9026824bfe271b1a6ee1e (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < 18605b1b936b66b1f34dcf8e9ad4f1fbcf7a7c13 (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < 572f17180f26619809b8e0593d926762aa8660ff (git) |
| Linux | Linux | Affected: 670c672608a1ffcbc7ac0f872734843593bb8b15 , < b826d2c0b0ecb844c84431ba6b502e744f5d919a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/bcm/bcm2835-power.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e84e74849d2d7e9b23a09c2d5e0d9357db1ca59",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "c5e734f6a0740dce92e7c919e632cb43fa5d4e53",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "622ab02e955c35c125ff2b65d8327b2c52db8758",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "9443202d91388026dbf7312972a74fbfd27ee82f",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "ea4fa54b83bb2e4a21e9026824bfe271b1a6ee1e",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "18605b1b936b66b1f34dcf8e9ad4f1fbcf7a7c13",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "572f17180f26619809b8e0593d926762aa8660ff",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
},
{
"lessThan": "b826d2c0b0ecb844c84431ba6b502e744f5d919a",
"status": "affected",
"version": "670c672608a1ffcbc7ac0f872734843593bb8b15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/bcm/bcm2835-power.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: bcm: bcm2835-power: Increase ASB control timeout\n\nThe bcm2835_asb_control() function uses a tight polling loop to wait\nfor the ASB bridge to acknowledge a request. During intensive workloads,\nthis handshake intermittently fails for V3D\u0027s master ASB on BCM2711,\nresulting in \"Failed to disable ASB master for v3d\" errors during\nruntime PM suspend. As a consequence, the failed power-off leaves V3D in\na broken state, leading to bus faults or system hangs on later accesses.\n\nAs the timeout is insufficient in some scenarios, increase the polling\ntimeout from 1us to 5us, which is still negligible in the context of a\npower domain transition. Also, replace the open-coded ktime_get_ns()/\ncpu_relax() polling loop with readl_poll_timeout_atomic()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:17.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e84e74849d2d7e9b23a09c2d5e0d9357db1ca59"
},
{
"url": "https://git.kernel.org/stable/c/c5e734f6a0740dce92e7c919e632cb43fa5d4e53"
},
{
"url": "https://git.kernel.org/stable/c/622ab02e955c35c125ff2b65d8327b2c52db8758"
},
{
"url": "https://git.kernel.org/stable/c/9443202d91388026dbf7312972a74fbfd27ee82f"
},
{
"url": "https://git.kernel.org/stable/c/ea4fa54b83bb2e4a21e9026824bfe271b1a6ee1e"
},
{
"url": "https://git.kernel.org/stable/c/18605b1b936b66b1f34dcf8e9ad4f1fbcf7a7c13"
},
{
"url": "https://git.kernel.org/stable/c/572f17180f26619809b8e0593d926762aa8660ff"
},
{
"url": "https://git.kernel.org/stable/c/b826d2c0b0ecb844c84431ba6b502e744f5d919a"
}
],
"title": "pmdomain: bcm: bcm2835-power: Increase ASB control timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31550",
"datePublished": "2026-04-24T14:33:17.508Z",
"dateReserved": "2026-03-09T15:48:24.115Z",
"dateUpdated": "2026-04-24T14:33:17.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43043 (GCVE-0-2026-43043)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
crypto: af-alg - fix NULL pointer dereference in scatterwalk
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af-alg - fix NULL pointer dereference in scatterwalk
The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.
This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.
Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f48d3dd99199180cf37d6253550c55e86372309a",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "f9acceae7b004956851fd4268edf9f518a9bce04",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "7195350fb78538c25cd790d703f8f2c73ee0d395",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "7cdf2c6381b21ab5ccf8116750d5582fcd6c0f49",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "44eafa39363e8d5dfda6a8c6eb6b45458ed4b948",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "00cbdec17c15d024a1c5002c7365df7624a18a75",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "4b03ab0a587ec57eb7ddb5c115d84a42896f60f7",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "62397b493e14107ae82d8b80938f293d95425bcb",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af-alg - fix NULL pointer dereference in scatterwalk\n\nThe AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)\nwhen chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL\nexactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent\nsendmsg() allocates a new SGL and chains it, but fails to clear the end\nmarker on the previous SGL\u0027s last data entry.\n\nThis causes the crypto scatterwalk to hit a premature end, returning NULL\non sg_next() and leading to a kernel panic during dereference.\n\nFix this by explicitly unmarking the end of the previous SGL when\nperforming sg_chain() in af_alg_alloc_tsgl()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:39.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f48d3dd99199180cf37d6253550c55e86372309a"
},
{
"url": "https://git.kernel.org/stable/c/f9acceae7b004956851fd4268edf9f518a9bce04"
},
{
"url": "https://git.kernel.org/stable/c/7195350fb78538c25cd790d703f8f2c73ee0d395"
},
{
"url": "https://git.kernel.org/stable/c/7cdf2c6381b21ab5ccf8116750d5582fcd6c0f49"
},
{
"url": "https://git.kernel.org/stable/c/44eafa39363e8d5dfda6a8c6eb6b45458ed4b948"
},
{
"url": "https://git.kernel.org/stable/c/00cbdec17c15d024a1c5002c7365df7624a18a75"
},
{
"url": "https://git.kernel.org/stable/c/4b03ab0a587ec57eb7ddb5c115d84a42896f60f7"
},
{
"url": "https://git.kernel.org/stable/c/62397b493e14107ae82d8b80938f293d95425bcb"
}
],
"title": "crypto: af-alg - fix NULL pointer dereference in scatterwalk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43043",
"datePublished": "2026-05-01T14:15:39.576Z",
"dateReserved": "2026-05-01T14:12:55.979Z",
"dateUpdated": "2026-05-01T14:15:39.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31428 (GCVE-0-2026-31428)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.
Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f3e5d72455936f42709116fabeca3bb216cda62",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "21d8efda029948d3666b0db5afcc0d36c0984aae",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "fc961dd7272b5e4a462999635e44a4770d7f2482",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a8365d1064ded323797c5e28e91070c52f44b76c",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a2f6ff3444b663d6cfa63eadd61327a18592885a",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "c9f6c51d36482805ac3ffadb9663fe775a13e926",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "7eff72968161fb8ddb26113344de3b92fb7d7ef5",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:45.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f3e5d72455936f42709116fabeca3bb216cda62"
},
{
"url": "https://git.kernel.org/stable/c/21d8efda029948d3666b0db5afcc0d36c0984aae"
},
{
"url": "https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482"
},
{
"url": "https://git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c"
},
{
"url": "https://git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a"
},
{
"url": "https://git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926"
},
{
"url": "https://git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5"
},
{
"url": "https://git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7"
}
],
"title": "netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31428",
"datePublished": "2026-04-13T13:40:30.987Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-04-18T08:59:45.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23379 (GCVE-0-2026-23379)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
net/sched: ets: fix divide by zero in the offload path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: fix divide by zero in the offload path
Offloading ETS requires computing each class' WRR weight: this is done by
averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
int, the same integer size as the individual DRR quanta, can overflow and
even cause division by zero, like it happened in the following splat:
Oops: divide error: 0000 [#1] SMP PTI
CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Call Trace:
<TASK>
ets_qdisc_change+0x870/0xf40 [sch_ets]
qdisc_create+0x12b/0x540
tc_modify_qdisc+0x6d7/0xbd0
rtnetlink_rcv_msg+0x168/0x6b0
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x1d6/0x2b0
netlink_sendmsg+0x22e/0x470
____sys_sendmsg+0x38a/0x3c0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x111/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f440b81c77e
Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
</TASK>
Modules linked in: sch_ets(E) netdevsim(E)
---[ end trace 0000000000000000 ]---
RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62015c05878eb9ca448dca7f5a74423d10d40789",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "a11ec75a029b3a22b5596f98ce91a3be76a86213",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "3912871344d6a0f1f572a7af2716968182d1e536",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "7dbffffd5761687e168fb2f4aaa7a2c47e067efc",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "78b8d2f55a564236435649fbd8bd6a103f30acf5",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "a6677e23b313cd9fd03690c589c6452cb6fffb97",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "abe1d5cb7fe135c0862c58db32bc29e04cf1c906",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
},
{
"lessThan": "e35626f610f3d2b7953ccddf6a77453da22b3a9e",
"status": "affected",
"version": "d35eb52bd2ac7557b62bda52668f2e64dde2cf90",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: fix divide by zero in the offload path\n\nOffloading ETS requires computing each class\u0027 WRR weight: this is done by\naveraging over the sums of quanta as \u0027q_sum\u0027 and \u0027q_psum\u0027. Using unsigned\nint, the same integer size as the individual DRR quanta, can overflow and\neven cause division by zero, like it happened in the following splat:\n\n Oops: divide error: 0000 [#1] SMP PTI\n CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 \u003c41\u003e f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n ets_qdisc_change+0x870/0xf40 [sch_ets]\n qdisc_create+0x12b/0x540\n tc_modify_qdisc+0x6d7/0xbd0\n rtnetlink_rcv_msg+0x168/0x6b0\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x1d6/0x2b0\n netlink_sendmsg+0x22e/0x470\n ____sys_sendmsg+0x38a/0x3c0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x111/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f440b81c77e\n Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 
08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e\n RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003\n RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8\n R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980\n \u003c/TASK\u003e\n Modules linked in: sch_ets(E) netdevsim(E)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 \u003c41\u003e f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n\nFix this using 64-bit integers for \u0027q_sum\u0027 and \u0027q_psum\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:21.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62015c05878eb9ca448dca7f5a74423d10d40789"
},
{
"url": "https://git.kernel.org/stable/c/a11ec75a029b3a22b5596f98ce91a3be76a86213"
},
{
"url": "https://git.kernel.org/stable/c/3912871344d6a0f1f572a7af2716968182d1e536"
},
{
"url": "https://git.kernel.org/stable/c/7dbffffd5761687e168fb2f4aaa7a2c47e067efc"
},
{
"url": "https://git.kernel.org/stable/c/78b8d2f55a564236435649fbd8bd6a103f30acf5"
},
{
"url": "https://git.kernel.org/stable/c/a6677e23b313cd9fd03690c589c6452cb6fffb97"
},
{
"url": "https://git.kernel.org/stable/c/abe1d5cb7fe135c0862c58db32bc29e04cf1c906"
},
{
"url": "https://git.kernel.org/stable/c/e35626f610f3d2b7953ccddf6a77453da22b3a9e"
}
],
"title": "net/sched: ets: fix divide by zero in the offload path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23379",
"datePublished": "2026-03-25T10:27:58.659Z",
"dateReserved": "2026-01-13T15:37:46.006Z",
"dateUpdated": "2026-04-18T08:58:21.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23457 (GCVE-0-2026-23457)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.
For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.
Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.
Severity
8.6 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < ed81b6a7012485acdb9c6c80735a0b7d8e5e1873 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < b75209debb9adab287b3caa982f77788c1e15027 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < 528b4509c9dfc272e2e92d811915e5211650d383 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < 75fcaee5170e7dbbee778927134ef2e9568b4659 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < 865dba58958c3a86786f89a501971ab0e3ec6ba9 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < d4f17256544cc37f6534a14a27a9dec3540c2015 (git) |
| Linux | Linux | Affected: f5b321bd37fbec9188feb1f721ab46a5ac0b35da , < fbce58e719a17aa215c724473fd5baaa4a8dc57c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed81b6a7012485acdb9c6c80735a0b7d8e5e1873",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "b75209debb9adab287b3caa982f77788c1e15027",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "528b4509c9dfc272e2e92d811915e5211650d383",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "75fcaee5170e7dbbee778927134ef2e9568b4659",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "865dba58958c3a86786f89a501971ab0e3ec6ba9",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "d4f17256544cc37f6534a14a27a9dec3540c2015",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
},
{
"lessThan": "fbce58e719a17aa215c724473fd5baaa4a8dc57c",
"status": "affected",
"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:35.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873"
},
{
"url": "https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f"
},
{
"url": "https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027"
},
{
"url": "https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383"
},
{
"url": "https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659"
},
{
"url": "https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9"
},
{
"url": "https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015"
},
{
"url": "https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c"
}
],
"title": "netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23457",
"datePublished": "2026-04-03T15:15:38.193Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-27T14:02:35.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23227 (GCVE-0-2026-23227)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-04-18 08:57
Title
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
Exynos Virtual Display driver performs memory alloc/free operations
without lock protection, which easily causes concurrency problem.
For example, use-after-free can occur in race scenario like this:
```
        CPU0                            CPU1                            CPU2
        ----                            ----                            ----
 vidi_connection_ioctl()
 if (vidi->connection) // true
 drm_edid = drm_edid_alloc(); // alloc drm_edid
 ...
 ctx->raw_edid = drm_edid;
 ...
                                                                drm_mode_getconnector()
                                                                 drm_helper_probe_single_connector_modes()
                                                                 vidi_get_modes()
                                                                 if (ctx->raw_edid) // true
                                                                 drm_edid_dup(ctx->raw_edid);
                                                                 if (!drm_edid) // false
                                                                 ...
                                vidi_connection_ioctl()
                                 if (vidi->connection) // false
                                 drm_edid_free(ctx->raw_edid); // free drm_edid
                                 ...
                                                                 drm_edid_alloc(drm_edid->edid)
                                                                 kmemdup(edid); // UAF!!
                                                                 ...
```
To prevent these vulns, at least in vidi_context, member variables related
to memory alloc/free should be protected with ctx->lock.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 56966a4cfa925ec24edb68ab652a740a7abe2c4d (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 9e1ef9396a1899925911b1729cb65665420268df (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 92dd1f38d7db75374dcdaf54f1d79d67bffd54e5 (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13 (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < abfdf449fb3d7b42e85a1ad1c8694b768b1582f4 (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 60b75407c172e1f341a8a5097c5cbc97dbbdd893 (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385 (git) |
| Linux | Linux | Affected: d3b62dbfc7b9bb013926f56db79b60f6c18c392f , < 52b330799e2d6f825ae2bb74662ec1b10eb954bb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/exynos/exynos_drm_vidi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56966a4cfa925ec24edb68ab652a740a7abe2c4d",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "9e1ef9396a1899925911b1729cb65665420268df",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "92dd1f38d7db75374dcdaf54f1d79d67bffd54e5",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "abfdf449fb3d7b42e85a1ad1c8694b768b1582f4",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "60b75407c172e1f341a8a5097c5cbc97dbbdd893",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
},
{
"lessThan": "52b330799e2d6f825ae2bb74662ec1b10eb954bb",
"status": "affected",
"version": "d3b62dbfc7b9bb013926f56db79b60f6c18c392f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/exynos/exynos_drm_vidi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.11",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx-\u003elock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n vidi_connection_ioctl()\n if (vidi-\u003econnection) // true\n drm_edid = drm_edid_alloc(); // alloc drm_edid\n ...\n ctx-\u003eraw_edid = drm_edid;\n ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t vidi_get_modes()\n\t\t\t\t\t\t\t\t if (ctx-\u003eraw_edid) // true\n\t\t\t\t\t\t\t\t drm_edid_dup(ctx-\u003eraw_edid);\n\t\t\t\t\t\t\t\t if (!drm_edid) // false\n\t\t\t\t\t\t\t\t ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t if (vidi-\u003econnection) // false\n\t\t\t\t drm_edid_free(ctx-\u003eraw_edid); // free drm_edid\n\t\t\t\t ...\n\t\t\t\t\t\t\t\t drm_edid_alloc(drm_edid-\u003eedid)\n\t\t\t\t\t\t\t\t kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx-\u003elock."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:24.022Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56966a4cfa925ec24edb68ab652a740a7abe2c4d"
},
{
"url": "https://git.kernel.org/stable/c/9e1ef9396a1899925911b1729cb65665420268df"
},
{
"url": "https://git.kernel.org/stable/c/92dd1f38d7db75374dcdaf54f1d79d67bffd54e5"
},
{
"url": "https://git.kernel.org/stable/c/1b24d3e8792bcc050c70e8e0dea6b49c4fc63b13"
},
{
"url": "https://git.kernel.org/stable/c/abfdf449fb3d7b42e85a1ad1c8694b768b1582f4"
},
{
"url": "https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893"
},
{
"url": "https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385"
},
{
"url": "https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb"
}
],
"title": "drm/exynos: vidi: use ctx-\u003elock to protect struct vidi_context member variables related to memory alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23227",
"datePublished": "2026-02-18T14:53:30.784Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-04-18T08:57:24.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31495 (GCVE-0-2026-31495)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
netfilter: ctnetlink: use netlink policy range checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: use netlink policy range checks
Replace manual range and mask validations with netlink policy
annotations in ctnetlink code paths, so that the netlink core rejects
invalid values early and can generate extack errors.
- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at
  policy level, removing the manual >= TCP_CONNTRACK_MAX check.
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE
  (14). The normal TCP option parsing path already clamps to this value,
  but the ctnetlink path accepted 0-255, causing undefined behavior when
  used as a u32 shift count.
- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with
  CTA_FILTER_F_ALL, removing the manual mask checks.
- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding
  a new mask define grouping all valid expect flags.
Extracted from a broader nf-next patch by Florian Westphal, scoped to
ctnetlink for the fixes tree.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 435b576cd2faa75154777868f8cbb73bf71644d3 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 2ef71307c86a9f866d6e28f1a0c06e2e9d794474 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 4f7d25f3f0786402ba48ff7d13b6241d77d975f5 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < fcec5ce2d73a41668b24e3f18c803541602a59f6 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 675c913b940488a84effdeeac5a1cfb657b59804 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < c6cb41eaae875501eaaa487b8db6539feb092292 (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 45c33e79ae705b7af97e3117672b6cd258dd0b1b (git) |
| Linux | Linux | Affected: c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 , < 8f15b5071b4548b0aafc03b366eb45c9c6566704 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/uapi/linux/netfilter/nf_conntrack_common.h",
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "435b576cd2faa75154777868f8cbb73bf71644d3",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "2ef71307c86a9f866d6e28f1a0c06e2e9d794474",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "4f7d25f3f0786402ba48ff7d13b6241d77d975f5",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "fcec5ce2d73a41668b24e3f18c803541602a59f6",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "675c913b940488a84effdeeac5a1cfb657b59804",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "c6cb41eaae875501eaaa487b8db6539feb092292",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "45c33e79ae705b7af97e3117672b6cd258dd0b1b",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
},
{
"lessThan": "8f15b5071b4548b0aafc03b366eb45c9c6566704",
"status": "affected",
"version": "c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/uapi/linux/netfilter/nf_conntrack_common.h",
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use netlink policy range checks\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values \u003e TCP_CONNTRACK_SYN_SENT2 at\n policy level, removing the manual \u003e= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values \u003e TCP_MAX_WSCALE\n (14). The normal TCP option parsing path already clamps to this value,\n but the ctnetlink path accepted 0-255, causing undefined behavior when\n used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:17.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/435b576cd2faa75154777868f8cbb73bf71644d3"
},
{
"url": "https://git.kernel.org/stable/c/2ef71307c86a9f866d6e28f1a0c06e2e9d794474"
},
{
"url": "https://git.kernel.org/stable/c/4f7d25f3f0786402ba48ff7d13b6241d77d975f5"
},
{
"url": "https://git.kernel.org/stable/c/fcec5ce2d73a41668b24e3f18c803541602a59f6"
},
{
"url": "https://git.kernel.org/stable/c/675c913b940488a84effdeeac5a1cfb657b59804"
},
{
"url": "https://git.kernel.org/stable/c/c6cb41eaae875501eaaa487b8db6539feb092292"
},
{
"url": "https://git.kernel.org/stable/c/45c33e79ae705b7af97e3117672b6cd258dd0b1b"
},
{
"url": "https://git.kernel.org/stable/c/8f15b5071b4548b0aafc03b366eb45c9c6566704"
}
],
"title": "netfilter: ctnetlink: use netlink policy range checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31495",
"datePublished": "2026-04-22T13:54:17.591Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-04-22T13:54:17.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31551 (GCVE-0-2026-31551)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
The problem is that aql_enable_write() does not serialise concurrent
write()s to the debugfs.
aql_enable_write() checks static_key_false(&aql_disable.key) and
later calls static_branch_inc() or static_branch_dec(), but the
state may change between the two calls.
aql_disable does not need to track inc/dec.
Let's use static_branch_enable() and static_branch_disable().
[0]:
```
val == 0
WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
Modules linked in:
CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)
Tainted: [U]=USER, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
Call Trace:
<TASK>
__static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
__static_key_slow_dec kernel/jump_label.c:321 [inline]
static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
vfs_write+0x2aa/0x1070 fs/read_write.c:684
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f530cf9aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
</TASK>
```
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "787152497ac763deab16f6f4b7ce79aaeb3eb7e8",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "8bb90ff77326c34e75b573b1febdd9586fec5aba",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "256f7d4c11235d0569f78413c41dc89d2dc1557c",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "29a1a350afcd28a2150bd73b8bd83eac3480f13e",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "5ba05436f15d16ae7ab04b880e8bf8d440be892b",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "b24763d32d5b4ada766deca4b42d6766272fef0c",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
},
{
"lessThan": "b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828",
"status": "affected",
"version": "e908435e402aff23c9b0b3c59c7cd12b08b681b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix static_branch_dec() underflow for aql_disable.\n\nsyzbot reported static_branch_dec() underflow in aql_enable_write(). [0]\n\nThe problem is that aql_enable_write() does not serialise concurrent\nwrite()s to the debugfs.\n\naql_enable_write() checks static_key_false(\u0026aql_disable.key) and\nlater calls static_branch_inc() or static_branch_dec(), but the\nstate may change between the two calls.\n\naql_disable does not need to track inc/dec.\n\nLet\u0027s use static_branch_enable() and static_branch_disable().\n\n[0]:\nval == 0\nWARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288\nModules linked in:\nCPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)\nTainted: [U]=USER, [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026\nRIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311\nCode: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 \u003c0f\u003e 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00\nRSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4\nRDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000\nRBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a\nR13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98\nFS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]\n 
__static_key_slow_dec kernel/jump_label.c:321 [inline]\n static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336\n aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343\n short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383\n vfs_write+0x2aa/0x1070 fs/read_write.c:684\n ksys_pwrite64 fs/read_write.c:793 [inline]\n __do_sys_pwrite64 fs/read_write.c:801 [inline]\n __se_sys_pwrite64 fs/read_write.c:798 [inline]\n __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f530cf9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012\nRAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9\nRDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010\nRBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:18.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/787152497ac763deab16f6f4b7ce79aaeb3eb7e8"
},
{
"url": "https://git.kernel.org/stable/c/8bb90ff77326c34e75b573b1febdd9586fec5aba"
},
{
"url": "https://git.kernel.org/stable/c/256f7d4c11235d0569f78413c41dc89d2dc1557c"
},
{
"url": "https://git.kernel.org/stable/c/29a1a350afcd28a2150bd73b8bd83eac3480f13e"
},
{
"url": "https://git.kernel.org/stable/c/5ba05436f15d16ae7ab04b880e8bf8d440be892b"
},
{
"url": "https://git.kernel.org/stable/c/b24763d32d5b4ada766deca4b42d6766272fef0c"
},
{
"url": "https://git.kernel.org/stable/c/b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828"
}
],
"title": "wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31551",
"datePublished": "2026-04-24T14:33:18.230Z",
"dateReserved": "2026-03-09T15:48:24.115Z",
"dateUpdated": "2026-04-24T14:33:18.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23359 (GCVE-0-2026-23359)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
bpf: Fix stack-out-of-bounds write in devmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stack-out-of-bounds write in devmap
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/devmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88df604f0d16a692867582350ce3f2fcd22243f1",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "5000e40acc8d0c36ab709662e32120986ac22e7e",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "8a95fb9df1105b1618872c2846a6c01e3ba20b45",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "d2c31d8e03d05edc16656e5ffe187f0d1da763d7",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "ca831567908fd3f73cf97d8a6c09a5054697a182",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
},
{
"lessThan": "b7bf516c3ecd9a2aae2dc2635178ab87b734fef1",
"status": "affected",
"version": "aeea1b86f9363f3feabb496534d886f082a89f21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/devmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:10.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88df604f0d16a692867582350ce3f2fcd22243f1"
},
{
"url": "https://git.kernel.org/stable/c/5000e40acc8d0c36ab709662e32120986ac22e7e"
},
{
"url": "https://git.kernel.org/stable/c/8a95fb9df1105b1618872c2846a6c01e3ba20b45"
},
{
"url": "https://git.kernel.org/stable/c/d2c31d8e03d05edc16656e5ffe187f0d1da763d7"
},
{
"url": "https://git.kernel.org/stable/c/75d474702b2ba8b6bcb26eb3004dbc5e95ffd5d2"
},
{
"url": "https://git.kernel.org/stable/c/ca831567908fd3f73cf97d8a6c09a5054697a182"
},
{
"url": "https://git.kernel.org/stable/c/b7bf516c3ecd9a2aae2dc2635178ab87b734fef1"
}
],
"title": "bpf: Fix stack-out-of-bounds write in devmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23359",
"datePublished": "2026-03-25T10:27:43.070Z",
"dateReserved": "2026-01-13T15:37:46.000Z",
"dateUpdated": "2026-04-18T08:58:10.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31396 (GCVE-0-2026-31396)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-27 14:02
Title
net: macb: fix use-after-free access to PTP clock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix use-after-free access to PTP clock
PTP clock is registered on every opening of the interface and destroyed on
every closing. However it may be accessed via get_ts_info ethtool call
which is possible while the interface is just present in the kernel.
BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
Read of size 4 at addr ffff8880194345cc by task syz.0.6/948
CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x17f/0x496 mm/kasan/report.c:420
kasan_report+0xd9/0x180 mm/kasan/report.c:524
ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349
macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371
__ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558
ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]
__dev_ethtool net/ethtool/ioctl.c:3017 [inline]
dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095
dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
sock_ioctl+0x577/0x6d0 net/socket.c:1320
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>
Allocated by task 457:
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:699 [inline]
ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235
gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375
macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920
__dev_open+0x2ce/0x500 net/core/dev.c:1501
__dev_change_flags+0x56a/0x740 net/core/dev.c:8651
dev_change_flags+0x92/0x170 net/core/dev.c:8722
do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833
__rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608
rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655
rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150
netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x14b/0x180 net/socket.c:730
__sys_sendto+0x320/0x3b0 net/socket.c:2152
__do_sys_sendto net/socket.c:2164 [inline]
__se_sys_sendto net/socket.c:2160 [inline]
__x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 938:
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook mm/slub.c:1755 [inline]
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xbc/0x320 mm/slub.c:3700
device_release+0xa0/0x240 drivers/base/core.c:2507
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1cd/0x350 lib/kobject.c:729
put_device+0x1b/0x30 drivers/base/core.c:3805
ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391
gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404
macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966
__dev_close_many+0x1b9/0x310 net/core/dev.c:1585
__dev_close net/core/dev.c:1597 [inline]
__dev_change_flags+0x2bb/0x740 net/core/dev.c:8649
dev_change_fl
---truncated---
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8820ffe0975fd2efbe50453e9179c8e1c33a13d3",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "6b757f345eeea87ed5d8afd6de35b927a1a57a2f",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "341d01087f821aa0f165fb1ffc8bfe4e50776da7",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "5653af416a48f6c18f9626ae9df96f814f45ff34",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "0bb848d8c64938024e45780f8032f1f67d3a3607",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "1f4714065b2bcbb0a4013fd355b84b848e6cc345",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "eb652535e9ec795ef5c1078f7578eaaed755268b",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
},
{
"lessThan": "8da13e6d63c1a97f7302d342c89c4a56a55c7015",
"status": "affected",
"version": "c2594d804d5c8033861d44840673d852d98508c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix use-after-free access to PTP clock\n\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing. However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\n\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\n\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x17f/0x496 mm/kasan/report.c:420\n kasan_report+0xd9/0x180 mm/kasan/report.c:524\n ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\n gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\n macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\n ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n __dev_ethtool net/ethtool/ioctl.c:3017 [inline]\n dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n \u003c/TASK\u003e\n\nAllocated by task 457:\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:699 [inline]\n ptp_clock_register+0x144/0x10e0 
drivers/ptp/ptp_clock.c:235\n gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\n macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n __dev_open+0x2ce/0x500 net/core/dev.c:1501\n __dev_change_flags+0x56a/0x740 net/core/dev.c:8651\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\n rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\n rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\n netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x14b/0x180 net/socket.c:730\n __sys_sendto+0x320/0x3b0 net/socket.c:2152\n __do_sys_sendto net/socket.c:2164 [inline]\n __se_sys_sendto net/socket.c:2160 [inline]\n __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 938:\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1729 [inline]\n slab_free_freelist_hook mm/slub.c:1755 [inline]\n slab_free mm/slub.c:3687 [inline]\n __kmem_cache_free+0xbc/0x320 mm/slub.c:3700\n device_release+0xa0/0x240 drivers/base/core.c:2507\n kobject_cleanup lib/kobject.c:681 [inline]\n kobject_release lib/kobject.c:712 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1cd/0x350 lib/kobject.c:729\n put_device+0x1b/0x30 drivers/base/core.c:3805\n ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\n gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\n macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n __dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n 
__dev_close net/core/dev.c:1597 [inline]\n __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\n dev_change_fl\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:45.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8820ffe0975fd2efbe50453e9179c8e1c33a13d3"
},
{
"url": "https://git.kernel.org/stable/c/6b757f345eeea87ed5d8afd6de35b927a1a57a2f"
},
{
"url": "https://git.kernel.org/stable/c/341d01087f821aa0f165fb1ffc8bfe4e50776da7"
},
{
"url": "https://git.kernel.org/stable/c/5653af416a48f6c18f9626ae9df96f814f45ff34"
},
{
"url": "https://git.kernel.org/stable/c/0bb848d8c64938024e45780f8032f1f67d3a3607"
},
{
"url": "https://git.kernel.org/stable/c/1f4714065b2bcbb0a4013fd355b84b848e6cc345"
},
{
"url": "https://git.kernel.org/stable/c/eb652535e9ec795ef5c1078f7578eaaed755268b"
},
{
"url": "https://git.kernel.org/stable/c/8da13e6d63c1a97f7302d342c89c4a56a55c7015"
}
],
"title": "net: macb: fix use-after-free access to PTP clock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31396",
"datePublished": "2026-04-03T15:16:00.579Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-04-27T14:02:45.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23462 (GCVE-0-2026-23462)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
Bluetooth: HIDP: Fix possible UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: HIDP: Fix possible UAF
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/
---truncated---
Severity
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < d955ccbf91ab74d76fe9e4eab2846a7d8a173075 (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 18b1263ece6431bd78fa6b61faaef5281203741c (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 21a47a119f33df9bb157326846390d7e8e1b45ba (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 45ebe5b900200ac3e01f3470506a44a447825721 (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 7c805b7d1e580eececcc92470292e3dbc42bc3f5 (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < f8b6ed2f06d3baa44f347a0fa2af52433f386463 (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 4d37fa7582aa960ba23e10a7a2596a29f37ad281 (git) |
| Linux | Linux | Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < dbf666e4fc9bdd975a61bf682b3f75cb0145eedd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d955ccbf91ab74d76fe9e4eab2846a7d8a173075",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "18b1263ece6431bd78fa6b61faaef5281203741c",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "21a47a119f33df9bb157326846390d7e8e1b45ba",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "45ebe5b900200ac3e01f3470506a44a447825721",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "7c805b7d1e580eececcc92470292e3dbc42bc3f5",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "f8b6ed2f06d3baa44f347a0fa2af52433f386463",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "4d37fa7582aa960ba23e10a7a2596a29f37ad281",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "dbf666e4fc9bdd975a61bf682b3f75cb0145eedd",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user-\u003eremove callback is called:\n\n[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 97.809947] Call Trace:\n[ 97.809954] \u003cTASK\u003e\n[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)\n[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810290] ? 
rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[ 97.810404] __fput (fs/file_table.c:470)\n[ 97.810430] task_work_run (kernel/task_work.c:235)\n[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)\n[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[ 97.810527] do_exit (kernel/exit.c:972)\n[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)\n[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 97.810721] do_group_exit (kernel/exit.c:1093)\n[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))\n[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810826] ? vfs_read (fs/read_write.c:555)\n[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)\n[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810905] ? 
__pfx_vfs_read (fs/read_write.c:555)\n[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810960] arch_do_signal_or_restart (arch/\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:39.935Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075"
},
{
"url": "https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c"
},
{
"url": "https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba"
},
{
"url": "https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721"
},
{
"url": "https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5"
},
{
"url": "https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463"
},
{
"url": "https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281"
},
{
"url": "https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd"
}
],
"title": "Bluetooth: HIDP: Fix possible UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23462",
"datePublished": "2026-04-03T15:15:41.718Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-04-27T14:02:39.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31523 (GCVE-0-2026-31523)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
nvme-pci: ensure we're polling a polled queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: ensure we're polling a polled queue
A user can change the polled queue count at run time. There's a brief
window during a reset where a hipri task may try to poll that queue
before the block layer has updated the queue maps, which would race with
the now interrupt driven queue and may cause double completions.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < 965e2c943f065122f14282a88d70a8a92e12a4da (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < ba167d5982e2eb6ff9356d409eca592ce99555da (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < 0685dd9cb855ab77fcf3577b4702ba1d6df1c98d (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < 6f12734c4b619f923a4df0b1a46b8098b187d324 (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < acbc72dd1a09df53cafcf577259f4678be6afd6d (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3 (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < b222680ba55e018426c4535067a008f1d81a5d21 (git) |
| Linux | Linux | Affected: 4b04cc6a8f86c4842314def22332de1f15de8523 , < 166e31d7dbf6aa44829b98aa446bda5c9580f12a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "965e2c943f065122f14282a88d70a8a92e12a4da",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "ba167d5982e2eb6ff9356d409eca592ce99555da",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "0685dd9cb855ab77fcf3577b4702ba1d6df1c98d",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "6f12734c4b619f923a4df0b1a46b8098b187d324",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "acbc72dd1a09df53cafcf577259f4678be6afd6d",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "b222680ba55e018426c4535067a008f1d81a5d21",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
},
{
"lessThan": "166e31d7dbf6aa44829b98aa446bda5c9580f12a",
"status": "affected",
"version": "4b04cc6a8f86c4842314def22332de1f15de8523",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: ensure we\u0027re polling a polled queue\n\nA user can change the polled queue count at run time. There\u0027s a brief\nwindow during a reset where a hipri task may try to poll that queue\nbefore the block layer has updated the queue maps, which would race with\nthe now interrupt driven queue and may cause double completions."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:41.171Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/965e2c943f065122f14282a88d70a8a92e12a4da"
},
{
"url": "https://git.kernel.org/stable/c/ba167d5982e2eb6ff9356d409eca592ce99555da"
},
{
"url": "https://git.kernel.org/stable/c/0685dd9cb855ab77fcf3577b4702ba1d6df1c98d"
},
{
"url": "https://git.kernel.org/stable/c/6f12734c4b619f923a4df0b1a46b8098b187d324"
},
{
"url": "https://git.kernel.org/stable/c/acbc72dd1a09df53cafcf577259f4678be6afd6d"
},
{
"url": "https://git.kernel.org/stable/c/b96c7b25eb1b748f3e3b1832ebf028b0b223d7e3"
},
{
"url": "https://git.kernel.org/stable/c/b222680ba55e018426c4535067a008f1d81a5d21"
},
{
"url": "https://git.kernel.org/stable/c/166e31d7dbf6aa44829b98aa446bda5c9580f12a"
}
],
"title": "nvme-pci: ensure we\u0027re polling a polled queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31523",
"datePublished": "2026-04-22T13:54:37.568Z",
"dateReserved": "2026-03-09T15:48:24.110Z",
"dateUpdated": "2026-04-23T15:18:41.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31555 (GCVE-0-2026-31555)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-24 14:35
Title
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Fuzzing/stressing futexes triggered:
WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.
After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().
  CPU0                          CPU1                    CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
                                futex_lock_pi(uaddr)
                                  futex_lock_pi_atomic()
                                    attach_to_pi_owner()
                                      // observes EXITING
                                      *exiting = owner;  // takes ref
                                      return -EBUSY
                                  wait_for_owner_exiting(-EBUSY, owner)
                                    put_task_struct();   // drops ref
                                // exiting still points to owner
                                goto retry;
                                  futex_lock_pi_atomic()
                                    lock_pi_update_atomic()
                                      cmpxchg(uaddr)
                                          *uaddr ^= WAITERS // whatever
                                      // value changed
                                      return -EAGAIN;
                                  wait_for_owner_exiting(-EAGAIN, exiting) // stale
                                    WARN_ON_ONCE(exiting)
Fix this by resetting upon retry, essentially aligning it with requeue_pi.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < e7824ec168d2ac883a213cd1f4d6cc0816002a85 (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 5e8e06bf8909e79b4acd950cf578cfc2f10bbefa (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < de7c0c04ad868f2cee6671b11c0a6d20421af1da (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 7475dfad10a05a5bfadebf5f2499bd61b19ed293 (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 92e47ad03e03dbb5515bdf06444bf6b1e147310d (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 71112e62807d1925dc3ae6188b11f8cfc85aec23 (git) |
| Linux | Linux | Affected: 3ef240eaff36b8119ac9e2ea17cbf41179c930ba , < 210d36d892de5195e6766c45519dfb1e65f3eb83 (git) |
| Linux | Linux | Affected: f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463 (git) |
| Linux | Linux | Affected: cf16e42709aa86aa3e37f3acc3d13d5715d90096 (git) |
| Linux | Linux | Affected: 61fa9f167caaa73d0a7c88f498eceeb12c6fa3db (git) |
| Linux | Linux | Affected: 7874eee0130adf9bee28e8720bb5dd051089def3 (git) |
| Linux | Linux | Affected: fc3b55ef2c840bb2746b2d8121a0788de84f7fac (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/pi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "e7824ec168d2ac883a213cd1f4d6cc0816002a85",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "5e8e06bf8909e79b4acd950cf578cfc2f10bbefa",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "de7c0c04ad868f2cee6671b11c0a6d20421af1da",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "7475dfad10a05a5bfadebf5f2499bd61b19ed293",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "92e47ad03e03dbb5515bdf06444bf6b1e147310d",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "71112e62807d1925dc3ae6188b11f8cfc85aec23",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"lessThan": "210d36d892de5195e6766c45519dfb1e65f3eb83",
"status": "affected",
"version": "3ef240eaff36b8119ac9e2ea17cbf41179c930ba",
"versionType": "git"
},
{
"status": "affected",
"version": "f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463",
"versionType": "git"
},
{
"status": "affected",
"version": "cf16e42709aa86aa3e37f3acc3d13d5715d90096",
"versionType": "git"
},
{
"status": "affected",
"version": "61fa9f167caaa73d0a7c88f498eceeb12c6fa3db",
"versionType": "git"
},
{
"status": "affected",
"version": "7874eee0130adf9bee28e8720bb5dd051089def3",
"versionType": "git"
},
{
"status": "affected",
"version": "fc3b55ef2c840bb2746b2d8121a0788de84f7fac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/pi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in \u0027exiting\u0027.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n CPU0\t\t\t CPU1\t\t CPU2\n futex_lock_pi(uaddr)\n // acquires the PI futex\n exit()\n futex_cleanup_begin()\n futex_state = EXITING;\n\t\t\t futex_lock_pi(uaddr)\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t // observes EXITING\n\t\t\t\t *exiting = owner; // takes ref\n\t\t\t\t return -EBUSY\n\t\t\t wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct(); // drops ref\n\t\t\t // exiting still points to owner\n\t\t\t goto retry;\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:35:39.211Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa"
},
{
"url": "https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85"
},
{
"url": "https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa"
},
{
"url": "https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da"
},
{
"url": "https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293"
},
{
"url": "https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d"
},
{
"url": "https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23"
},
{
"url": "https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83"
}
],
"title": "futex: Clear stale exiting pointer in futex_lock_pi() retry path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31555",
"datePublished": "2026-04-24T14:35:39.211Z",
"dateReserved": "2026-03-09T15:48:24.115Z",
"dateUpdated": "2026-04-24T14:35:39.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23286 (GCVE-0-2026-23286)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
syzkaller reported a null-ptr-deref in lec_arp_clear_vccs().
This issue can be easily reproduced using the syzkaller reproducer.
In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by
multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).
When the underlying VCC is closed, lec_vcc_close() iterates over all
ARP entries and calls lec_arp_clear_vccs() for each matched entry.
For example, when lec_vcc_close() iterates through the hlists in
priv->lec_arp_empty_ones or other ARP tables:
1. In the first iteration, for the first matched ARP entry sharing the VCC,
lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)
and sets vcc->user_back to NULL.
2. In the second iteration, for the next matched ARP entry sharing the same
VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from
vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it
via `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.
Fix this by adding a null check for vpriv before dereferencing
it. If vpriv is already NULL, it means the VCC has been cleared
by a previous call, so we can safely skip the cleanup and just
clear the entry's vcc/recv_vcc pointers.
The entire cleanup block (including vcc_release_async()) is placed inside
the vpriv guard because a NULL vpriv indicates the VCC has already been
fully released by a prior iteration — repeating the teardown would
redundantly set flags and trigger callbacks on an already-closing socket.
The Fixes tag points to the initial commit because the entry->vcc path has
been vulnerable since the original code. The entry->recv_vcc path was later
added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")
with the same pattern, and both paths are fixed here.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 8aff65a82b6389ec674d46e5b3d3ae6f07db5e3e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 30c9744a989feb22cfbb84170eb0e038a7a2c1da (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < e9665986eb127290ceb535bd5d04d7a84265d94f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 622062f24644b4536d3f437e0cf7a8c4bb421665 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 2d9f57ea29a1f1772373b98a509b44d49fda609e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7ea92ab075d809ec8a96669a5ecf00f752057875 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5f1cfea7921f5c126a441d973690eeba52677b64 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8aff65a82b6389ec674d46e5b3d3ae6f07db5e3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30c9744a989feb22cfbb84170eb0e038a7a2c1da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e9665986eb127290ceb535bd5d04d7a84265d94f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "622062f24644b4536d3f437e0cf7a8c4bb421665",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d9f57ea29a1f1772373b98a509b44d49fda609e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ea92ab075d809ec8a96669a5ecf00f752057875",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f1cfea7921f5c126a441d973690eeba52677b64",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix null-ptr-deref in lec_arp_clear_vccs\n\nsyzkaller reported a null-ptr-deref in lec_arp_clear_vccs().\nThis issue can be easily reproduced using the syzkaller reproducer.\n\nIn the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by\nmultiple lec_arp_table entries (e.g., via entry-\u003evcc or entry-\u003erecv_vcc).\nWhen the underlying VCC is closed, lec_vcc_close() iterates over all\nARP entries and calls lec_arp_clear_vccs() for each matched entry.\n\nFor example, when lec_vcc_close() iterates through the hlists in\npriv-\u003elec_arp_empty_ones or other ARP tables:\n\n1. In the first iteration, for the first matched ARP entry sharing the VCC,\nlec_arp_clear_vccs() frees the associated vpriv (which is vcc-\u003euser_back)\nand sets vcc-\u003euser_back to NULL.\n2. In the second iteration, for the next matched ARP entry sharing the same\nVCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from\nvcc-\u003euser_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it\nvia `vcc-\u003epop = vpriv-\u003eold_pop`, leading to a null-ptr-deref crash.\n\nFix this by adding a null check for vpriv before dereferencing\nit. If vpriv is already NULL, it means the VCC has been cleared\nby a previous call, so we can safely skip the cleanup and just\nclear the entry\u0027s vcc/recv_vcc pointers.\n\nThe entire cleanup block (including vcc_release_async()) is placed inside\nthe vpriv guard because a NULL vpriv indicates the VCC has already been\nfully released by a prior iteration \u2014 repeating the teardown would\nredundantly set flags and trigger callbacks on an already-closing socket.\n\nThe Fixes tag points to the initial commit because the entry-\u003evcc path has\nbeen vulnerable since the original code. The entry-\u003erecv_vcc path was later\nadded by commit 8d9f73c0ad2f (\"atm: fix a memory leak of vcc-\u003euser_back\")\nwith the same pattern, and both paths are fixed here."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:38.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8aff65a82b6389ec674d46e5b3d3ae6f07db5e3e"
},
{
"url": "https://git.kernel.org/stable/c/30c9744a989feb22cfbb84170eb0e038a7a2c1da"
},
{
"url": "https://git.kernel.org/stable/c/e9665986eb127290ceb535bd5d04d7a84265d94f"
},
{
"url": "https://git.kernel.org/stable/c/622062f24644b4536d3f437e0cf7a8c4bb421665"
},
{
"url": "https://git.kernel.org/stable/c/2d9f57ea29a1f1772373b98a509b44d49fda609e"
},
{
"url": "https://git.kernel.org/stable/c/7ea92ab075d809ec8a96669a5ecf00f752057875"
},
{
"url": "https://git.kernel.org/stable/c/5f1cfea7921f5c126a441d973690eeba52677b64"
},
{
"url": "https://git.kernel.org/stable/c/101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb"
}
],
"title": "atm: lec: fix null-ptr-deref in lec_arp_clear_vccs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23286",
"datePublished": "2026-03-25T10:26:45.531Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:38.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23365 (GCVE-0-2026-23365)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
net: usb: kalmia: validate USB endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: kalmia: validate USB endpoints
The kalmia driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < ff675bc5b3e8c356f9d993d65d0bae6ed0dc7459 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 185050b47df3d41e49f20ad01beea2e7b9cddaa7 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 28a380bfa5bc7f6a9380b85e8eab919ee6ac1701 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 12c0243de0aee0ab27cc00932fd5edae65c1e3a2 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 51c20ea5f1555a984c041b0dbf56f00d41b9e652 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 011684cd18349aa4c52167c8ac37a0524169f48c (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < 7bfda1a0be4caec3263753d567678451cef73a85 (git) |
| Linux | Linux | Affected: d40261236e8e278cb1936cb5e934262971692b10, < c58b6c29a4c9b8125e8ad3bca0637e00b71e2693 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kalmia.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff675bc5b3e8c356f9d993d65d0bae6ed0dc7459",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "185050b47df3d41e49f20ad01beea2e7b9cddaa7",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "28a380bfa5bc7f6a9380b85e8eab919ee6ac1701",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "12c0243de0aee0ab27cc00932fd5edae65c1e3a2",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "51c20ea5f1555a984c041b0dbf56f00d41b9e652",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "011684cd18349aa4c52167c8ac37a0524169f48c",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "7bfda1a0be4caec3263753d567678451cef73a85",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "c58b6c29a4c9b8125e8ad3bca0637e00b71e2693",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kalmia.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kalmia: validate USB endpoints\n\nThe kalmia driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:13.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff675bc5b3e8c356f9d993d65d0bae6ed0dc7459"
},
{
"url": "https://git.kernel.org/stable/c/185050b47df3d41e49f20ad01beea2e7b9cddaa7"
},
{
"url": "https://git.kernel.org/stable/c/28a380bfa5bc7f6a9380b85e8eab919ee6ac1701"
},
{
"url": "https://git.kernel.org/stable/c/12c0243de0aee0ab27cc00932fd5edae65c1e3a2"
},
{
"url": "https://git.kernel.org/stable/c/51c20ea5f1555a984c041b0dbf56f00d41b9e652"
},
{
"url": "https://git.kernel.org/stable/c/011684cd18349aa4c52167c8ac37a0524169f48c"
},
{
"url": "https://git.kernel.org/stable/c/7bfda1a0be4caec3263753d567678451cef73a85"
},
{
"url": "https://git.kernel.org/stable/c/c58b6c29a4c9b8125e8ad3bca0637e00b71e2693"
}
],
"title": "net: usb: kalmia: validate USB endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23365",
"datePublished": "2026-03-25T10:27:47.609Z",
"dateReserved": "2026-01-13T15:37:46.002Z",
"dateUpdated": "2026-04-18T08:58:13.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53510 (GCVE-0-2023-53510)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2026-03-25 10:19
Title
scsi: ufs: core: Fix handling of lrbp->cmd
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix handling of lrbp->cmd
ufshcd_queuecommand() may be called two times in a row for a SCSI command
before it is completed. Hence make the following changes:
- In the functions that submit a command, do not check the old value of
lrbp->cmd nor clear lrbp->cmd in error paths.
- In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.
See also scsi_send_eh_cmnd().
This commit prevents that the following appears if a command times out:
WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8
Call trace:
ufshcd_queuecommand+0x6f8/0x9a8
scsi_send_eh_cmnd+0x2c0/0x960
scsi_eh_test_devices+0x100/0x314
scsi_eh_ready_devs+0xd90/0x114c
scsi_error_handler+0x2b4/0xb70
kthread+0x16c/0x1e0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5a0b0cb9bee767ef10ff9ce2fb4141af06416288, < b6d76d63c6d21d5d26c301a46853a2aee72397d5 (git) |
| Linux | Linux | Affected: 5a0b0cb9bee767ef10ff9ce2fb4141af06416288, < f3ee24af62681b942bbd799ac77b90a6d7e1fdb1 (git) |
| Linux | Linux | Affected: 5a0b0cb9bee767ef10ff9ce2fb4141af06416288, < 49234a401e161a2f2698f4612ab792c49b3cad1b (git) |
| Linux | Linux | Affected: 5a0b0cb9bee767ef10ff9ce2fb4141af06416288, < 549e91a9bbaa0ee480f59357868421a61d369770 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6d76d63c6d21d5d26c301a46853a2aee72397d5",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
},
{
"lessThan": "f3ee24af62681b942bbd799ac77b90a6d7e1fdb1",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
},
{
"lessThan": "49234a401e161a2f2698f4612ab792c49b3cad1b",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
},
{
"lessThan": "549e91a9bbaa0ee480f59357868421a61d369770",
"status": "affected",
"version": "5a0b0cb9bee767ef10ff9ce2fb4141af06416288",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix handling of lrbp-\u003ecmd\n\nufshcd_queuecommand() may be called two times in a row for a SCSI command\nbefore it is completed. Hence make the following changes:\n\n - In the functions that submit a command, do not check the old value of\n lrbp-\u003ecmd nor clear lrbp-\u003ecmd in error paths.\n\n - In ufshcd_release_scsi_cmd(), do not clear lrbp-\u003ecmd.\n\nSee also scsi_send_eh_cmnd().\n\nThis commit prevents that the following appears if a command times out:\n\nWARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8\nCall trace:\n ufshcd_queuecommand+0x6f8/0x9a8\n scsi_send_eh_cmnd+0x2c0/0x960\n scsi_eh_test_devices+0x100/0x314\n scsi_eh_ready_devs+0xd90/0x114c\n scsi_error_handler+0x2b4/0xb70\n kthread+0x16c/0x1e0"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:05.492Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6d76d63c6d21d5d26c301a46853a2aee72397d5"
},
{
"url": "https://git.kernel.org/stable/c/f3ee24af62681b942bbd799ac77b90a6d7e1fdb1"
},
{
"url": "https://git.kernel.org/stable/c/49234a401e161a2f2698f4612ab792c49b3cad1b"
},
{
"url": "https://git.kernel.org/stable/c/549e91a9bbaa0ee480f59357868421a61d369770"
}
],
"title": "scsi: ufs: core: Fix handling of lrbp-\u003ecmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53510",
"datePublished": "2025-10-01T11:45:59.421Z",
"dateReserved": "2025-10-01T11:39:39.405Z",
"dateUpdated": "2026-03-25T10:19:05.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31476 (GCVE-0-2026-31476)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
ksmbd: do not expire session on binding failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: do not expire session on binding failure
When a multichannel session binding request fails (e.g. wrong password),
the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
However, during binding, sess points to the target session looked up via
ksmbd_session_lookup_slowpath() -- which belongs to another connection's
user. This allows a remote attacker to invalidate any active session by
simply sending a binding request with a wrong password (DoS).
Fix this by skipping session expiration when the failed request was
a binding attempt, since the session does not belong to the current
connection. The reference taken by ksmbd_session_lookup_slowpath() is
still correctly released via ksmbd_user_session_put().
Severity
8.2 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < f5300690c23c5ac860499bb37dbc09cf43fd62e6 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < 6fafc4c4238e538969f1375f9ecdc6587c53f1cc (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < 1d1888b4a7aec518b707f6eca0bf08992c0e8da3 (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < a897064a457056acb976e20e3007cdf553de340f (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < e0e5edc81b241c70355217de7e120c97c3429deb (git) |
| Linux | Linux | Affected: f5a544e3bab78142207e0242d22442db85ba1eff, < 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5300690c23c5ac860499bb37dbc09cf43fd62e6",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "6fafc4c4238e538969f1375f9ecdc6587c53f1cc",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1d1888b4a7aec518b707f6eca0bf08992c0e8da3",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "a897064a457056acb976e20e3007cdf553de340f",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "e0e5edc81b241c70355217de7e120c97c3429deb",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "9bbb19d21ded7d78645506f20d8c44895e3d0fb9",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: do not expire session on binding failure\n\nWhen a multichannel session binding request fails (e.g. wrong password),\nthe error path unconditionally sets sess-\u003estate = SMB2_SESSION_EXPIRED.\nHowever, during binding, sess points to the target session looked up via\nksmbd_session_lookup_slowpath() -- which belongs to another connection\u0027s\nuser. This allows a remote attacker to invalidate any active session by\nsimply sending a binding request with a wrong password (DoS).\n\nFix this by skipping session expiration when the failed request was\na binding attempt, since the session does not belong to the current\nconnection. The reference taken by ksmbd_session_lookup_slowpath() is\nstill correctly released via ksmbd_user_session_put()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:30.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5300690c23c5ac860499bb37dbc09cf43fd62e6"
},
{
"url": "https://git.kernel.org/stable/c/6fafc4c4238e538969f1375f9ecdc6587c53f1cc"
},
{
"url": "https://git.kernel.org/stable/c/1d1888b4a7aec518b707f6eca0bf08992c0e8da3"
},
{
"url": "https://git.kernel.org/stable/c/a897064a457056acb976e20e3007cdf553de340f"
},
{
"url": "https://git.kernel.org/stable/c/e0e5edc81b241c70355217de7e120c97c3429deb"
},
{
"url": "https://git.kernel.org/stable/c/9bbb19d21ded7d78645506f20d8c44895e3d0fb9"
}
],
"title": "ksmbd: do not expire session on binding failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31476",
"datePublished": "2026-04-22T13:54:04.779Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-04-27T14:03:30.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31515 (GCVE-0-2026-31515)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
af_key: validate families in pfkey_send_migrate()
Summary
In the Linux kernel, the following vulnerability has been resolved:

af_key: validate families in pfkey_send_migrate()

syzbot was able to trigger a crash in skb_put() [1]

Issue is that pfkey_send_migrate() does not check old/new families,
and that set_ipsecrequest() @family argument was truncated,
thus possibly overfilling the skb.

Validate families early, do not wait set_ipsecrequest().

[1]

    skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>
    kernel BUG at net/core/skbuff.c:214 !
    Call Trace:
     <TASK>
      skb_over_panic net/core/skbuff.c:219 [inline]
      skb_put+0x159/0x210 net/core/skbuff.c:2655
      skb_put_zero include/linux/skbuff.h:2788 [inline]
      set_ipsecrequest net/key/af_key.c:3532 [inline]
      pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636
      km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848
      xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705
      xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c5aa8dd38887714f1aad04236a3620b56a5e4e",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "e06b596fc4eb01936a2e5dccad17c946d660bab8",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "8ddf8de7e758f6888988467af9ffc8adf589fb16",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "d3225e6b9bd51ec177970a628fe4b11237ce87d5",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "7b18692c59afb8e5c364c8e3ac01e51dd6b52028",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "83f644ea92987c100b82d8481ae2230faeed3d34",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "ee836e820a40e2ca4da8af7310bff92d586772d4",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
},
{
"lessThan": "eb2d16a7d599dc9d4df391b5e660df9949963786",
"status": "affected",
"version": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.21"
},
{
"lessThan": "2.6.21",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:\u003cNULL\u003e\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n \u003cTASK\u003e\n skb_over_panic net/core/skbuff.c:219 [inline]\n skb_put+0x159/0x210 net/core/skbuff.c:2655\n skb_put_zero include/linux/skbuff.h:2788 [inline]\n set_ipsecrequest net/key/af_key.c:3532 [inline]\n pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:32.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c5aa8dd38887714f1aad04236a3620b56a5e4e"
},
{
"url": "https://git.kernel.org/stable/c/e06b596fc4eb01936a2e5dccad17c946d660bab8"
},
{
"url": "https://git.kernel.org/stable/c/8ddf8de7e758f6888988467af9ffc8adf589fb16"
},
{
"url": "https://git.kernel.org/stable/c/d3225e6b9bd51ec177970a628fe4b11237ce87d5"
},
{
"url": "https://git.kernel.org/stable/c/7b18692c59afb8e5c364c8e3ac01e51dd6b52028"
},
{
"url": "https://git.kernel.org/stable/c/83f644ea92987c100b82d8481ae2230faeed3d34"
},
{
"url": "https://git.kernel.org/stable/c/ee836e820a40e2ca4da8af7310bff92d586772d4"
},
{
"url": "https://git.kernel.org/stable/c/eb2d16a7d599dc9d4df391b5e660df9949963786"
}
],
"title": "af_key: validate families in pfkey_send_migrate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31515",
"datePublished": "2026-04-22T13:54:32.194Z",
"dateReserved": "2026-03-09T15:48:24.107Z",
"dateUpdated": "2026-04-22T13:54:32.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31754 (GCVE-0-2026-31754)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: cdns3: gadget: fix state inconsistency on gadget init failure
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix state inconsistency on gadget init failure

When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode
while software state remains INACTIVE, creating hardware/software state
inconsistency.

When switching to host mode via sysfs:

    echo host > /sys/class/usb_role/13180000.usb-role-switch/role

The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error,
so cdns_role_stop() skips cleanup because state is still INACTIVE.
This violates the DRD controller design specification (Figure22),
which requires returning to idle state before switching roles.

This leads to a synchronous external abort in xhci_gen_setup() when
setting up the host controller:

    [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19
    [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget
    [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed
    ...
    [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
    [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
    [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408
    [ 1301.393391] backtrace:
        ...
        xhci_gen_setup+0xa4/0x408 <-- CRASH
        xhci_plat_setup+0x44/0x58
        usb_add_hcd+0x284/0x678
        ...
        cdns_role_set+0x9c/0xbc <-- Role switch

Fix by calling cdns_drd_gadget_off() in the error path to properly
clean up the DRD gadget state.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb7110a052467098967284ef14d306810b354937",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "9b1d301fbae837bf6979a19030b81d869bb15f7a",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "cfca84f5986afceb63a3adf39d4a98e915aebbc2",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "5a85599ca4d2584d89dc69f4fc49303b75a42338",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
},
{
"lessThan": "c32f8748d70c8fc77676ad92ed76cede17bf2c48",
"status": "affected",
"version": "7733f6c32e36ff9d7adadf40001039bf219b1cbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdns3-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix state inconsistency on gadget init failure\n\nWhen cdns3_gadget_start() fails, the DRD hardware is left in gadget mode\nwhile software state remains INACTIVE, creating hardware/software state\ninconsistency.\n\nWhen switching to host mode via sysfs:\n echo host \u003e /sys/class/usb_role/13180000.usb-role-switch/role\n\nThe role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error,\nso cdns_role_stop() skips cleanup because state is still INACTIVE.\nThis violates the DRD controller design specification (Figure22),\nwhich requires returning to idle state before switching roles.\n\nThis leads to a synchronous external abort in xhci_gen_setup() when\nsetting up the host controller:\n\n[ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19\n[ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget\n[ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed\n...\n[ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller\n[ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP\n[ 1301.382485] pc : xhci_gen_setup+0xa4/0x408\n[ 1301.393391] backtrace:\n ...\n xhci_gen_setup+0xa4/0x408 \u003c-- CRASH\n xhci_plat_setup+0x44/0x58\n usb_add_hcd+0x284/0x678\n ...\n cdns_role_set+0x9c/0xbc \u003c-- Role switch\n\nFix by calling cdns_drd_gadget_off() in the error path to properly\nclean up the DRD gadget state."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:45.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937"
},
{
"url": "https://git.kernel.org/stable/c/9b1d301fbae837bf6979a19030b81d869bb15f7a"
},
{
"url": "https://git.kernel.org/stable/c/cfca84f5986afceb63a3adf39d4a98e915aebbc2"
},
{
"url": "https://git.kernel.org/stable/c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f"
},
{
"url": "https://git.kernel.org/stable/c/5a85599ca4d2584d89dc69f4fc49303b75a42338"
},
{
"url": "https://git.kernel.org/stable/c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f"
},
{
"url": "https://git.kernel.org/stable/c/c32f8748d70c8fc77676ad92ed76cede17bf2c48"
}
],
"title": "usb: cdns3: gadget: fix state inconsistency on gadget init failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31754",
"datePublished": "2026-05-01T14:14:45.628Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:45.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31649 (GCVE-0-2026-31649)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
net: stmmac: fix integer underflow in chain mode
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

    len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()
decides to invoke jumbo_frm() based on skb->len (total length including
page fragments):

    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a
large total length due to page fragments (skb->len > bmax), the
subtraction wraps as an unsigned integer, producing a huge len value
(~0xFFFFxxxx). This causes the while (len != 0) loop to execute
hundreds of thousands of iterations, passing skb->data + bmax * i
pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less
SoCs (the typical deployment for stmmac), this maps arbitrary kernel
memory to the DMA engine, constituting a kernel memory disclosure and
potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to
min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then
always safe: it is zero when the linear portion fits within a single
descriptor, causing the while (len != 0) loop to be skipped naturally,
and the fragment loop in stmmac_xmit() handles page fragments afterward.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "513e06735f5be575b409d195822195348b164e48",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "275bdf762e82082f064e60a92448fa2ac43cf95b",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "b7b8012193fd98236d7ae05d4b553f010a77b2ef",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "2c91b39912278d0878f9ba60ba04d2518b18a08d",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "6fca757c20396dc2e604dcc61922264e9e3dc803",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:42.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
},
{
"url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
},
{
"url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
},
{
"url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
},
{
"url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
},
{
"url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
},
{
"url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
},
{
"url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
}
],
"title": "net: stmmac: fix integer underflow in chain mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31649",
"datePublished": "2026-04-24T14:45:02.520Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-04-27T14:04:42.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31761 (GCVE-0-2026-31761)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-03 05:45
Title
iio: gyro: mpu3050: Move iio_device_register() to correct location
Summary
In the Linux kernel, the following vulnerability has been resolved:

iio: gyro: mpu3050: Move iio_device_register() to correct location

iio_device_register() should be at the end of the probe function to
prevent race conditions.

Place iio_device_register() at the end of the probe function and place
iio_device_unregister() accordingly.
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22487ef85f6dd9499ddf49b85a08afc50a3f1992",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "caec338f91469f0a70b68165185afa3abc994545",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "051ca43b0e0e4b66bfd349cd53ccf231ad1d69b7",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "2a4537653d200fda2a8516083459f8ff6194f8fc",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "92f18aa86302fe83e0726a1191015f427d4ff056",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "cc3de12a5612ee25df7fb549cb7b3e4cc8bfaf9c",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "59a317f8215674c8330817770497301bfb2c1b99",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "4c05799449108fb0e0a6bd30e65fffc71e60db4d",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Move iio_device_register() to correct location\n\niio_device_register() should be at the end of the probe function to\nprevent race conditions.\n\nPlace iio_device_register() at the end of the probe function and place\niio_device_unregister() accordingly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:47.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22487ef85f6dd9499ddf49b85a08afc50a3f1992"
},
{
"url": "https://git.kernel.org/stable/c/caec338f91469f0a70b68165185afa3abc994545"
},
{
"url": "https://git.kernel.org/stable/c/051ca43b0e0e4b66bfd349cd53ccf231ad1d69b7"
},
{
"url": "https://git.kernel.org/stable/c/2a4537653d200fda2a8516083459f8ff6194f8fc"
},
{
"url": "https://git.kernel.org/stable/c/92f18aa86302fe83e0726a1191015f427d4ff056"
},
{
"url": "https://git.kernel.org/stable/c/cc3de12a5612ee25df7fb549cb7b3e4cc8bfaf9c"
},
{
"url": "https://git.kernel.org/stable/c/59a317f8215674c8330817770497301bfb2c1b99"
},
{
"url": "https://git.kernel.org/stable/c/4c05799449108fb0e0a6bd30e65fffc71e60db4d"
}
],
"title": "iio: gyro: mpu3050: Move iio_device_register() to correct location",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31761",
"datePublished": "2026-05-01T14:14:53.223Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-03T05:45:47.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31423 (GCVE-0-2026-31423)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
m2sm() converts a u32 slope to a u64 scaled value. For large inputs
(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores
the difference of two such u64 values in a u32 variable `dsm` and
uses it as a divisor. When the difference is exactly 2^32 the
truncation yields zero, causing a divide-by-zero oops in the
concave-curve intersection path:
```
Oops: divide error: 0000
RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
Call Trace:
init_ed (net/sched/sch_hfsc.c:629)
hfsc_enqueue (net/sched/sch_hfsc.c:1569)
[...]
```
Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
difference is preserved.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ad8e8fec40290a8c8cf145c0deaadf76f80c5163 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25b6821884713a31e2b49fb67b0ebd765b33e0a9 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c56f78614e7781aaceca9bd3cb2128bf7d45c3bd (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b9e6431cbea8bb1fae8069ed099b4ee100499835 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17c1b9807b8a67d676b6dcf749ee932ebaa7f568 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4576100b8cd03118267513cafacde164b498b322 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad8e8fec40290a8c8cf145c0deaadf76f80c5163",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "25b6821884713a31e2b49fb67b0ebd765b33e0a9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c56f78614e7781aaceca9bd3cb2128bf7d45c3bd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9e6431cbea8bb1fae8069ed099b4ee100499835",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17c1b9807b8a67d676b6dcf749ee932ebaa7f568",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4576100b8cd03118267513cafacde164b498b322",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value. For large inputs\n(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor. When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n Oops: divide error: 0000\n RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n Call Trace:\n init_ed (net/sched/sch_hfsc.c:629)\n hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is preserved."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:36.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad8e8fec40290a8c8cf145c0deaadf76f80c5163"
},
{
"url": "https://git.kernel.org/stable/c/ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f"
},
{
"url": "https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9"
},
{
"url": "https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd"
},
{
"url": "https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835"
},
{
"url": "https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568"
},
{
"url": "https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5"
},
{
"url": "https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322"
}
],
"title": "net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31423",
"datePublished": "2026-04-13T13:40:26.567Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:36.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23277 (GCVE-0-2026-23277)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-18 08:57
Title
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:
```
get_cpu_ptr(dev->tstats)
```
Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.
```
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
<TASK>
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
__gre_xmit (net/ipv4/ip_gre.c:478)
gre_tap_xmit (net/ipv4/ip_gre.c:779)
teql_master_xmit (net/sched/sch_teql.c:319)
dev_hard_start_xmit (net/core/dev.c:3887)
sch_direct_xmit (net/sched/sch_generic.c:347)
__dev_queue_xmit (net/core/dev.c:4802)
neigh_direct_output (net/core/neighbour.c:1660)
ip_finish_output2 (net/ipv4/ip_output.c:237)
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
ip_mc_output (net/ipv4/ip_output.c:369)
ip_send_skb (net/ipv4/ip_output.c:1508)
udp_send_skb (net/ipv4/udp.c:1195)
udp_sendmsg (net/ipv4/udp.c:1485)
inet_sendmsg (net/ipv4/af_inet.c:859)
__sys_sendto (net/socket.c:2206)
```
Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 383493b9940e3d1b5517424081b3e072e20ec43c (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 6b1f563d670162e188a0f2aec39c24b67b106e17 (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 57c153249143333bbf4ecf927bdf8aa2696ee397 (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 59b06d8b9bdb6b64b3c534c18da68bce5ccd31be (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 81a43e8005366f16e629d8c95dfe05beaa8d36a7 (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 0bad9c86edd22dec4df83c2b29872d66fd8a2ff4 (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 21ea283c2750c8307aa35ee832b0951cc993c27d (git) |
| Linux | Linux | Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "383493b9940e3d1b5517424081b3e072e20ec43c",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "6b1f563d670162e188a0f2aec39c24b67b106e17",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "57c153249143333bbf4ecf927bdf8aa2696ee397",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "59b06d8b9bdb6b64b3c534c18da68bce5ccd31be",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "81a43e8005366f16e629d8c95dfe05beaa8d36a7",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "0bad9c86edd22dec4df83c2b29872d66fd8a2ff4",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "21ea283c2750c8307aa35ee832b0951cc993c27d",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
},
{
"lessThan": "0cc0c2e661af418bbf7074179ea5cfffc0a5c466",
"status": "affected",
"version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_teql.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit\n\nteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit\nthrough slave devices, but does not update skb-\u003edev to the slave device\nbeforehand.\n\nWhen a gretap tunnel is a TEQL slave, the transmit path reaches\niptunnel_xmit() which saves dev = skb-\u003edev (still pointing to teql0\nmaster) and later calls iptunnel_xmit_stats(dev, pkt_len). This\nfunction does:\n\n get_cpu_ptr(dev-\u003etstats)\n\nSince teql_master_setup() does not set dev-\u003epcpu_stat_type to\nNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats\nfor teql0, so dev-\u003etstats is NULL. get_cpu_ptr(NULL) computes\nNULL + __per_cpu_offset[cpu], resulting in a page fault.\n\n BUG: unable to handle page fault for address: ffff8880e6659018\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 68bc067 P4D 68bc067 PUD 0\n Oops: Oops: 0002 [#1] SMP KASAN PTI\n RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)\n Call Trace:\n \u003cTASK\u003e\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n __gre_xmit (net/ipv4/ip_gre.c:478)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n teql_master_xmit (net/sched/sch_teql.c:319)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n neigh_direct_output (net/core/neighbour.c:1660)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)\n ip_mc_output (net/ipv4/ip_output.c:369)\n ip_send_skb (net/ipv4/ip_output.c:1508)\n udp_send_skb (net/ipv4/udp.c:1195)\n udp_sendmsg (net/ipv4/udp.c:1485)\n inet_sendmsg (net/ipv4/af_inet.c:859)\n __sys_sendto (net/socket.c:2206)\n\nFix this by setting skb-\u003edev = slave before calling\nnetdev_start_xmit(), so that tunnel xmit functions see the correct\nslave device with properly allocated tstats."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:33.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/383493b9940e3d1b5517424081b3e072e20ec43c"
},
{
"url": "https://git.kernel.org/stable/c/6b1f563d670162e188a0f2aec39c24b67b106e17"
},
{
"url": "https://git.kernel.org/stable/c/57c153249143333bbf4ecf927bdf8aa2696ee397"
},
{
"url": "https://git.kernel.org/stable/c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be"
},
{
"url": "https://git.kernel.org/stable/c/81a43e8005366f16e629d8c95dfe05beaa8d36a7"
},
{
"url": "https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4"
},
{
"url": "https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d"
},
{
"url": "https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466"
}
],
"title": "net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23277",
"datePublished": "2026-03-20T08:08:57.394Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-18T08:57:33.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31566 (GCVE-0-2026-31566)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-27 14:04
Title
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence
from amdgpu_ib_schedule(). This fence is used to wait for job
completion.
Currently, the code drops the fence reference using dma_fence_put()
before calling dma_fence_wait().
If dma_fence_put() releases the last reference, the fence may be
freed before dma_fence_wait() is called. This can lead to a
use-after-free.
Fix this by waiting on the fence first and releasing the reference
only after dma_fence_wait() completes.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)
(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < bc7760c107dc08ef3e231d72c492e67b0a86848b (git) |
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < e23602eb0779760544314ed3905fa6a89a4e4070 (git) |
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 138e42be35ff2ce6572ae744de851ea286cf3c69 (git) |
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 39820864eacd886f1a6f817414fb8f9ea3e9a2b4 (git) |
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 42d248726a0837640452b71c5a202ca3d35239ec (git) |
| Linux | Linux | Affected: 9ae55f030dc523fc4dc6069557e4a887ea815453 , < 7150850146ebfa4ca998f653f264b8df6f7f85be (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc7760c107dc08ef3e231d72c492e67b0a86848b",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "e23602eb0779760544314ed3905fa6a89a4e4070",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "138e42be35ff2ce6572ae744de851ea286cf3c69",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "39820864eacd886f1a6f817414fb8f9ea3e9a2b4",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "42d248726a0837640452b71c5a202ca3d35239ec",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
},
{
"lessThan": "7150850146ebfa4ca998f653f264b8df6f7f85be",
"status": "affected",
"version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory \u0027f\u0027 (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:06.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b"
},
{
"url": "https://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070"
},
{
"url": "https://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69"
},
{
"url": "https://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4"
},
{
"url": "https://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec"
},
{
"url": "https://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be"
}
],
"title": "drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31566",
"datePublished": "2026-04-24T14:35:46.740Z",
"dateReserved": "2026-03-09T15:48:24.117Z",
"dateUpdated": "2026-04-27T14:04:06.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31656 (GCVE-0-2026-31656)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
A use-after-free / refcount underflow is possible when the heartbeat
worker and intel_engine_park_heartbeat() race to release the same
engine->heartbeat.systole request.
The heartbeat worker reads engine->heartbeat.systole and calls
i915_request_put() on it when the request is complete, but clears
the pointer in a separate, non-atomic step. Concurrently, a request
retirement on another CPU can drop the engine wakeref to zero, triggering
__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat
timer is pending at that point, cancel_delayed_work() returns true and
intel_engine_park_heartbeat() reads the stale non-NULL systole pointer
and calls i915_request_put() on it again, causing a refcount underflow:
```
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711] <TASK>
<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566] __engine_park+0xb9/0x650 [i915]
<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625] engine_retire+0x122/0x180 [i915]
<4> [487.227037] process_one_work+0x239/0x760
<4> [487.227060] worker_thread+0x200/0x3f0
<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
<4> [487.227075] kthread+0x10d/0x150
<4> [487.227083] ? __pfx_kthread+0x10/0x10
<4> [487.227092] ret_from_fork+0x3d4/0x480
<4> [487.227099] ? __pfx_kthread+0x10/0x10
<4> [487.227107] ret_from_fork_asm+0x1a/0x30
<4> [487.227141] </TASK>
```
Fix this by replacing the non-atomic pointer read + separate clear with
xchg() in both racing paths. xchg() is a single indivisible hardware
instruction that atomically reads the old pointer and writes NULL. This
guarantees only one of the two concurrent callers obtains the non-NULL
pointer and performs the put, the other gets NULL and skips it.
(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 70d3e622b10092fc483e28e57b4e8c49d9cc7f68 (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 8ce44d28a84fd5e053a88b04872a89d95c0779d4 (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < ca3f48c3567dd49efdc55b80029ae74659c682ee (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < a00e92bf6583d019a4fb2c2df7007e6c9b269ce7 (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 2af8b200cae3fdd0e917ecc2753b28bb40c876c1 (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 455d98ed527fc94eed90406f90ab2391464ca657 (git)<br>Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 4c71fd099513bfa8acab529b626e1f0097b76061 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70d3e622b10092fc483e28e57b4e8c49d9cc7f68",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "8ce44d28a84fd5e053a88b04872a89d95c0779d4",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "ca3f48c3567dd49efdc55b80029ae74659c682ee",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "a00e92bf6583d019a4fb2c2df7007e6c9b269ce7",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "2af8b200cae3fdd0e917ecc2753b28bb40c876c1",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "455d98ed527fc94eed90406f90ab2391464ca657",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "4c71fd099513bfa8acab529b626e1f0097b76061",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine-\u003eheartbeat.systole request.\n\nThe heartbeat worker reads engine-\u003eheartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -\u003e intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n\u003c4\u003e [487.221889] Workqueue: i915-unordered engine_retire [i915]\n\u003c4\u003e [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n\u003c4\u003e [487.222707] Call Trace:\n\u003c4\u003e [487.222711] \u003cTASK\u003e\n\u003c4\u003e [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n\u003c4\u003e [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]\n\u003c4\u003e [487.223566] __engine_park+0xb9/0x650 [i915]\n\u003c4\u003e [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n\u003c4\u003e [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]\n\u003c4\u003e [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]\n\u003c4\u003e [487.225238] intel_context_exit+0xf1/0x1b0 [i915]\n\u003c4\u003e [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]\n\u003c4\u003e [487.226178] i915_request_retire+0x1c/0x40 [i915]\n\u003c4\u003e [487.226625] engine_retire+0x122/0x180 [i915]\n\u003c4\u003e [487.227037] process_one_work+0x239/0x760\n\u003c4\u003e [487.227060] worker_thread+0x200/0x3f0\n\u003c4\u003e [487.227068] ? 
__pfx_worker_thread+0x10/0x10\n\u003c4\u003e [487.227075] kthread+0x10d/0x150\n\u003c4\u003e [487.227083] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227092] ret_from_fork+0x3d4/0x480\n\u003c4\u003e [487.227099] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227107] ret_from_fork_asm+0x1a/0x30\n\u003c4\u003e [487.227141] \u003c/TASK\u003e\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:43.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68"
},
{
"url": "https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4"
},
{
"url": "https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee"
},
{
"url": "https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7"
},
{
"url": "https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1"
},
{
"url": "https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657"
},
{
"url": "https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061"
}
],
"title": "drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31656",
"datePublished": "2026-04-24T14:45:07.738Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:43.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23231 (GCVE-0-2026-23231)
Vulnerability from cvelistv5 – Published: 2026-03-04 12:58 – Updated: 2026-04-13 06:02
Title
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2a6586ecfa4ce1413daaafee250d2590e05f1a33 (git)<br>Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 7017745068a9068904e1e7a1b170a5785647cc81 (git)<br>Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < f3fe58ce37926a10115ede527d59b91bcc05400a (git)<br>Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < dbd0af8083dd201f07c49110b2ee93710abdff28 (git)<br>Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b (git)<br>Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 71e99ee20fc3f662555118cf1159443250647533 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a6586ecfa4ce1413daaafee250d2590e05f1a33",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "7017745068a9068904e1e7a1b170a5785647cc81",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "f3fe58ce37926a10115ede527d59b91bcc05400a",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "dbd0af8083dd201f07c49110b2ee93710abdff28",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "71e99ee20fc3f662555118cf1159443250647533",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n under rcu_read_lock(). A concurrent dump can still be walking\n the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n installs the IPv4 hook before IPv6 registration fails. Packets\n entering nft_do_chain() via the transient IPv4 hook can still be\n dereferencing chain-\u003eblob_gen_X when the error path frees the\n chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:02:48.144Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33"
},
{
"url": "https://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81"
},
{
"url": "https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400a"
},
{
"url": "https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28"
},
{
"url": "https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b"
},
{
"url": "https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533"
}
],
"title": "netfilter: nf_tables: fix use-after-free in nf_tables_addchain()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23231",
"datePublished": "2026-03-04T12:58:42.029Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-04-13T06:02:48.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23274 (GCVE-0-2026-23274)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-18 08:57
Title
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
IDLETIMER revision 0 rules reuse existing timers by label and always call
mod_timer() on timer->timer.
If the label was created first by revision 1 with XT_IDLETIMER_ALARM,
the object uses alarm timer semantics and timer->timer is never initialized.
Reusing that object from revision 0 causes mod_timer() on an uninitialized
timer_list, triggering debugobjects warnings and possible panic when
panic_on_warn=1.
Fix this by rejecting revision 0 rule insertion when an existing timer with
the same label is of ALARM type.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 144f88054ba0180467356f40895bd660b5dceeec (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 28c7cfaf0c0ab17cbd7754092116fd1af45271f9 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 54080355999381fed4a26129579a5765bab87491 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 5e7ece24c5cb75a60402aad4d803c7898ea40aa9 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f228b9ae2a7e84d1153616d8e71c4236cb1f1309 (git)<br>Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "144f88054ba0180467356f40895bd660b5dceeec",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "28c7cfaf0c0ab17cbd7754092116fd1af45271f9",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "54080355999381fed4a26129579a5765bab87491",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "5e7ece24c5cb75a60402aad4d803c7898ea40aa9",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
},
{
"lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf",
"status": "affected",
"version": "68983a354a655c35d3fb204489d383a2a051fda7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_IDLETIMER.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:32.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"
},
{
"url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"
},
{
"url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"
},
{
"url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"
},
{
"url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"
},
{
"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"
},
{
"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"
},
{
"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"
}
],
"title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23274",
"datePublished": "2026-03-20T08:08:54.918Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-18T08:57:32.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31389 (GCVE-0-2026-31389)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
spi: fix use-after-free on controller registration failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fix use-after-free on controller registration failure
Make sure to deregister from driver core also in the unlikely event that
per-cpu statistics allocation fails during controller registration to
avoid use-after-free (of driver resources) and unclocked register
accesses.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 0e23f50086da7d0b183dfeac26021acfcdee086b (git)<br>Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 6bbd385b30c7fb6c7ee0669e9ada91490938c051 (git)<br>Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < afe27c1f43aa57530011f419be6ddf71306565d2 (git)<br>Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 80f3e8cd2b4ad355b2ad2024cf423f6d183404f7 (git)<br>Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 23b51bad2eb8787aa74324cfccefb258515ae5ba (git)<br>Affected: 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 , < 8634e05b08ead636e926022f4a98416e13440df9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e23f50086da7d0b183dfeac26021acfcdee086b",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "6bbd385b30c7fb6c7ee0669e9ada91490938c051",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "afe27c1f43aa57530011f419be6ddf71306565d2",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "80f3e8cd2b4ad355b2ad2024cf423f6d183404f7",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "23b51bad2eb8787aa74324cfccefb258515ae5ba",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
},
{
"lessThan": "8634e05b08ead636e926022f4a98416e13440df9",
"status": "affected",
"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:41.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"
},
{
"url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"
},
{
"url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"
},
{
"url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"
},
{
"url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"
},
{
"url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"
}
],
"title": "spi: fix use-after-free on controller registration failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31389",
"datePublished": "2026-04-03T15:15:55.068Z",
"dateReserved": "2026-03-09T15:48:24.084Z",
"dateUpdated": "2026-04-27T14:02:41.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31768 (GCVE-0-2026-31768)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-03 05:45
Title
iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
Add a DMA-safe buffer and use it for spi_read() instead of a stack
memory. All SPI buffers must be DMA-safe.
Since we only need up to 3 bytes, we just use a u8[] instead of __be16
and __be32 and change the conversion functions appropriately.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < b3bb8faeca1a2ef7be95ee8a512b639f9ffce947 (git) Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < fa64aab25aba47296aa8d12bb4c88ec3fecb2054 (git) Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < 67b3a91bdc48220bfb67155ab528121b9c822782 (git) Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < 014c6d27878d3883f7bb065610768fd021de1a96 (git) Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < d2d031b0786ea66ab0577c9d2d71435068d32199 (git) Affected: 4d671b71beefbfc145b971a11e0c3cabde94b673 , < 768461517a28d80fe81ea4d5d03a90cd184ea6ad (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ti-adc161s626.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3bb8faeca1a2ef7be95ee8a512b639f9ffce947",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
},
{
"lessThan": "fa64aab25aba47296aa8d12bb4c88ec3fecb2054",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
},
{
"lessThan": "67b3a91bdc48220bfb67155ab528121b9c822782",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
},
{
"lessThan": "014c6d27878d3883f7bb065610768fd021de1a96",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
},
{
"lessThan": "d2d031b0786ea66ab0577c9d2d71435068d32199",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
},
{
"lessThan": "768461517a28d80fe81ea4d5d03a90cd184ea6ad",
"status": "affected",
"version": "4d671b71beefbfc145b971a11e0c3cabde94b673",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ti-adc161s626.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-adc161s626: use DMA-safe memory for spi_read()\n\nAdd a DMA-safe buffer and use it for spi_read() instead of a stack\nmemory. All SPI buffers must be DMA-safe.\n\nSince we only need up to 3 bytes, we just use a u8[] instead of __be16\nand __be32 and change the conversion functions appropriately."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:49.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3bb8faeca1a2ef7be95ee8a512b639f9ffce947"
},
{
"url": "https://git.kernel.org/stable/c/fa64aab25aba47296aa8d12bb4c88ec3fecb2054"
},
{
"url": "https://git.kernel.org/stable/c/67b3a91bdc48220bfb67155ab528121b9c822782"
},
{
"url": "https://git.kernel.org/stable/c/014c6d27878d3883f7bb065610768fd021de1a96"
},
{
"url": "https://git.kernel.org/stable/c/d2d031b0786ea66ab0577c9d2d71435068d32199"
},
{
"url": "https://git.kernel.org/stable/c/768461517a28d80fe81ea4d5d03a90cd184ea6ad"
}
],
"title": "iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31768",
"datePublished": "2026-05-01T14:14:57.971Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-03T05:45:49.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31414 (GCVE-0-2026-31414)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-04-27 14:02
Title
netfilter: nf_conntrack_expect: use expect->helper
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_expect: use expect->helper
Use expect->helper in ctnetlink and /proc to dump the helper name.
Using nfct_help() without holding a reference to the master conntrack
is unsafe.
Use exp->master->helper in ctnetlink path if userspace does not provide
an explicit helper when creating an expectation to retain the existing
behaviour. The ctnetlink expectation path holds the reference on the
master conntrack and nf_conntrack_expect lock and the nfnetlink glue
path refers to the master ct that is attached to the skb.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < e7ccaa0a62a8ff2be5d521299ce79390c318d306 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 4bd1b3d839172724b33d8d02c5a4ff6a1c775417 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < b53294bff19e56ada2f230ceb8b1ffde61cc3817 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < 3dfd3f7712b5a800f2ba632179e9b738076a51f0 (git) Affected: ea781f197d6a835cbb93a0bf88ee1696296ed8aa , < f01794106042ee27e54af6fdf5b319a2fe3df94d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
},
{
"lessThan": "e7ccaa0a62a8ff2be5d521299ce79390c318d306",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
},
{
"lessThan": "4bd1b3d839172724b33d8d02c5a4ff6a1c775417",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
},
{
"lessThan": "b53294bff19e56ada2f230ceb8b1ffde61cc3817",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
},
{
"lessThan": "3dfd3f7712b5a800f2ba632179e9b738076a51f0",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
},
{
"lessThan": "f01794106042ee27e54af6fdf5b319a2fe3df94d",
"status": "affected",
"version": "ea781f197d6a835cbb93a0bf88ee1696296ed8aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c",
"net/netfilter/nf_conntrack_helper.c",
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: use expect-\u003ehelper\n\nUse expect-\u003ehelper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp-\u003emaster-\u003ehelper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:59.127Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781"
},
{
"url": "https://git.kernel.org/stable/c/e7ccaa0a62a8ff2be5d521299ce79390c318d306"
},
{
"url": "https://git.kernel.org/stable/c/4bd1b3d839172724b33d8d02c5a4ff6a1c775417"
},
{
"url": "https://git.kernel.org/stable/c/b53294bff19e56ada2f230ceb8b1ffde61cc3817"
},
{
"url": "https://git.kernel.org/stable/c/3dfd3f7712b5a800f2ba632179e9b738076a51f0"
},
{
"url": "https://git.kernel.org/stable/c/f01794106042ee27e54af6fdf5b319a2fe3df94d"
}
],
"title": "netfilter: nf_conntrack_expect: use expect-\u003ehelper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31414",
"datePublished": "2026-04-13T13:21:02.592Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-27T14:02:59.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38704 (GCVE-0-2025-38704)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-03-25 10:19
Title
rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
In the preparation stage of CPU online, if the corresponding
the rdp's->nocb_cb_kthread does not exist, will be created,
there is a situation where the rdp's rcuop kthreads creation fails,
and then de-offload this CPU's rdp, does not assign this CPU's
rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and
rdp's->rdp_gp->nocb_gp_kthread is still valid.
This will cause the subsequent re-offload operation of this offline
CPU, which will pass the conditional check and the kthread_unpark()
will access invalid rdp's->nocb_cb_kthread pointer.
This commit therefore use rdp's->nocb_gp_kthread instead of
rdp_gp's->nocb_gp_kthread for safety check.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < b097ae798298885695c339d390b48b4e39619fa7 (git) Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 3da45ec1e485a1a5ad31fe9ddd467c7ee5ae4ef9 (git) Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < cce3d027227c69e85896af9fbc6fa9af5c68f067 (git) Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 1c951683a720b17c9ecaad1932bc95b29044611f (git) Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d (git) Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree_nocb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b097ae798298885695c339d390b48b4e39619fa7",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
},
{
"lessThan": "3da45ec1e485a1a5ad31fe9ddd467c7ee5ae4ef9",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
},
{
"lessThan": "cce3d027227c69e85896af9fbc6fa9af5c68f067",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
},
{
"lessThan": "1c951683a720b17c9ecaad1932bc95b29044611f",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
},
{
"lessThan": "9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
},
{
"lessThan": "1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1",
"status": "affected",
"version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/tree_nocb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix possible invalid rdp\u0027s-\u003enocb_cb_kthread pointer access\n\nIn the preparation stage of CPU online, if the corresponding\nthe rdp\u0027s-\u003enocb_cb_kthread does not exist, will be created,\nthere is a situation where the rdp\u0027s rcuop kthreads creation fails,\nand then de-offload this CPU\u0027s rdp, does not assign this CPU\u0027s\nrdp-\u003enocb_cb_kthread pointer, but this rdp\u0027s-\u003enocb_gp_rdp and\nrdp\u0027s-\u003erdp_gp-\u003enocb_gp_kthread is still valid.\n\nThis will cause the subsequent re-offload operation of this offline\nCPU, which will pass the conditional check and the kthread_unpark()\nwill access invalid rdp\u0027s-\u003enocb_cb_kthread pointer.\n\nThis commit therefore use rdp\u0027s-\u003enocb_gp_kthread instead of\nrdp_gp\u0027s-\u003enocb_gp_kthread for safety check."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:35.398Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b097ae798298885695c339d390b48b4e39619fa7"
},
{
"url": "https://git.kernel.org/stable/c/3da45ec1e485a1a5ad31fe9ddd467c7ee5ae4ef9"
},
{
"url": "https://git.kernel.org/stable/c/cce3d027227c69e85896af9fbc6fa9af5c68f067"
},
{
"url": "https://git.kernel.org/stable/c/1c951683a720b17c9ecaad1932bc95b29044611f"
},
{
"url": "https://git.kernel.org/stable/c/9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d"
},
{
"url": "https://git.kernel.org/stable/c/1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1"
}
],
"title": "rcu/nocb: Fix possible invalid rdp\u0027s-\u003enocb_cb_kthread pointer access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38704",
"datePublished": "2025-09-04T15:32:55.718Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2026-03-25T10:19:35.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31477 (GCVE-0-2026-31477)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
ksmbd: fix memory leaks and NULL deref in smb2_lock()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix memory leaks and NULL deref in smb2_lock()
smb2_lock() has three error handling issues after list_del() detaches
smb_lock from lock_list at no_check_cl:
1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
path, goto out leaks smb_lock and its flock because the out:
handler only iterates lock_list and rollback_list, neither of
which contains the detached smb_lock.
2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
leaks smb_lock and flock for the same reason. The error code
returned to the dispatcher is also stale.
3) In the rollback path, smb_flock_init() can return NULL on
allocation failure. The result is dereferenced unconditionally,
causing a kernel NULL pointer dereference. Add a NULL check to
prevent the crash and clean up the bookkeeping; the VFS lock
itself cannot be rolled back without the allocation and will be
released at file or connection teardown.
Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
the if(!rc) check in the UNLOCK branch so all exit paths share one
free site, and by freeing smb_lock and flock before goto out in the
non-UNLOCK branch. Propagate the correct error code in both cases.
Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
a NULL check for locks_free_lock(rlock) in the shared cleanup.
Found via call-graph analysis using sqry.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < cdac6f7e7e428dc70e3b5898ac6999a72ed13993 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 91aeaa7256006d79a37298f5a1df23325db91599 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 3cdacd11b41569ce75b3162142240f2355e04900 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < aab42f0795620cf0d3955a520f571f697d0f9a2a (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 309b44ed684496ed3f9c5715d10b899338623512 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cdac6f7e7e428dc70e3b5898ac6999a72ed13993",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "91aeaa7256006d79a37298f5a1df23325db91599",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "3cdacd11b41569ce75b3162142240f2355e04900",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "aab42f0795620cf0d3955a520f571f697d0f9a2a",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "309b44ed684496ed3f9c5715d10b899338623512",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n path, goto out leaks smb_lock and its flock because the out:\n handler only iterates lock_list and rollback_list, neither of\n which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n leaks smb_lock and flock for the same reason. The error code\n returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n allocation failure. The result is dereferenced unconditionally,\n causing a kernel NULL pointer dereference. Add a NULL check to\n prevent the crash and clean up the bookkeeping; the VFS lock\n itself cannot be rolled back without the allocation and will be\n released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch. Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:31.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cdac6f7e7e428dc70e3b5898ac6999a72ed13993"
},
{
"url": "https://git.kernel.org/stable/c/c9b95ef6f5039f19e46c3a521a4fe1752d91dfe9"
},
{
"url": "https://git.kernel.org/stable/c/91aeaa7256006d79a37298f5a1df23325db91599"
},
{
"url": "https://git.kernel.org/stable/c/3cdacd11b41569ce75b3162142240f2355e04900"
},
{
"url": "https://git.kernel.org/stable/c/aab42f0795620cf0d3955a520f571f697d0f9a2a"
},
{
"url": "https://git.kernel.org/stable/c/309b44ed684496ed3f9c5715d10b899338623512"
}
],
"title": "ksmbd: fix memory leaks and NULL deref in smb2_lock()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31477",
"datePublished": "2026-04-22T13:54:05.470Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-04-27T14:03:31.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40358 (GCVE-0-2025-40358)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2026-03-25 10:19
Title
riscv: stacktrace: Disable KASAN checks for non-current tasks
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: stacktrace: Disable KASAN checks for non-current tasks
Unwinding the stack of a task other than current, KASAN would report
"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460"
There is a same issue on x86 and has been resolved by the commit
84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks")
The solution could be applied to RISC-V too.
This patch also can solve the issue:
https://seclists.org/oss-sec/2025/q4/23
[pjw@kernel.org: clean up checkpatch issues]
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < ef4d626ac59a56f8ec5cc09c1fef26f2923eec6f (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < f34ba22989da61186f30a40b6a82e0b3337b96fc (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2 (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 2c8d2b53866fb229b438296526ef0fa5a990e5e5 (git) Affected: 5d8544e2d0075a5f3c9a2cf27152354d54360da1 , < 060ea84a484e852b52b938f234bf9b5503a6c910 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/stacktrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef4d626ac59a56f8ec5cc09c1fef26f2923eec6f",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "f34ba22989da61186f30a40b6a82e0b3337b96fc",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "2c8d2b53866fb229b438296526ef0fa5a990e5e5",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
},
{
"lessThan": "060ea84a484e852b52b938f234bf9b5503a6c910",
"status": "affected",
"version": "5d8544e2d0075a5f3c9a2cf27152354d54360da1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/stacktrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: stacktrace: Disable KASAN checks for non-current tasks\n\nUnwinding the stack of a task other than current, KASAN would report\n\"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"\n\nThere is a same issue on x86 and has been resolved by the commit\n84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\")\nThe solution could be applied to RISC-V too.\n\nThis patch also can solve the issue:\nhttps://seclists.org/oss-sec/2025/q4/23\n\n[pjw@kernel.org: clean up checkpatch issues]"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:50.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef4d626ac59a56f8ec5cc09c1fef26f2923eec6f"
},
{
"url": "https://git.kernel.org/stable/c/f34ba22989da61186f30a40b6a82e0b3337b96fc"
},
{
"url": "https://git.kernel.org/stable/c/27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2"
},
{
"url": "https://git.kernel.org/stable/c/2c8d2b53866fb229b438296526ef0fa5a990e5e5"
},
{
"url": "https://git.kernel.org/stable/c/060ea84a484e852b52b938f234bf9b5503a6c910"
}
],
"title": "riscv: stacktrace: Disable KASAN checks for non-current tasks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40358",
"datePublished": "2025-12-16T13:39:57.847Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-03-25T10:19:50.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47736 (GCVE-0-2024-47736)
Vulnerability from cvelistv5 – Published: 2024-10-21 12:14 – Updated: 2026-04-11 12:45
Title
erofs: handle overlapped pclusters out of crafted images properly
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly
syzbot reported a task hang issue due to a deadlock case where it is
waiting for the folio lock of a cached folio that will be used for
cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with
several overlapped big pclusters as below:
Ext: logical offset | length : physical offset | length
0: 0.. 16384 | 16384 : 151552.. 167936 | 16384
1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384
2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384
...
Here, extent 0/1 are physically overlapped although it's entirely
_impossible_ for normal filesystem images generated by mkfs.
First, managed folios containing compressed data will be marked as
up-to-date and then unlocked immediately (unlike in-place folios) when
compressed I/Os are complete. If physical blocks are not submitted in
the incremental order, there should be separate BIOs to avoid dependency
issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
and BIO submission which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for
efficient inter-queries. However, this is somewhat hard to implement
easily if overlapped big pclusters exist. Again, these only appear in
fuzzed images so let's simply fall back to temporary short-lived pages
for correctness.
Additionally, it justifies that referenced managed folios cannot be
truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
difference.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8e6c8fa9f2e95c88a642521a5da19a8e31748846 , < c1172e65aad4b115392ea4c6e61e56e5b9b69df4 (git) |
| Linux | Linux | Affected: 8e6c8fa9f2e95c88a642521a5da19a8e31748846 , < 1bf7e414cac303c9aec1be67872e19be8b64980c (git) |
| Linux | Linux | Affected: 8e6c8fa9f2e95c88a642521a5da19a8e31748846 , < b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8 (git) |
| Linux | Linux | Affected: 8e6c8fa9f2e95c88a642521a5da19a8e31748846 , < 9cfa199bcbbbba31cbf97b2786f44f4464f3f29a (git) |
| Linux | Linux | Affected: 8e6c8fa9f2e95c88a642521a5da19a8e31748846 , < 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T12:59:50.164921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:04:15.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1172e65aad4b115392ea4c6e61e56e5b9b69df4",
"status": "affected",
"version": "8e6c8fa9f2e95c88a642521a5da19a8e31748846",
"versionType": "git"
},
{
"lessThan": "1bf7e414cac303c9aec1be67872e19be8b64980c",
"status": "affected",
"version": "8e6c8fa9f2e95c88a642521a5da19a8e31748846",
"versionType": "git"
},
{
"lessThan": "b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8",
"status": "affected",
"version": "8e6c8fa9f2e95c88a642521a5da19a8e31748846",
"versionType": "git"
},
{
"lessThan": "9cfa199bcbbbba31cbf97b2786f44f4464f3f29a",
"status": "affected",
"version": "8e6c8fa9f2e95c88a642521a5da19a8e31748846",
"versionType": "git"
},
{
"lessThan": "9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50",
"status": "affected",
"version": "8e6c8fa9f2e95c88a642521a5da19a8e31748846",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.72",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle overlapped pclusters out of crafted images properly\n\nsyzbot reported a task hang issue due to a deadlock case where it is\nwaiting for the folio lock of a cached folio that will be used for\ncache I/Os.\n\nAfter looking into the crafted fuzzed image, I found it\u0027s formed with\nseveral overlapped big pclusters as below:\n\n Ext: logical offset | length : physical offset | length\n 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384\n 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384\n 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384\n...\n\nHere, extent 0/1 are physically overlapped although it\u0027s entirely\n_impossible_ for normal filesystem images generated by mkfs.\n\nFirst, managed folios containing compressed data will be marked as\nup-to-date and then unlocked immediately (unlike in-place folios) when\ncompressed I/Os are complete. If physical blocks are not submitted in\nthe incremental order, there should be separate BIOs to avoid dependency\nissues. However, the current code mis-arranges z_erofs_fill_bio_vec()\nand BIO submission which causes unexpected BIO waits.\n\nSecond, managed folios will be connected to their own pclusters for\nefficient inter-queries. However, this is somewhat hard to implement\neasily if overlapped big pclusters exist. Again, these only appear in\nfuzzed images so let\u0027s simply fall back to temporary short-lived pages\nfor correctness.\n\nAdditionally, it justifies that referenced managed folios cannot be\ntruncated for now and reverts part of commit 2080ca1ed3e4 (\"erofs: tidy\nup `struct z_erofs_bvec`\") for simplicity although it shouldn\u0027t be any\ndifference."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:32.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1172e65aad4b115392ea4c6e61e56e5b9b69df4"
},
{
"url": "https://git.kernel.org/stable/c/1bf7e414cac303c9aec1be67872e19be8b64980c"
},
{
"url": "https://git.kernel.org/stable/c/b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8"
},
{
"url": "https://git.kernel.org/stable/c/9cfa199bcbbbba31cbf97b2786f44f4464f3f29a"
},
{
"url": "https://git.kernel.org/stable/c/9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50"
}
],
"title": "erofs: handle overlapped pclusters out of crafted images properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47736",
"datePublished": "2024-10-21T12:14:06.530Z",
"dateReserved": "2024-09-30T16:00:12.958Z",
"dateUpdated": "2026-04-11T12:45:32.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31634 (GCVE-0-2026-31634)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-24 14:44
Title
rxrpc: fix reference count leak in rxrpc_server_keyring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix reference count leak in rxrpc_server_keyring()
This patch fixes a reference count leak in rxrpc_server_keyring()
by checking if rx->securities is already set.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < fc76d0bd00850b7372f0a4a319c0c60f80487632 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 9ce36d28f67c2a477a7e2f03480de3f6783fb363 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 12de9e0e0b0b7058be7dfb8a5927eb565bc25780 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 139c750bf06649097d98b0bc41e2a678b4627e27 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < f125846ee79fcae537a964ce66494e96fa54a6de (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/server_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc76d0bd00850b7372f0a4a319c0c60f80487632",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "9ce36d28f67c2a477a7e2f03480de3f6783fb363",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "12de9e0e0b0b7058be7dfb8a5927eb565bc25780",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "139c750bf06649097d98b0bc41e2a678b4627e27",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "f125846ee79fcae537a964ce66494e96fa54a6de",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/server_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx-\u003esecurities is already set."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:44:49.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc76d0bd00850b7372f0a4a319c0c60f80487632"
},
{
"url": "https://git.kernel.org/stable/c/c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2"
},
{
"url": "https://git.kernel.org/stable/c/9ce36d28f67c2a477a7e2f03480de3f6783fb363"
},
{
"url": "https://git.kernel.org/stable/c/12de9e0e0b0b7058be7dfb8a5927eb565bc25780"
},
{
"url": "https://git.kernel.org/stable/c/8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a"
},
{
"url": "https://git.kernel.org/stable/c/139c750bf06649097d98b0bc41e2a678b4627e27"
},
{
"url": "https://git.kernel.org/stable/c/f125846ee79fcae537a964ce66494e96fa54a6de"
}
],
"title": "rxrpc: fix reference count leak in rxrpc_server_keyring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31634",
"datePublished": "2026-04-24T14:44:49.307Z",
"dateReserved": "2026-03-09T15:48:24.125Z",
"dateUpdated": "2026-04-24T14:44:49.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31778 (GCVE-0-2026-31778)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
ALSA: caiaq: fix stack out-of-bounds read in init_card
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: fix stack out-of-bounds read in init_card
The loop creates a whitespace-stripped copy of the card shortname
where `len < sizeof(card->id)` is used for the bounds check. Since
sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
writing 16 non-space characters fills the entire buffer,
overwriting the terminating nullbyte.
When this non-null-terminated string is later passed to
snd_card_set_id() -> copy_valid_id_string(), the function scans
forward with `while (*nid && ...)` and reads past the end of the
stack buffer, reading the contents of the stack.
A USB device with a product name containing many non-ASCII, non-space
characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
sound/core/init.c:696 [inline]
BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
sound/core/init.c:718
The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
which first introduced this whitespace-stripping loop. The original
code never accounted for the null terminator when bounding the copy.
Fix this by changing the loop bound to `sizeof(card->id) - 1`,
ensuring at least one byte remains as the null terminator.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 02d9c5b0b5553a391448b6d655262bd829f90234 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 66194c2575a4f567577ae70b1d7561163ce791a6 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < a82c1bce2d1299dd3c686a8fe48cf75b79a403c7 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 3178b62e2e31bab39f63d4c8e54bf4ee0a425627 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 3afa2e67f3523a980a2f90fd63c22322ac2b9ce0 (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 7594a6464873d90fd229e5b94cdd3b92c9feabed (git) |
| Linux | Linux | Affected: bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a , < 45424e871abf2a152e247a9cff78359f18dd95c0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02d9c5b0b5553a391448b6d655262bd829f90234",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "66194c2575a4f567577ae70b1d7561163ce791a6",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "a82c1bce2d1299dd3c686a8fe48cf75b79a403c7",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "3178b62e2e31bab39f63d4c8e54bf4ee0a425627",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "3afa2e67f3523a980a2f90fd63c22322ac2b9ce0",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "7594a6464873d90fd229e5b94cdd3b92c9feabed",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
},
{
"lessThan": "45424e871abf2a152e247a9cff78359f18dd95c0",
"status": "affected",
"version": "bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix stack out-of-bounds read in init_card\n\nThe loop creates a whitespace-stripped copy of the card shortname\nwhere `len \u003c sizeof(card-\u003eid)` is used for the bounds check. Since\nsizeof(card-\u003eid) is 16 and the local id buffer is also 16 bytes,\nwriting 16 non-space characters fills the entire buffer,\noverwriting the terminating nullbyte.\n\nWhen this non-null-terminated string is later passed to\nsnd_card_set_id() -\u003e copy_valid_id_string(), the function scans\nforward with `while (*nid \u0026\u0026 ...)` and reads past the end of the\nstack buffer, reading the contents of the stack.\n\nA USB device with a product name containing many non-ASCII, non-space\ncharacters (e.g. multibyte UTF-8) will reliably trigger this as follows:\n\n BUG: KASAN: stack-out-of-bounds in copy_valid_id_string\n sound/core/init.c:696 [inline]\n BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c\n sound/core/init.c:718\n\nThe off-by-one has been present since commit bafeee5b1f8d (\"ALSA:\nsnd_usb_caiaq: give better shortname\") from June 2009 (v2.6.31-rc1),\nwhich first introduced this whitespace-stripping loop. The original\ncode never accounted for the null terminator when bounding the copy.\n\nFix this by changing the loop bound to `sizeof(card-\u003eid) - 1`,\nensuring at least one byte remains as the null terminator."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:05.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234"
},
{
"url": "https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6"
},
{
"url": "https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6"
},
{
"url": "https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7"
},
{
"url": "https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627"
},
{
"url": "https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0"
},
{
"url": "https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed"
},
{
"url": "https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0"
}
],
"title": "ALSA: caiaq: fix stack out-of-bounds read in init_card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31778",
"datePublished": "2026-05-01T14:15:05.804Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-01T14:15:05.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43046 (GCVE-0-2026-43046)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-02 06:14
Title
btrfs: reject root items with drop_progress and zero drop_level
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject root items with drop_progress and zero drop_level
[BUG]
When recovering relocation at mount time, merge_reloc_root() and
btrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against
an impossible state: a non-zero drop_progress combined with a zero
drop_level in a root_item, which can be triggered:
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1545!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2
RIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545
Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000
Call Trace:
merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861
btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195
btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130
open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128
vfs_get_tree+0x9a/0x370 fs/super.c:1758
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3642 [inline]
do_new_mount fs/namespace.c:3718 [inline]
path_mount+0x5b8/0x1ea0 fs/namespace.c:4028
do_mount fs/namespace.c:4041 [inline]
__do_sys_mount fs/namespace.c:4229 [inline]
__se_sys_mount fs/namespace.c:4206 [inline]
__x64_sys_mount+0x282/0x320 fs/namespace.c:4206
...
RIP: 0033:0x7f969c9a8fde
Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f
---[ end trace 0000000000000000 ]---
The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic
metadata fuzzing tool that corrupts btrfs metadata at runtime.
[CAUSE]
A non-zero drop_progress.objectid means an interrupted
btrfs_drop_snapshot() left a resume point on disk, and in that case
drop_level must be greater than 0 because the checkpoint is only
saved at internal node levels.
Although this invariant is enforced when the kernel writes the root
item, it is not validated when the root item is read back from disk.
That allows on-disk corruption to provide an invalid state with
drop_progress.objectid != 0 and drop_level == 0.
When relocation recovery later processes such a root item,
merge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The
same invalid metadata can also trigger the corresponding BUG_ON() in
btrfs_drop_snapshot().
[FIX]
Fix this by validating the root_item invariant in tree-checker when
reading root items from disk: if drop_progress.objectid is non-zero,
drop_level must also be non-zero. Reject such malformed metadata with
-EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot()
and triggers the BUG_ON.
After the fix, the same corruption is correctly rejected by tree-checker
and the BUG_ON is no longer triggered.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < bedaf7d0b9d793e116f16b4d9a7dbc94bcc80443 (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < ac68a9a8e481ab1becaed29d6d23087dac3de15d (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < 295f8075d00442d71dc9ccae421ace1c0d2d9224 (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < 53ceedd1eb6280ca8359664e0226983eded2ed73 (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < 850de3d87f4720b71ccdcd44f4aa57e46b53a3f3 (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < de585ee18dd5601745f65a60fef7b7ceebd78c83 (git) |
| Linux | Linux | Affected: 9f3a742736cecda5a8778be70faa2f779458839f , < b17b79ff896305fd74980a5f72afec370ee88ca4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bedaf7d0b9d793e116f16b4d9a7dbc94bcc80443",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "ac68a9a8e481ab1becaed29d6d23087dac3de15d",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "295f8075d00442d71dc9ccae421ace1c0d2d9224",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "53ceedd1eb6280ca8359664e0226983eded2ed73",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "850de3d87f4720b71ccdcd44f4aa57e46b53a3f3",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "de585ee18dd5601745f65a60fef7b7ceebd78c83",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
},
{
"lessThan": "b17b79ff896305fd74980a5f72afec370ee88ca4",
"status": "affected",
"version": "9f3a742736cecda5a8778be70faa2f779458839f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-checker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject root items with drop_progress and zero drop_level\n\n[BUG]\nWhen recovering relocation at mount time, merge_reloc_root() and\nbtrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against\nan impossible state: a non-zero drop_progress combined with a zero\ndrop_level in a root_item, which can be triggered:\n\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/relocation.c:1545!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2\nRIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545\nCode: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000\nCall Trace:\n merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861\n btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195\n btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130\n open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640\n btrfs_fill_super fs/btrfs/super.c:987 [inline]\n btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]\n btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128\n vfs_get_tree+0x9a/0x370 fs/super.c:1758\n fc_mount fs/namespace.c:1199 [inline]\n do_new_mount_fc fs/namespace.c:3642 [inline]\n do_new_mount fs/namespace.c:3718 [inline]\n path_mount+0x5b8/0x1ea0 fs/namespace.c:4028\n do_mount fs/namespace.c:4041 [inline]\n __do_sys_mount fs/namespace.c:4229 [inline]\n __se_sys_mount fs/namespace.c:4206 [inline]\n __x64_sys_mount+0x282/0x320 fs/namespace.c:4206\n ...\nRIP: 0033:0x7f969c9a8fde\nCode: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f\n---[ end trace 0000000000000000 ]---\n\nThe bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic\nmetadata fuzzing tool that corrupts btrfs metadata at runtime.\n\n[CAUSE]\nA 
non-zero drop_progress.objectid means an interrupted\nbtrfs_drop_snapshot() left a resume point on disk, and in that case\ndrop_level must be greater than 0 because the checkpoint is only\nsaved at internal node levels.\n\nAlthough this invariant is enforced when the kernel writes the root\nitem, it is not validated when the root item is read back from disk.\nThat allows on-disk corruption to provide an invalid state with\ndrop_progress.objectid != 0 and drop_level == 0.\n\nWhen relocation recovery later processes such a root item,\nmerge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The\nsame invalid metadata can also trigger the corresponding BUG_ON() in\nbtrfs_drop_snapshot().\n\n[FIX]\nFix this by validating the root_item invariant in tree-checker when\nreading root items from disk: if drop_progress.objectid is non-zero,\ndrop_level must also be non-zero. Reject such malformed metadata with\n-EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot()\nand triggers the BUG_ON.\n\nAfter the fix, the same corruption is correctly rejected by tree-checker\nand the BUG_ON is no longer triggered."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:31.818Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bedaf7d0b9d793e116f16b4d9a7dbc94bcc80443"
},
{
"url": "https://git.kernel.org/stable/c/ac68a9a8e481ab1becaed29d6d23087dac3de15d"
},
{
"url": "https://git.kernel.org/stable/c/295f8075d00442d71dc9ccae421ace1c0d2d9224"
},
{
"url": "https://git.kernel.org/stable/c/53ceedd1eb6280ca8359664e0226983eded2ed73"
},
{
"url": "https://git.kernel.org/stable/c/850de3d87f4720b71ccdcd44f4aa57e46b53a3f3"
},
{
"url": "https://git.kernel.org/stable/c/de585ee18dd5601745f65a60fef7b7ceebd78c83"
},
{
"url": "https://git.kernel.org/stable/c/b17b79ff896305fd74980a5f72afec370ee88ca4"
}
],
"title": "btrfs: reject root items with drop_progress and zero drop_level",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43046",
"datePublished": "2026-05-01T14:15:41.849Z",
"dateReserved": "2026-05-01T14:12:55.979Z",
"dateUpdated": "2026-05-02T06:14:31.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21682 (GCVE-0-2025-21682)
Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2026-03-25 10:19
Title
eth: bnxt: always recalculate features after XDP clearing, fix null-deref
Summary
In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: always recalculate features after XDP clearing, fix null-deref
Recalculate features when XDP is detached.
Before:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: off [requested on]
After:
# ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth0 xdp off
# ethtool -k eth0 | grep gro
rx-gro-hw: on
The fact that HW-GRO doesn't get re-enabled automatically is just
a minor annoyance. The real issue is that the features will randomly
come back during another reconfiguration which just happens to invoke
netdev_update_features(). The driver doesn't handle reconfiguring
two things at a time very robustly.
Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") we only reconfigure the RSS hash table
if the "effective" number of Rx rings has changed. If HW-GRO is
enabled "effective" number of rings is 2x what user sees.
So if we are in the bad state, with HW-GRO re-enablement "pending"
after XDP off, and we lower the rings by / 2 - the HW-GRO rings
doing 2x and the ethtool -L doing / 2 may cancel each other out,
and the:
if (old_rx_rings != bp->hw_resc.resv_rx_rings &&
condition in __bnxt_reserve_rings() will be false.
The RSS map won't get updated, and we'll crash with:
BUG: kernel NULL pointer dereference, address: 0000000000000168
RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0
bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180
__bnxt_setup_vnic_p5+0x58/0x110
bnxt_init_nic+0xb72/0xf50
__bnxt_open_nic+0x40d/0xab0
bnxt_open_nic+0x2b/0x60
ethtool_set_channels+0x18c/0x1d0
As we try to access a freed ring.
The issue is present since XDP support was added, really, but
prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in
__bnxt_reserve_rings()") it wasn't causing major issues.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1054aee82321483dceabbb9b9e5d6512e8fe684b , < 076a694a42ae3f0466bc6e4126050eeb7b7d299a (git) |
| Linux | Linux | Affected: 1054aee82321483dceabbb9b9e5d6512e8fe684b , < 90336fc3d6f5e716ac39a9ddbbde453e23a5aa65 (git) |
| Linux | Linux | Affected: 1054aee82321483dceabbb9b9e5d6512e8fe684b , < 08831a894d18abfaabb5bbde7c2069a7fb41dd93 (git) |
| Linux | Linux | Affected: 1054aee82321483dceabbb9b9e5d6512e8fe684b , < f0aa6a37a3dbb40b272df5fc6db93c114688adcd (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:51:50.706963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:11.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt.h",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "076a694a42ae3f0466bc6e4126050eeb7b7d299a",
"status": "affected",
"version": "1054aee82321483dceabbb9b9e5d6512e8fe684b",
"versionType": "git"
},
{
"lessThan": "90336fc3d6f5e716ac39a9ddbbde453e23a5aa65",
"status": "affected",
"version": "1054aee82321483dceabbb9b9e5d6512e8fe684b",
"versionType": "git"
},
{
"lessThan": "08831a894d18abfaabb5bbde7c2069a7fb41dd93",
"status": "affected",
"version": "1054aee82321483dceabbb9b9e5d6512e8fe684b",
"versionType": "git"
},
{
"lessThan": "f0aa6a37a3dbb40b272df5fc6db93c114688adcd",
"status": "affected",
"version": "1054aee82321483dceabbb9b9e5d6512e8fe684b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt.h",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.11",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: always recalculate features after XDP clearing, fix null-deref\n\nRecalculate features when XDP is detached.\n\nBefore:\n # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n # ip li set dev eth0 xdp off\n # ethtool -k eth0 | grep gro\n rx-gro-hw: off [requested on]\n\nAfter:\n # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n # ip li set dev eth0 xdp off\n # ethtool -k eth0 | grep gro\n rx-gro-hw: on\n\nThe fact that HW-GRO doesn\u0027t get re-enabled automatically is just\na minor annoyance. The real issue is that the features will randomly\ncome back during another reconfiguration which just happens to invoke\nnetdev_update_features(). The driver doesn\u0027t handle reconfiguring\ntwo things at a time very robustly.\n\nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table\nif the \"effective\" number of Rx rings has changed. 
If HW-GRO is\nenabled \"effective\" number of rings is 2x what user sees.\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"\nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings\ndoing 2x and the ethtool -L doing / 2 may cancel each other out,\nand the:\n\n if (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings \u0026\u0026\n\ncondition in __bnxt_reserve_rings() will be false.\nThe RSS map won\u0027t get updated, and we\u0027ll crash with:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000168\n RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0\n bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180\n __bnxt_setup_vnic_p5+0x58/0x110\n bnxt_init_nic+0xb72/0xf50\n __bnxt_open_nic+0x40d/0xab0\n bnxt_open_nic+0x2b/0x60\n ethtool_set_channels+0x18c/0x1d0\n\nAs we try to access a freed ring.\n\nThe issue is present since XDP support was added, really, but\nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") it wasn\u0027t causing major issues."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:20.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/076a694a42ae3f0466bc6e4126050eeb7b7d299a"
},
{
"url": "https://git.kernel.org/stable/c/90336fc3d6f5e716ac39a9ddbbde453e23a5aa65"
},
{
"url": "https://git.kernel.org/stable/c/08831a894d18abfaabb5bbde7c2069a7fb41dd93"
},
{
"url": "https://git.kernel.org/stable/c/f0aa6a37a3dbb40b272df5fc6db93c114688adcd"
}
],
"title": "eth: bnxt: always recalculate features after XDP clearing, fix null-deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21682",
"datePublished": "2025-01-31T11:25:42.160Z",
"dateReserved": "2024-12-29T08:45:45.739Z",
"dateUpdated": "2026-03-25T10:19:20.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31483 (GCVE-0-2026-31483)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
s390/syscalls: Add spectre boundary for syscall dispatch table
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/syscalls: Add spectre boundary for syscall dispatch table
The s390 syscall number is directly controlled by userspace, but does
not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 3c3b97064764899c39a0abbd35a6caa031e70333 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 1cb9c7bc9025c637564fabc7fcc3c9343949e310 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 7a5260fbc6e79a1595328ec5c6aa3f937504a1f0 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < f8c444b918d639e1f9a621ee20fe481c1d10dfc4 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 87776f02449e3bded95b2ccbd6b012e9ae64e6f3 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 4d05dd18d867d58c6952a3bc260d244899da7256 (git) |
| Linux | Linux | Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 48b8814e25d073dd84daf990a879a820bad2bcbd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c3b97064764899c39a0abbd35a6caa031e70333",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "1cb9c7bc9025c637564fabc7fcc3c9343949e310",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "7a5260fbc6e79a1595328ec5c6aa3f937504a1f0",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "f8c444b918d639e1f9a621ee20fe481c1d10dfc4",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "87776f02449e3bded95b2ccbd6b012e9ae64e6f3",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "4d05dd18d867d58c6952a3bc260d244899da7256",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "48b8814e25d073dd84daf990a879a820bad2bcbd",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/syscalls: Add spectre boundary for syscall dispatch table\n\nThe s390 syscall number is directly controlled by userspace, but does\nnot have an array_index_nospec() boundary to prevent access past the\nsyscall function pointer tables."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:09.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c3b97064764899c39a0abbd35a6caa031e70333"
},
{
"url": "https://git.kernel.org/stable/c/1cb9c7bc9025c637564fabc7fcc3c9343949e310"
},
{
"url": "https://git.kernel.org/stable/c/7a5260fbc6e79a1595328ec5c6aa3f937504a1f0"
},
{
"url": "https://git.kernel.org/stable/c/f8c444b918d639e1f9a621ee20fe481c1d10dfc4"
},
{
"url": "https://git.kernel.org/stable/c/87776f02449e3bded95b2ccbd6b012e9ae64e6f3"
},
{
"url": "https://git.kernel.org/stable/c/4d05dd18d867d58c6952a3bc260d244899da7256"
},
{
"url": "https://git.kernel.org/stable/c/48b8814e25d073dd84daf990a879a820bad2bcbd"
}
],
"title": "s390/syscalls: Add spectre boundary for syscall dispatch table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31483",
"datePublished": "2026-04-22T13:54:09.561Z",
"dateReserved": "2026-03-09T15:48:24.101Z",
"dateUpdated": "2026-04-22T13:54:09.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31780 (GCVE-0-2026-31780)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:45
Title
wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
The variable valuesize is declared as u8 but accumulates the total
length of all SSIDs to scan. Each SSID contributes up to 33 bytes
(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)
SSIDs the total can reach 330, which wraps around to 74 when stored
in a u8.
This causes kmalloc to allocate only 75 bytes while the subsequent
memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte
heap buffer overflow.
Widen valuesize from u8 to u32 to accommodate the full range.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 34a23fd9ddd683a03c7e8cc0ceded3e59e354b99 (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 549f02d8ec94d39092ab6d9b103d0d6783a4b024 (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < bfbddeadd4779651403035ee177ae2f22f9f5521 (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7 (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < c97b2a00059608592ad0d86fbb813a4f8cf9464b (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < d8388614de613c28eeb659c10115060a83739924 (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 0c7f21d8bd2f93998b72b7a7f93152336aeca4dd (git) |
| Linux | Linux | Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < d049e56b1739101d1c4d81deedb269c52a8dbba0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/hif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34a23fd9ddd683a03c7e8cc0ceded3e59e354b99",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "549f02d8ec94d39092ab6d9b103d0d6783a4b024",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "bfbddeadd4779651403035ee177ae2f22f9f5521",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "c97b2a00059608592ad0d86fbb813a4f8cf9464b",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "d8388614de613c28eeb659c10115060a83739924",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "0c7f21d8bd2f93998b72b7a7f93152336aeca4dd",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "d049e56b1739101d1c4d81deedb269c52a8dbba0",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/hif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation\n\nThe variable valuesize is declared as u8 but accumulates the total\nlength of all SSIDs to scan. Each SSID contributes up to 33 bytes\n(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)\nSSIDs the total can reach 330, which wraps around to 74 when stored\nin a u8.\n\nThis causes kmalloc to allocate only 75 bytes while the subsequent\nmemcpy writes up to 331 bytes into the buffer, resulting in a 256-byte\nheap buffer overflow.\n\nWiden valuesize from u8 to u32 to accommodate the full range."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:57.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99"
},
{
"url": "https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024"
},
{
"url": "https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521"
},
{
"url": "https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7"
},
{
"url": "https://git.kernel.org/stable/c/c97b2a00059608592ad0d86fbb813a4f8cf9464b"
},
{
"url": "https://git.kernel.org/stable/c/d8388614de613c28eeb659c10115060a83739924"
},
{
"url": "https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd"
},
{
"url": "https://git.kernel.org/stable/c/d049e56b1739101d1c4d81deedb269c52a8dbba0"
}
],
"title": "wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31780",
"datePublished": "2026-05-01T14:15:07.253Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-05-03T05:45:57.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43028 (GCVE-0-2026-43028)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
netfilter: x_tables: ensure names are nul-terminated
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: ensure names are nul-terminated
Reject names that lack a \0 character before feeding them
to functions that expect c-strings.
Fixes tag is the most recent commit that needs this change.
Severity
7.1 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_cgroup.c",
"net/netfilter/xt_rateest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bcac50ea0a29d430eedc5ac87b215393b567baa9",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "ea01c1b219f5a11c66918abaa6f052e5a74041d6",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "aa6cd4a8863391e0a64f62d8922cb0af732a2cf2",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "c2d4a3abb15ca14716c6d8b9ffcbcd7c63626af4",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "673bbd36cba21d10a10f0932f479df7468e26fbb",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "f419bdc205894750f4d3ec042bc87a1b9cde1351",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "73124608172890306b85f2206d8b3cac20e324f1",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
},
{
"lessThan": "a958a4f90ddd7de0800b33ca9d7b886b7d40f74e",
"status": "affected",
"version": "c38c4597e4bf3e99860eac98211748e1ecb0e139",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_cgroup.c",
"net/netfilter/xt_rateest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: ensure names are nul-terminated\n\nReject names that lack a \\0 character before feeding them\nto functions that expect c-strings.\n\nFixes tag is the most recent commit that needs this change."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:10.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bcac50ea0a29d430eedc5ac87b215393b567baa9"
},
{
"url": "https://git.kernel.org/stable/c/ea01c1b219f5a11c66918abaa6f052e5a74041d6"
},
{
"url": "https://git.kernel.org/stable/c/aa6cd4a8863391e0a64f62d8922cb0af732a2cf2"
},
{
"url": "https://git.kernel.org/stable/c/c2d4a3abb15ca14716c6d8b9ffcbcd7c63626af4"
},
{
"url": "https://git.kernel.org/stable/c/673bbd36cba21d10a10f0932f479df7468e26fbb"
},
{
"url": "https://git.kernel.org/stable/c/f419bdc205894750f4d3ec042bc87a1b9cde1351"
},
{
"url": "https://git.kernel.org/stable/c/73124608172890306b85f2206d8b3cac20e324f1"
},
{
"url": "https://git.kernel.org/stable/c/a958a4f90ddd7de0800b33ca9d7b886b7d40f74e"
}
],
"title": "netfilter: x_tables: ensure names are nul-terminated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43028",
"datePublished": "2026-05-01T14:15:29.192Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-03T05:46:10.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23270 (GCVE-0-2026-23270)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-04-18 08:57
Title
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to touch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_ct.c",
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc4e5bb529823a09f02dbe96169de679a9db26e0",
"status": "affected",
"version": "172ba7d46c202e679f3ccb10264c67416aaeb1c4",
"versionType": "git"
},
{
"lessThan": "fb3c380a54e33d1fd272cc342faa906d787d7ef1",
"status": "affected",
"version": "0b5b831122fc3789fff75be433ba3e4dd7b779d4",
"versionType": "git"
},
{
"lessThan": "5a110ddcc99bda77a28598b3555fe009eaab3828",
"status": "affected",
"version": "73f7da5fd124f2cda9161e2e46114915e6e82e97",
"versionType": "git"
},
{
"lessThan": "524ce8b4ea8f64900b6c52b6a28df74f6bc0801e",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "9deda0fcda5c1f388c5e279541850b71a2ccfcf4",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "11cb63b0d1a0685e0831ae3c77223e002ef18189",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"status": "affected",
"version": "f5346df0591d10bc948761ca854b1fae6d2ef441",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_ct.c",
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:30.870Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0"
},
{
"url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"
},
{
"url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"
},
{
"url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"
},
{
"url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"
},
{
"url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"
},
{
"url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"
}
],
"title": "net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23270",
"datePublished": "2026-03-18T17:54:43.803Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-18T08:57:30.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31466 (GCVE-0-2026-31466)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-22 13:53
Title
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
On an arm64 server, we found that a folio obtained from a migration entry isn't locked
in softleaf_to_folio(). This issue triggers when mTHP splitting and
zap_nonpresent_ptes() race, and the root cause is the lack of a memory barrier
in softleaf_to_folio(). The race is as follows:
CPU0                                              CPU1

deferred_split_scan()                             zap_nonpresent_ptes()
  lock folio
  split_folio()
  unmap_folio()
  change ptes to migration entries
  __split_folio_to_order()                        softleaf_to_folio()
  set flags(including PG_locked) for tail pages   folio = pfn_folio(softleaf_to_pfn(entry))
  smp_wmb()                                       VM_WARN_ON_ONCE(!folio_test_locked(folio))
  prep_compound_page() for tail pages
In __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages
are visible before the tail page becomes non-compound. smp_wmb() should
be paired with smp_rmb() in softleaf_to_folio(), which is missed. As a
result, if zap_nonpresent_ptes() accesses migration entry that stores tail
pfn, softleaf_to_folio() may see the updated compound_head of tail page
before page->flags.
This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()
because of the race between folio split and zap_nonpresent_ptes()
leading to a folio incorrectly undergoing modification without a folio
lock being held.
This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further
swapops predicates"), which is merged in v6.19-rc1.
To fix it, add missing smp_rmb() if the softleaf entry is migration entry
in softleaf_to_folio() and softleaf_to_page().
[tujinjiang@huawei.com: update function name and comments]
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/leafops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "426ee10711586617da869c8bb798214965337617",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "722cfaf6b31d31123439e67b5deac6b1261a3dea",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "7ddcf4a245c1c5a91fdd9698757e3d95179ffe41",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "b8c49ad888892ad7b77062b9c102b799a3e9b4f8",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "7ad1997b9bc8032603df8f091761114479285769",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
},
{
"lessThan": "4c5e7f0fcd592801c9cc18f29f80fbee84eb8669",
"status": "affected",
"version": "e9b61f19858a5d6c42ce2298cf138279375d0d9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/leafops.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix folio isn\u0027t locked in softleaf_to_folio()\n\nOn arm64 server, we found folio that get from migration entry isn\u0027t locked\nin softleaf_to_folio(). This issue triggers when mTHP splitting and\nzap_nonpresent_ptes() races, and the root cause is lack of memory barrier\nin softleaf_to_folio(). The race is as follows:\n\n\tCPU0 CPU1\n\ndeferred_split_scan() zap_nonpresent_ptes()\n lock folio\n split_folio()\n unmap_folio()\n change ptes to migration entries\n __split_folio_to_order() softleaf_to_folio()\n set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry))\n smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio))\n prep_compound_page() for tail pages\n\nIn __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages\nare visible before the tail page becomes non-compound. smp_wmb() should\nbe paired with smp_rmb() in softleaf_to_folio(), which is missed. As a\nresult, if zap_nonpresent_ptes() accesses migration entry that stores tail\npfn, softleaf_to_folio() may see the updated compound_head of tail page\nbefore page-\u003eflags.\n\nThis issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()\nbecause of the race between folio split and zap_nonpresent_ptes()\nleading to a folio incorrectly undergoing modification without a folio\nlock being held.\n\nThis is a BUG_ON() before commit 93976a20345b (\"mm: eliminate further\nswapops predicates\"), which in merged in v6.19-rc1.\n\nTo fix it, add missing smp_rmb() if the softleaf entry is migration entry\nin softleaf_to_folio() and softleaf_to_page().\n\n[tujinjiang@huawei.com: update function name and comments]"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:53:56.259Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/426ee10711586617da869c8bb798214965337617"
},
{
"url": "https://git.kernel.org/stable/c/f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd"
},
{
"url": "https://git.kernel.org/stable/c/722cfaf6b31d31123439e67b5deac6b1261a3dea"
},
{
"url": "https://git.kernel.org/stable/c/7ddcf4a245c1c5a91fdd9698757e3d95179ffe41"
},
{
"url": "https://git.kernel.org/stable/c/b8c49ad888892ad7b77062b9c102b799a3e9b4f8"
},
{
"url": "https://git.kernel.org/stable/c/7ad1997b9bc8032603df8f091761114479285769"
},
{
"url": "https://git.kernel.org/stable/c/8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7"
},
{
"url": "https://git.kernel.org/stable/c/4c5e7f0fcd592801c9cc18f29f80fbee84eb8669"
}
],
"title": "mm/huge_memory: fix folio isn\u0027t locked in softleaf_to_folio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31466",
"datePublished": "2026-04-22T13:53:56.259Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-04-22T13:53:56.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31469 (GCVE-0-2026-31469)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
and the device's IFF_XMIT_DST_RELEASE flag is cleared
(e.g., during the configuration of tc route filter rules).
When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
expects the driver to hold the reference to skb->dst until the packet
is fully transmitted and freed. In virtio_net with napi_tx=N,
skbs may remain in the virtio transmit ring for an extended period.
If the network namespace is destroyed while these skbs are still pending,
the corresponding dst_ops structure has been freed. When a subsequent packet
is transmitted, free_old_xmit() is triggered to clean up old skbs.
It then calls dst_release() on the skb associated with the stale dst_entry.
Since the dst_ops (referenced by the dst_entry) has already been freed,
a UAF kernel paging request occurs.
Fix it by adding skb_dst_drop(skb) in start_xmit to explicitly release
the dst reference before the skb is queued in virtio_net.
Call Trace:
Unable to handle kernel paging request at virtual address ffff80007e150000
CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
...
percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
dst_release+0xe0/0x110 net/core/dst.c:177
skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
__free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
...
Reproduction Steps:
NETDEV="enp3s0"

config_qdisc_route_filter() {
    tc qdisc del dev $NETDEV root
    tc qdisc add dev $NETDEV root handle 1: prio
    tc filter add dev $NETDEV parent 1:0 \
        protocol ip prio 100 route to 100 flowid 1:1
    ip route add 192.168.1.100/32 dev $NETDEV realm 100
}

test_ns() {
    ip netns add testns
    ip link set $NETDEV netns testns
    ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
    ip netns exec testns ping -c 1 10.0.32.1
    ip netns del testns
}

config_qdisc_route_filter
test_ns
sleep 2
test_ns
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be0e63f3b97bbaf453c542e8a15ba2a536e2ac01",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "c1ec36cb3768574b916f20d2d7415fd14fa1bf12",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "8a4790850e710fd6771e4d2112168ed1dd6c0e54",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "fedd2e1630cac920844997227ccbe7b26a76375a",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "f04733c4dc40c43899c3d1c97afbae5831a3770f",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "9a18629f2525781f0f3dda7be72b204e4cf77d08",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "63d45077b97bb0e0fe0c75931acbbca7a47af141",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
},
{
"lessThan": "ba8bda9a0896746053aa97ac6c3e08168729172c",
"status": "affected",
"version": "f2fc6a54585a1be6669613a31fbaba2ecbadcd36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device\u0027s IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb-\u003edst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n ...\n percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n dst_release+0xe0/0x110 net/core/dst.c:177\n skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]\n free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n tc qdisc del dev $NETDEV root\n tc qdisc add dev $NETDEV root handle 1: prio\n tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n ip netns add testns\n ip link set $NETDEV netns testns\n ip netns exec testns ifconfig $NETDEV 10.0.32.46/24\n ip netns exec testns ping -c 1 10.0.32.1\n ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:23.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be0e63f3b97bbaf453c542e8a15ba2a536e2ac01"
},
{
"url": "https://git.kernel.org/stable/c/c1ec36cb3768574b916f20d2d7415fd14fa1bf12"
},
{
"url": "https://git.kernel.org/stable/c/8a4790850e710fd6771e4d2112168ed1dd6c0e54"
},
{
"url": "https://git.kernel.org/stable/c/fedd2e1630cac920844997227ccbe7b26a76375a"
},
{
"url": "https://git.kernel.org/stable/c/f04733c4dc40c43899c3d1c97afbae5831a3770f"
},
{
"url": "https://git.kernel.org/stable/c/9a18629f2525781f0f3dda7be72b204e4cf77d08"
},
{
"url": "https://git.kernel.org/stable/c/63d45077b97bb0e0fe0c75931acbbca7a47af141"
},
{
"url": "https://git.kernel.org/stable/c/ba8bda9a0896746053aa97ac6c3e08168729172c"
}
],
"title": "virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31469",
"datePublished": "2026-04-22T13:53:58.266Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-04-27T14:03:23.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31721 (GCVE-0-2026-31721)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-02 06:14
Title
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL
When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
within remove_wait_queue (via ep_remove_wait_queue). After some
debugging I found out that the queues, which f_hid registers via
poll_wait were the problem. These were initialized using
init_waitqueue_head inside hidg_bind. So effectively, the bind function
re-initialized the queues while there were still items in them.
The solution is to move the initialization from hidg_bind to hidg_alloc
to extend their lifetimes to the lifetime of the function instance.
Additionally, I found many other possibly problematic init calls in the
bind function, which I moved as well.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 13440c0db227c5db01da751ed966dde4cdd2ea18 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < de93e0862169b5539e00c2b9980b93fd80c37c0d (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 81aee4500055876883658b024b6fb61801afe134 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 8ec6a58586f195a88479edcdb0b8027c39f12d03 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < f7d00ee1c8082c8a134340aaf16d71a27e29c362 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 5d1bb391ceeebb28327703dd07af8c6324af298f (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 26a879a41ed960b3fb4ec773ef2788c515c0e488 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13440c0db227c5db01da751ed966dde4cdd2ea18",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "de93e0862169b5539e00c2b9980b93fd80c37c0d",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "81aee4500055876883658b024b6fb61801afe134",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "8ec6a58586f195a88479edcdb0b8027c39f12d03",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "f7d00ee1c8082c8a134340aaf16d71a27e29c362",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "5d1bb391ceeebb28327703dd07af8c6324af298f",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "26a879a41ed960b3fb4ec773ef2788c515c0e488",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "4e0a88254ad59f6c53a34bf5fa241884ec09e8b2",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: move list and spinlock inits from bind to alloc\n\nThere was an issue when you did the following:\n- setup and bind an hid gadget\n- open /dev/hidg0\n- use the resulting fd in EPOLL_CTL_ADD\n- unbind the UDC\n- bind the UDC\n- use the fd in EPOLL_CTL_DEL\n\nWhen CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported\nwithin remove_wait_queue (via ep_remove_wait_queue). After some\ndebugging I found out that the queues, which f_hid registers via\npoll_wait were the problem. These were initialized using\ninit_waitqueue_head inside hidg_bind. So effectively, the bind function\nre-initialized the queues while there were still items in them.\n\nThe solution is to move the initialization from hidg_bind to hidg_alloc\nto extend their lifetimes to the lifetime of the function instance.\n\nAdditionally, I found many other possibly problematic init calls in the\nbind function, which I moved as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:22.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18"
},
{
"url": "https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d"
},
{
"url": "https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134"
},
{
"url": "https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03"
},
{
"url": "https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362"
},
{
"url": "https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f"
},
{
"url": "https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488"
},
{
"url": "https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2"
}
],
"title": "usb: gadget: f_hid: move list and spinlock inits from bind to alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31721",
"datePublished": "2026-05-01T14:14:23.492Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-05-02T06:14:22.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23300 (GCVE-0-2026-23300)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
When a standalone IPv6 nexthop object is created with a loopback device
(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies
it as a reject route. This is because nexthop objects have no destination
prefix (fc_dst=::), causing fib6_is_reject() to match any loopback
nexthop. The reject path skips fib_nh_common_init(), leaving
nhc_pcpu_rth_output unallocated. If an IPv4 route later references this
nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and
panics.
Simplify the check in fib6_nh_init() to only match explicit reject
routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback
promotion heuristic in fib6_is_reject() is handled separately by
ip6_route_info_create_nh(). After this change, the three cases behave
as follows:
1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):
RTF_REJECT is set, enters reject path, skips fib_nh_common_init().
No behavior change.
2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. ip6_route_info_create_nh() still promotes it to reject
afterward. nhc_pcpu_rth_output is allocated but unused, which is
harmless.
3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):
RTF_REJECT is not set, takes normal path, fib_nh_common_init() is
called. nhc_pcpu_rth_output is properly allocated, fixing the crash
when IPv4 routes reference this nexthop.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 607e68c1b7c5a30c795571be1906d716e989a644 (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < c11d7c56c2076ee9cd72004f1976fe0734df2ae9 (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < b299121e7453d23faddf464087dff513a495b4fc (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < f7c9f8e3607440fe39300efbaf46cf7b5eecb23f (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < b3b5a037d520afe3d5276e653bc0ff516bbda34c (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 8650db85b4259d2885d2a80fbc2317ce24194133 (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 21ec92774d1536f71bdc90b0e3d052eff99cf093 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "607e68c1b7c5a30c795571be1906d716e989a644",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "c11d7c56c2076ee9cd72004f1976fe0734df2ae9",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "b299121e7453d23faddf464087dff513a495b4fc",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "f7c9f8e3607440fe39300efbaf46cf7b5eecb23f",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "b3b5a037d520afe3d5276e653bc0ff516bbda34c",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "8650db85b4259d2885d2a80fbc2317ce24194133",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "21ec92774d1536f71bdc90b0e3d052eff99cf093",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:47.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/607e68c1b7c5a30c795571be1906d716e989a644"
},
{
"url": "https://git.kernel.org/stable/c/c11d7c56c2076ee9cd72004f1976fe0734df2ae9"
},
{
"url": "https://git.kernel.org/stable/c/b5062fc2150614c9ea8a611c2e0cb6e047ebfa3a"
},
{
"url": "https://git.kernel.org/stable/c/b299121e7453d23faddf464087dff513a495b4fc"
},
{
"url": "https://git.kernel.org/stable/c/f7c9f8e3607440fe39300efbaf46cf7b5eecb23f"
},
{
"url": "https://git.kernel.org/stable/c/b3b5a037d520afe3d5276e653bc0ff516bbda34c"
},
{
"url": "https://git.kernel.org/stable/c/8650db85b4259d2885d2a80fbc2317ce24194133"
},
{
"url": "https://git.kernel.org/stable/c/21ec92774d1536f71bdc90b0e3d052eff99cf093"
}
],
"title": "net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23300",
"datePublished": "2026-03-25T10:26:56.138Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:47.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31738 (GCVE-0-2026-31738)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
vxlan: validate ND option lengths in vxlan_na_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: validate ND option lengths in vxlan_na_create
vxlan_na_create() walks ND options according to option-provided
lengths. A malformed option can make the parser advance beyond the
computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 901c1dd3bab2955d7e664f914c374c8c3ac2b958 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < e476745917a1e288eb15e7ff49d286a86a4861d3 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 2029712fb2c87e9a8c75094906f2ee29bf08c500 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 602596c69a70e50d9ab8c6ae0290a01f88229dd7 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < de20d2e3b9179d132f5f5b44e490d7c916c6321b (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < eddfce70a6f3107d1679b0c2fcbeb96b593bd679 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < b69c4236255bd8de16cd876e58c6f0867d1d78b1 (git) |
| Linux | Linux | Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < afa9a05e6c4971bd5586f1b304e14d61fb3d9385 (git) |
| Linux | Linux | Affected: d8be18c52dbc94989f6d74637b731af39cd3d902 (git) |
| Linux | Linux | Affected: 3927dace523706cc00f808520eaf2125dd7c07b5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "901c1dd3bab2955d7e664f914c374c8c3ac2b958",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "e476745917a1e288eb15e7ff49d286a86a4861d3",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "2029712fb2c87e9a8c75094906f2ee29bf08c500",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "602596c69a70e50d9ab8c6ae0290a01f88229dd7",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "de20d2e3b9179d132f5f5b44e490d7c916c6321b",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "eddfce70a6f3107d1679b0c2fcbeb96b593bd679",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "b69c4236255bd8de16cd876e58c6f0867d1d78b1",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "afa9a05e6c4971bd5586f1b304e14d61fb3d9385",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"status": "affected",
"version": "d8be18c52dbc94989f6d74637b731af39cd3d902",
"versionType": "git"
},
{
"status": "affected",
"version": "3927dace523706cc00f808520eaf2125dd7c07b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: validate ND option lengths in vxlan_na_create\n\nvxlan_na_create() walks ND options according to option-provided\nlengths. A malformed option can make the parser advance beyond the\ncomputed option span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:34.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958"
},
{
"url": "https://git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3"
},
{
"url": "https://git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500"
},
{
"url": "https://git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7"
},
{
"url": "https://git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321b"
},
{
"url": "https://git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679"
},
{
"url": "https://git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1"
},
{
"url": "https://git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385"
}
],
"title": "vxlan: validate ND option lengths in vxlan_na_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31738",
"datePublished": "2026-05-01T14:14:34.900Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-01T14:14:34.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31773 (GCVE-0-2026-31773)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:45
Title
Bluetooth: SMP: derive legacy responder STK authentication from MITM state
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SMP: derive legacy responder STK authentication from MITM state
The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.
For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.
This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Severity
8.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a38659a3d06080715691bd3139f9c4b61f688e3",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "667f44f1392df6482483756458c48670e579e9ff",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "929db734d12db41ca5f95424db4612397f1bd4a7",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "b1c6a8e554a39b222c0879a288ea98e338fc4d77",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "0afc846bd80073ffcd2b8040f2b2fafaea3d9f72",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "061ee71ac6b03c9f8432fe49538c3682bfcf4cf3",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "9a6d0db176f082685e0b6149700c0baf3ce2aa8b",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"lessThan": "20756fec2f0108cb88e815941f1ffff88dc286fe",
"status": "affected",
"version": "fff3490f47810e2d34b91fb9e31103e923b11c2f",
"versionType": "git"
},
{
"status": "affected",
"version": "14ec593d6bb050cf40a4ade2f9ac9ca050e0412c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/smp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.15.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: derive legacy responder STK authentication from MITM state\n\nThe legacy responder path in smp_random() currently labels the stored\nSTK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.\nThat reflects what the local service requested, not what the pairing\nflow actually achieved.\n\nFor Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear\nand the resulting STK should remain unauthenticated even if the local\nside requested HIGH security. Use the established MITM state when\nstoring the responder STK so the key metadata matches the pairing result.\n\nThis also keeps the legacy path aligned with the Secure Connections code,\nwhich already treats JUST_WORKS/JUST_CFM as unauthenticated."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:54.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a38659a3d06080715691bd3139f9c4b61f688e3"
},
{
"url": "https://git.kernel.org/stable/c/667f44f1392df6482483756458c48670e579e9ff"
},
{
"url": "https://git.kernel.org/stable/c/929db734d12db41ca5f95424db4612397f1bd4a7"
},
{
"url": "https://git.kernel.org/stable/c/b1c6a8e554a39b222c0879a288ea98e338fc4d77"
},
{
"url": "https://git.kernel.org/stable/c/0afc846bd80073ffcd2b8040f2b2fafaea3d9f72"
},
{
"url": "https://git.kernel.org/stable/c/061ee71ac6b03c9f8432fe49538c3682bfcf4cf3"
},
{
"url": "https://git.kernel.org/stable/c/9a6d0db176f082685e0b6149700c0baf3ce2aa8b"
},
{
"url": "https://git.kernel.org/stable/c/20756fec2f0108cb88e815941f1ffff88dc286fe"
}
],
"title": "Bluetooth: SMP: derive legacy responder STK authentication from MITM state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31773",
"datePublished": "2026-05-01T14:15:01.277Z",
"dateReserved": "2026-03-09T15:48:24.140Z",
"dateUpdated": "2026-05-03T05:45:54.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23388 (GCVE-0-2026-23388)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:28 – Updated: 2026-04-18 08:58
Title
Squashfs: check metadata block offset is within range
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check metadata block offset is within range
Syzkaller reports a "general protection fault in squashfs_copy_data"
This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.
The fix is to check that the offset is within range in
squashfs_read_metadata. This will trap this and other cases.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60f679f643f3f36a8571ea585e4ce5d93ef952b5",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "3f68a9457a6190814377577374da75f872e0a013",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "0c8ab092aec3ac4294940054772d30b511b16713",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "6b847d65f5b0065e02080c61fad93d57d6686383",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "01ee0bcc29864b78249308e8b35042b09bbf5fe3",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "3b9499e7d677dd4366239a292238489a804936b2",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "fdb24a820a5832ec4532273282cbd4f22c291a0d",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:25.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60f679f643f3f36a8571ea585e4ce5d93ef952b5"
},
{
"url": "https://git.kernel.org/stable/c/3f68a9457a6190814377577374da75f872e0a013"
},
{
"url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"
},
{
"url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"
},
{
"url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"
},
{
"url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"
},
{
"url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"
},
{
"url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"
}
],
"title": "Squashfs: check metadata block offset is within range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23388",
"datePublished": "2026-03-25T10:28:06.224Z",
"dateReserved": "2026-01-13T15:37:46.008Z",
"dateUpdated": "2026-04-18T08:58:25.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23351 (GCVE-0-2026-23351)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
Yiming Qian reports Use-after-free in the pipapo set type:
Under a large number of expired elements, commit-time GC can run for a very
long time in a non-preemptible context, triggering soft lockup warnings and
RCU stall reports (local denial of service).
We must split GC in an unlink and a reclaim phase.
We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.
call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.
This is a similar approach as done recently for the rbtree backend in commit
35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ca51b9fb85477ab92a04295aed34b38f7c062e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "16f3595c0441d87dfa005c47d8f95be213afaa9e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "7864c667aed01a58b87ca518a631322cd0ac34c0",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "c12d570d71920903a1a0468b7d13b085203d0c93",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "500a50a301ce962b019ab95053ac70264fec2c21",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "aff13667708dfa0dce136b8efd81baa9fa6ef261",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "9df95785d3d8302f7c066050117b04cd3c2048c2",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_pipapo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n Under a large number of expired elements, commit-time GC can run for a very\n long time in a non-preemptible context, triggering soft lockup warnings and\n RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free\u0027d element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don\u0027t gc elements on insert\")."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:05.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ca51b9fb85477ab92a04295aed34b38f7c062e"
},
{
"url": "https://git.kernel.org/stable/c/c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a"
},
{
"url": "https://git.kernel.org/stable/c/16f3595c0441d87dfa005c47d8f95be213afaa9e"
},
{
"url": "https://git.kernel.org/stable/c/7864c667aed01a58b87ca518a631322cd0ac34c0"
},
{
"url": "https://git.kernel.org/stable/c/c12d570d71920903a1a0468b7d13b085203d0c93"
},
{
"url": "https://git.kernel.org/stable/c/500a50a301ce962b019ab95053ac70264fec2c21"
},
{
"url": "https://git.kernel.org/stable/c/aff13667708dfa0dce136b8efd81baa9fa6ef261"
},
{
"url": "https://git.kernel.org/stable/c/9df95785d3d8302f7c066050117b04cd3c2048c2"
}
],
"title": "netfilter: nft_set_pipapo: split gc into unlink and reclaim phase",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23351",
"datePublished": "2026-03-25T10:27:36.854Z",
"dateReserved": "2026-01-13T15:37:45.999Z",
"dateUpdated": "2026-04-18T08:58:05.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43033 (GCVE-0-2026-43033)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Thanks,
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c62f618576519dbed6816fafc623ce592953025",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d589abd8b019b07075fda255ceab8c8e950cdb3f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d0c4ff6812386880f30bc64c2921299cc4d7b47f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "89fe118b6470119b20c04afc36e45b81a69ea11f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "153d5520c3f9fd62e71c7e7f9e34b59cf411e555",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "cded4002d22177e8deaca1f257ecd932c9582b6b",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "e02494114ebf7c8b42777c6cd6982f113bfdbec7",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:15.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c62f618576519dbed6816fafc623ce592953025"
},
{
"url": "https://git.kernel.org/stable/c/d589abd8b019b07075fda255ceab8c8e950cdb3f"
},
{
"url": "https://git.kernel.org/stable/c/5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5"
},
{
"url": "https://git.kernel.org/stable/c/d0c4ff6812386880f30bc64c2921299cc4d7b47f"
},
{
"url": "https://git.kernel.org/stable/c/89fe118b6470119b20c04afc36e45b81a69ea11f"
},
{
"url": "https://git.kernel.org/stable/c/153d5520c3f9fd62e71c7e7f9e34b59cf411e555"
},
{
"url": "https://git.kernel.org/stable/c/cded4002d22177e8deaca1f257ecd932c9582b6b"
},
{
"url": "https://git.kernel.org/stable/c/e02494114ebf7c8b42777c6cd6982f113bfdbec7"
}
],
"title": "crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43033",
"datePublished": "2026-05-01T14:15:32.583Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-03T05:46:15.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43051 (GCVE-0-2026-43051)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 5b5b9730111808410e404ceac2fabd32eef92fbd (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < fa8901cb1f0b2113a342db93bd5684b59fe99dcf (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 8bd690ac1242332c73cba10dacdad6c6642bbb94 (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 41026bcc0fdf82605205c27935ef719cbc07193b (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < c8dc23c97680eebefde06da5858aaef1b37cf75d (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 3d78386b144453c47e81bf62dc3601b757f02d99 (git) |
| Linux | Linux | Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 2f1763f62909ccb6386ac50350fa0abbf5bb16a9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "5b5b9730111808410e404ceac2fabd32eef92fbd",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "fa8901cb1f0b2113a342db93bd5684b59fe99dcf",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "8bd690ac1242332c73cba10dacdad6c6642bbb94",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "41026bcc0fdf82605205c27935ef719cbc07193b",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "c8dc23c97680eebefde06da5858aaef1b37cf75d",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "3d78386b144453c47e81bf62dc3601b757f02d99",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "2f1763f62909ccb6386ac50350fa0abbf5bb16a9",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:24.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada"
},
{
"url": "https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd"
},
{
"url": "https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf"
},
{
"url": "https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94"
},
{
"url": "https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b"
},
{
"url": "https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d"
},
{
"url": "https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99"
},
{
"url": "https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9"
}
],
"title": "HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43051",
"datePublished": "2026-05-01T14:15:45.314Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-03T05:46:24.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40005 (GCVE-0-2025-40005)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2026-03-25 10:19
Title
spi: cadence-quadspi: Implement refcount to handle unbind during busy
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: Implement refcount to handle unbind during busy
driver support indirect read and indirect write operation with
assumption no force device removal(unbind) operation. However
force device removal(removal) is still available to root superuser.
Unbinding driver during operation causes kernel crash. This changes
ensure driver able to handle such operation for indirect read and
indirect write by implementing refcount to track attached devices
to the controller and gracefully wait and until attached devices
remove operation completed before proceed with removal operation.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a314f6367787ee1d767df9a2120f17e4511144d0 , < 56787f4a75907ae99b5f5842b756fa68e2482f6d (git) |
| Linux | Linux | Affected: a314f6367787ee1d767df9a2120f17e4511144d0 , < 8df235f768cea7a5829cb02525622646eb0df5f5 (git) |
| Linux | Linux | Affected: a314f6367787ee1d767df9a2120f17e4511144d0 , < 65ed52200080eafce3eead05cf22ce01238defca (git) |
| Linux | Linux | Affected: a314f6367787ee1d767df9a2120f17e4511144d0 , < b7ec8a2b094a33d0464958c2cbf75b8f229098b0 (git) |
| Linux | Linux | Affected: a314f6367787ee1d767df9a2120f17e4511144d0 , < 7446284023e8ef694fb392348185349c773eefb3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56787f4a75907ae99b5f5842b756fa68e2482f6d",
"status": "affected",
"version": "a314f6367787ee1d767df9a2120f17e4511144d0",
"versionType": "git"
},
{
"lessThan": "8df235f768cea7a5829cb02525622646eb0df5f5",
"status": "affected",
"version": "a314f6367787ee1d767df9a2120f17e4511144d0",
"versionType": "git"
},
{
"lessThan": "65ed52200080eafce3eead05cf22ce01238defca",
"status": "affected",
"version": "a314f6367787ee1d767df9a2120f17e4511144d0",
"versionType": "git"
},
{
"lessThan": "b7ec8a2b094a33d0464958c2cbf75b8f229098b0",
"status": "affected",
"version": "a314f6367787ee1d767df9a2120f17e4511144d0",
"versionType": "git"
},
{
"lessThan": "7446284023e8ef694fb392348185349c773eefb3",
"status": "affected",
"version": "a314f6367787ee1d767df9a2120f17e4511144d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.125",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Implement refcount to handle unbind during busy\n\ndriver support indirect read and indirect write operation with\nassumption no force device removal(unbind) operation. However\nforce device removal(removal) is still available to root superuser.\n\nUnbinding driver during operation causes kernel crash. This changes\nensure driver able to handle such operation for indirect read and\nindirect write by implementing refcount to track attached devices\nto the controller and gracefully wait and until attached devices\nremove operation completed before proceed with removal operation."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:44.008Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d"
},
{
"url": "https://git.kernel.org/stable/c/8df235f768cea7a5829cb02525622646eb0df5f5"
},
{
"url": "https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca"
},
{
"url": "https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0"
},
{
"url": "https://git.kernel.org/stable/c/7446284023e8ef694fb392348185349c773eefb3"
}
],
"title": "spi: cadence-quadspi: Implement refcount to handle unbind during busy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40005",
"datePublished": "2025-10-20T15:26:52.315Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2026-03-25T10:19:44.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31758 (GCVE-0-2026-31758)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-03 05:45
Title
usb: usbtmc: Flush anchored URBs in usbtmc_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: usbtmc: Flush anchored URBs in usbtmc_release
When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 959ef329071136e4335b54822fe2f607659b4569 (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < e189d443767f7cd390c52f2e122e1fc41c7562d6 (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 95e09b07e50290254b28b8395509473104518f8c (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1 (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 977b632db51d231dec0bc571089a5c2402674139 (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < d40198de50232e04c14c6e2092e896766c95ea48 (git) |
| Linux | Linux | Affected: 4f3c8d6eddc272b386464524235440a418ed2029 , < 8a768552f7a8276fb9e01d49773d2094ace7c8f1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "959ef329071136e4335b54822fe2f607659b4569",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "e189d443767f7cd390c52f2e122e1fc41c7562d6",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "95e09b07e50290254b28b8395509473104518f8c",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "977b632db51d231dec0bc571089a5c2402674139",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "d40198de50232e04c14c6e2092e896766c95ea48",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
},
{
"lessThan": "8a768552f7a8276fb9e01d49773d2094ace7c8f1",
"status": "affected",
"version": "4f3c8d6eddc272b386464524235440a418ed2029",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Flush anchored URBs in usbtmc_release\n\nWhen calling usbtmc_release, pending anchored URBs must be flushed or\nkilled to prevent use-after-free errors (e.g. in the HCD giveback\npath). Call usbtmc_draw_down() to allow anchored URBs to be completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:46.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/959ef329071136e4335b54822fe2f607659b4569"
},
{
"url": "https://git.kernel.org/stable/c/e189d443767f7cd390c52f2e122e1fc41c7562d6"
},
{
"url": "https://git.kernel.org/stable/c/7fa8f61bab3fb75b5deba8a0f3abb74dc5068d9f"
},
{
"url": "https://git.kernel.org/stable/c/95e09b07e50290254b28b8395509473104518f8c"
},
{
"url": "https://git.kernel.org/stable/c/d13318dec0c1e0e2ac16f8ecbd522db14cea4bb1"
},
{
"url": "https://git.kernel.org/stable/c/977b632db51d231dec0bc571089a5c2402674139"
},
{
"url": "https://git.kernel.org/stable/c/d40198de50232e04c14c6e2092e896766c95ea48"
},
{
"url": "https://git.kernel.org/stable/c/8a768552f7a8276fb9e01d49773d2094ace7c8f1"
}
],
"title": "usb: usbtmc: Flush anchored URBs in usbtmc_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31758",
"datePublished": "2026-05-01T14:14:48.390Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-03T05:45:46.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23307 (GCVE-0-2026-23307)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
Title
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
When looking at the data in a USB urb, the actual_length is the size of
the buffer passed to the driver, not the transfer_buffer_length which is
set by the driver as the max size of the buffer.
When parsing the messages in ems_usb_read_bulk_callback() properly check
the size both at the beginning of parsing the message to make sure it is
big enough for the expected structure, and at the end of the message to
make sure we don't overflow past the end of the buffer for the next
message.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < aed172a2e2330131f0977d2acd3ec8883f413ec1 (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < f10177e6c4575aedaea580ce67d792fab7a2235e (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < c703bbf8e9b4947e111c88d2ed09236a6772a471 (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 1818974e1b5ef200e27f144c8cb8a246420bb54d (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 18f75b9cbdc3703f15965425ab69dee509b07785 (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 1cf469026d4a2308eaa91d04dca4a900d07a5c2e (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 2833e13e2b099546abf5d40a483b4eb04ddd1f7b (git) |
| Linux | Linux | Affected: 702171adeed3607ee9603ec30ce081411e36ae42 , < 38a01c9700b0dcafe97dfa9dc7531bf4a245deff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aed172a2e2330131f0977d2acd3ec8883f413ec1",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "f10177e6c4575aedaea580ce67d792fab7a2235e",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "c703bbf8e9b4947e111c88d2ed09236a6772a471",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "1818974e1b5ef200e27f144c8cb8a246420bb54d",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "18f75b9cbdc3703f15965425ab69dee509b07785",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "1cf469026d4a2308eaa91d04dca4a900d07a5c2e",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "2833e13e2b099546abf5d40a483b4eb04ddd1f7b",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
},
{
"lessThan": "38a01c9700b0dcafe97dfa9dc7531bf4a245deff",
"status": "affected",
"version": "702171adeed3607ee9603ec30ce081411e36ae42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ems_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message\n\nWhen looking at the data in a USB urb, the actual_length is the size of\nthe buffer passed to the driver, not the transfer_buffer_length which is\nset by the driver as the max size of the buffer.\n\nWhen parsing the messages in ems_usb_read_bulk_callback() properly check\nthe size both at the beginning of parsing the message to make sure it is\nbig enough for the expected structure, and at the end of the message to\nmake sure we don\u0027t overflow past the end of the buffer for the next\nmessage."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:53.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aed172a2e2330131f0977d2acd3ec8883f413ec1"
},
{
"url": "https://git.kernel.org/stable/c/f10177e6c4575aedaea580ce67d792fab7a2235e"
},
{
"url": "https://git.kernel.org/stable/c/c703bbf8e9b4947e111c88d2ed09236a6772a471"
},
{
"url": "https://git.kernel.org/stable/c/1818974e1b5ef200e27f144c8cb8a246420bb54d"
},
{
"url": "https://git.kernel.org/stable/c/18f75b9cbdc3703f15965425ab69dee509b07785"
},
{
"url": "https://git.kernel.org/stable/c/1cf469026d4a2308eaa91d04dca4a900d07a5c2e"
},
{
"url": "https://git.kernel.org/stable/c/2833e13e2b099546abf5d40a483b4eb04ddd1f7b"
},
{
"url": "https://git.kernel.org/stable/c/38a01c9700b0dcafe97dfa9dc7531bf4a245deff"
}
],
"title": "can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23307",
"datePublished": "2026-03-25T10:27:02.746Z",
"dateReserved": "2026-01-13T15:37:45.994Z",
"dateUpdated": "2026-04-18T08:57:53.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43050 (GCVE-0-2026-43050)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-02 06:14
Title
atm: lec: fix use-after-free in sock_def_readable()
Summary
In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix use-after-free in sock_def_readable()

A race condition exists between lec_atm_close() setting priv->lecd
to NULL and concurrent access to priv->lecd in send_to_lecd(),
lec_handle_bridge(), and lec_atm_send(). When the socket is freed
via RCU while another thread is still using it, a use-after-free
occurs in sock_def_readable() when accessing the socket's wait queue.

The root cause is that lec_atm_close() clears priv->lecd without
any synchronization, while callers dereference priv->lecd without
any protection against concurrent teardown.

Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()
  for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference
  the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and
  lecd_attach()
- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),
  lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in
  lec_atm_close() to ensure all readers have completed before
  proceeding. This is safe since lec_atm_close() is called from
  vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close()
  since vcc_destroy_socket() already drains it after lec_atm_close()
  returns.

v2: Switch from spinlock + sock_hold/put approach to RCU to properly
fix the race. The v1 spinlock approach had two issues pointed out
by Eric Dumazet:
1. priv->lecd was still accessed directly after releasing the
   lock instead of using a local copy.
2. The spinlock did not prevent packets being queued after
   lec_atm_close() drains sk_receive_queue since timer and
   workqueue paths bypass netif_stop_queue().

Note: Syzbot patch testing was attempted but the test VM terminated
unexpectedly with "Connection to localhost closed by remote host",
likely due to a QEMU AHCI emulation issue unrelated to this fix.
Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3e8b25f32f2f35549d03d77da030a24a45bdef5b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 750a33f417f3d196b86375f8d9f8938bacf130fe (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 317843d5355062020649124eb4a0d7acbcc3f53e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b256d055da47258e63f8b40965f276c5f23d229a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3989740fa4978e1d2d51ecc62be1b01093e104ad (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < abc10f85a3965ac14b9ed7ad3e67b35604a63aa3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5fbbb1ff936d7ff9528d929c1549977e8123d8a8 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 922814879542c2e397b0e9641fd36b8202a8e555 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c",
"net/atm/lec.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e8b25f32f2f35549d03d77da030a24a45bdef5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "750a33f417f3d196b86375f8d9f8938bacf130fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "317843d5355062020649124eb4a0d7acbcc3f53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b256d055da47258e63f8b40965f276c5f23d229a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3989740fa4978e1d2d51ecc62be1b01093e104ad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "abc10f85a3965ac14b9ed7ad3e67b35604a63aa3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5fbbb1ff936d7ff9528d929c1549977e8123d8a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "922814879542c2e397b0e9641fd36b8202a8e555",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c",
"net/atm/lec.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv-\u003elecd\nto NULL and concurrent access to priv-\u003elecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket\u0027s wait queue.\n\nThe root cause is that lec_atm_close() clears priv-\u003elecd without\nany synchronization, while callers dereference priv-\u003elecd without\nany protection against concurrent teardown.\n\nFix this by converting priv-\u003elecd to an RCU-protected pointer:\n- Mark priv-\u003elecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n lec_atm_close() to ensure all readers have completed before\n proceeding. This is safe since lec_atm_close() is called from\n vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n since vcc_destroy_socket() already drains it after lec_atm_close()\n returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n fix the race. The v1 spinlock approach had two issues pointed out\n by Eric Dumazet:\n 1. priv-\u003elecd was still accessed directly after releasing the\n lock instead of using a local copy.\n 2. 
The spinlock did not prevent packets being queued after\n lec_atm_close() drains sk_receive_queue since timer and\n workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n unexpectedly with \"Connection to localhost closed by remote host\",\n likely due to a QEMU AHCI emulation issue unrelated to this fix.\n Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:36.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b"
},
{
"url": "https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe"
},
{
"url": "https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e"
},
{
"url": "https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a"
},
{
"url": "https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad"
},
{
"url": "https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3"
},
{
"url": "https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8"
},
{
"url": "https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555"
}
],
"title": "atm: lec: fix use-after-free in sock_def_readable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43050",
"datePublished": "2026-05-01T14:15:44.542Z",
"dateReserved": "2026-05-01T14:12:55.979Z",
"dateUpdated": "2026-05-02T06:14:36.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40016 (GCVE-0-2025-40016)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:29 – Updated: 2026-04-18 08:57
Title
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID

Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
unique ID.

```
Each Unit and Terminal within the video function is assigned a unique
identification number, the Unit ID (UID) or Terminal ID (TID), contained in
the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
reserved for undefined ID,
```

If we add a new entity with id 0 or a duplicated ID, it will be marked
as UVC_INVALID_ENTITY_ID.

In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require
entities to have a non-zero unique ID"), we ignored all the invalid units,
this broke a lot of non-compatible cameras. Hopefully we are more lucky
this time.

This also prevents some syzkaller reproducers from triggering warnings due
to a chain of entities referring to themselves. In one particular case, an
Output Unit is connected to an Input Unit, both with the same ID of 1. But
when looking up for the source ID of the Output Unit, that same entity is
found instead of the input entity, which leads to such warnings.

In another case, a backward chain was considered finished as the source ID
was 0. Later on, that entity was found, but its pads were not valid.

Here is a sample stack trace for one of those cases.
[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
[ 20.833501] usb 1-1: config 0 descriptor??
[ 21.038518] usb 1-1: string descriptor 0 read error: -71
[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
[ 21.042218] ------------[ cut here ]------------
[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
[ 21.043195] Modules linked in:
[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 21.044639] Workqueue: usb_hub_wq hub_event
[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
[ 21.051136] PKRU: 55555554
[ 21.051331] Call Trace:
[ 21.051480] <TASK>
[ 21.051611] ? __warn+0xc4/0x210
[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
[ 21.052252] ? report_bug+0x11b/0x1a0
[ 21.052540] ? trace_hardirqs_on+0x31/0x40
[ 21.052901] ? handle_bug+0x3d/0x70
[ 21.053197] ? exc_invalid_op+0x1a/0x50
[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
[ 21.053924] ? media_create_pad_link+0x91/0x2e0
[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
[ 21.054834] ? media_create_pad_link+0x91/0x2e0
[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
[ 21.055837] uvc_mc_register_entities+0x358/0x400
[ 21.056144] uvc_register_chains+0x1
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 983a1d327e2642832a43f969761e27339b0d2a8f (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 59f64514bc347d0e93b70c6b612ad824b63ae7ca (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < f617d515d66c05e9aebc787a8fe48b7163fc7b70 (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 000b2a6bed7f30e0aadfb19bce9af6458d879304 (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 15c0e136bd8cd70a1136a11c7876d6aae0eef8c8 (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 0f140cede24334b3ee55e3e1127071266cbb8287 (git) |
| Linux | Linux | Affected: a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b , < 0e2ee70291e64a30fe36960c85294726d34a103e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "983a1d327e2642832a43f969761e27339b0d2a8f",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "59f64514bc347d0e93b70c6b612ad824b63ae7ca",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "f617d515d66c05e9aebc787a8fe48b7163fc7b70",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "000b2a6bed7f30e0aadfb19bce9af6458d879304",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "15c0e136bd8cd70a1136a11c7876d6aae0eef8c8",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0f140cede24334b3ee55e3e1127071266cbb8287",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
},
{
"lessThan": "0e2ee70291e64a30fe36960c85294726d34a103e",
"status": "affected",
"version": "a3fbc2e6bb05a3b1ea341cd29dea09b4a033727b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c",
"drivers/media/usb/uvc/uvcvideo.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID\n\nPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero\nunique ID.\n\n```\nEach Unit and Terminal within the video function is assigned a unique\nidentification number, the Unit ID (UID) or Terminal ID (TID), contained in\nthe bUnitID or bTerminalID field of the descriptor. The value 0x00 is\nreserved for undefined ID,\n```\n\nIf we add a new entity with id 0 or a duplicated ID, it will be marked\nas UVC_INVALID_ENTITY_ID.\n\nIn a previous attempt commit 3dd075fe8ebb (\"media: uvcvideo: Require\nentities to have a non-zero unique ID\"), we ignored all the invalid units,\nthis broke a lot of non-compatible cameras. Hopefully we are more lucky\nthis time.\n\nThis also prevents some syzkaller reproducers from triggering warnings due\nto a chain of entities referring to themselves. In one particular case, an\nOutput Unit is connected to an Input Unit, both with the same ID of 1. But\nwhen looking up for the source ID of the Output Unit, that same entity is\nfound instead of the input entity, which leads to such warnings.\n\nIn another case, a backward chain was considered finished as the source ID\nwas 0. 
Later on, that entity was found, but its pads were not valid.\n\nHere is a sample stack trace for one of those cases.\n\n[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd\n[ 20.830206] usb 1-1: Using ep0 maxpacket: 8\n[ 20.833501] usb 1-1: config 0 descriptor??\n[ 21.038518] usb 1-1: string descriptor 0 read error: -71\n[ 21.038893] usb 1-1: Found UVC 0.00 device \u003cunnamed\u003e (2833:0201)\n[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!\n[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!\n[ 21.042218] ------------[ cut here ]------------\n[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0\n[ 21.043195] Modules linked in:\n[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444\n[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[ 21.044639] Workqueue: usb_hub_wq hub_event\n[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0\n[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 \u003c0f\u003e 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00\n[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246\n[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1\n[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290\n[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000\n[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003\n[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000\n[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000\n[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0\n[ 
21.051136] PKRU: 55555554\n[ 21.051331] Call Trace:\n[ 21.051480] \u003cTASK\u003e\n[ 21.051611] ? __warn+0xc4/0x210\n[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.052252] ? report_bug+0x11b/0x1a0\n[ 21.052540] ? trace_hardirqs_on+0x31/0x40\n[ 21.052901] ? handle_bug+0x3d/0x70\n[ 21.053197] ? exc_invalid_op+0x1a/0x50\n[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20\n[ 21.053924] ? media_create_pad_link+0x91/0x2e0\n[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0\n[ 21.054834] ? media_create_pad_link+0x91/0x2e0\n[ 21.055131] ? _raw_spin_unlock+0x1e/0x40\n[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210\n[ 21.055837] uvc_mc_register_entities+0x358/0x400\n[ 21.056144] uvc_register_chains+0x1\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:05.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/983a1d327e2642832a43f969761e27339b0d2a8f"
},
{
"url": "https://git.kernel.org/stable/c/59f64514bc347d0e93b70c6b612ad824b63ae7ca"
},
{
"url": "https://git.kernel.org/stable/c/f617d515d66c05e9aebc787a8fe48b7163fc7b70"
},
{
"url": "https://git.kernel.org/stable/c/000b2a6bed7f30e0aadfb19bce9af6458d879304"
},
{
"url": "https://git.kernel.org/stable/c/15c0e136bd8cd70a1136a11c7876d6aae0eef8c8"
},
{
"url": "https://git.kernel.org/stable/c/0f140cede24334b3ee55e3e1127071266cbb8287"
},
{
"url": "https://git.kernel.org/stable/c/0e2ee70291e64a30fe36960c85294726d34a103e"
}
],
"title": "media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40016",
"datePublished": "2025-10-20T15:29:10.376Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2026-04-18T08:57:05.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40261 (GCVE-0-2025-40261)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-04-18 08:57
Title
nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
Summary
In the Linux kernel, the following vulnerability has been resolved:

nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()

nvme_fc_delete_assocation() waits for pending I/O to complete before
returning, and an error can cause ->ioerr_work to be queued after
cancel_work_sync() had been called. Move the call to cancel_work_sync() to
be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
[ 1135.917705] ------------[ cut here ]------------
[ 1135.922336] kernel BUG at lib/list_debug.c:52!
[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
[ 1135.950969] Workqueue: 0x0 (nvme-wq)
[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1136.055910] PKRU: 55555554
[ 1136.058623] Call Trace:
[ 1136.061074] <TASK>
[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
[ 1136.071898] ? move_linked_works+0x4a/0xa0
[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.081744] ? __die_body.cold+0x8/0x12
[ 1136.085584] ? die+0x2e/0x50
[ 1136.088469] ? do_trap+0xca/0x110
[ 1136.091789] ? do_error_trap+0x65/0x80
[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.101289] ? exc_invalid_op+0x50/0x70
[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
[ 1136.120806] move_linked_works+0x4a/0xa0
[ 1136.124733] worker_thread+0x216/0x3a0
[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
[ 1136.132758] kthread+0xfa/0x240
[ 1136.135904] ? __pfx_kthread+0x10/0x10
[ 1136.139657] ret_from_fork+0x31/0x50
[ 1136.143236] ? __pfx_kthread+0x10/0x10
[ 1136.146988] ret_from_fork_asm+0x1a/0x30
[ 1136.150915] </TASK>
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f1cd8c40936ff2b560e1f35159dd6a4602b558e5 , < 3f48cd7f35da07fc067cef926bb7f6f4735de37b (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 60ba31330faf5677e2eebef7eac62ea9e42a200d (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 9610a2c162ef729a3988213a4604376e492f6f44 (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 33f64600a12055219bda38b55320c62cdeda9167 (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 48ae433c6cc6985f647b1b37d8bb002972cf9bdb (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < fbd5741a556eaaa63d0908132ca79d335b58b1cd (git) |
| Linux | Linux | Affected: 19fce0470f05031e6af36e49ce222d0f0050d432 , < 0a2c5495b6d1ecb0fa18ef6631450f391a888256 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f48cd7f35da07fc067cef926bb7f6f4735de37b",
"status": "affected",
"version": "f1cd8c40936ff2b560e1f35159dd6a4602b558e5",
"versionType": "git"
},
{
"lessThan": "60ba31330faf5677e2eebef7eac62ea9e42a200d",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "9610a2c162ef729a3988213a4604376e492f6f44",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "33f64600a12055219bda38b55320c62cdeda9167",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "48ae433c6cc6985f647b1b37d8bb002972cf9bdb",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "fbd5741a556eaaa63d0908132ca79d335b58b1cd",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
},
{
"lessThan": "0a2c5495b6d1ecb0fa18ef6631450f391a888256",
"status": "affected",
"version": "19fce0470f05031e6af36e49ce222d0f0050d432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause -\u003eioerr_work to be queued after\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 
000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074] \u003cTASK\u003e\n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744] ? __die_body.cold+0x8/0x12\n[ 1136.085584] ? die+0x2e/0x50\n[ 1136.088469] ? do_trap+0xca/0x110\n[ 1136.091789] ? do_error_trap+0x65/0x80\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806] move_linked_works+0x4a/0xa0\n[ 1136.124733] worker_thread+0x216/0x3a0\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758] kthread+0xfa/0x240\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\n[ 1136.139657] ret_from_fork+0x31/0x50\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\n[ 1136.150915] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:07.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f48cd7f35da07fc067cef926bb7f6f4735de37b"
},
{
"url": "https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d"
},
{
"url": "https://git.kernel.org/stable/c/9610a2c162ef729a3988213a4604376e492f6f44"
},
{
"url": "https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167"
},
{
"url": "https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb"
},
{
"url": "https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd"
},
{
"url": "https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256"
}
],
"title": "nvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40261",
"datePublished": "2025-12-04T16:08:21.345Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2026-04-18T08:57:07.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31448 (GCVE-0-2026-31448)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
ext4: avoid infinite loops caused by residual data
Summary
In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid infinite loops caused by residual data

On the mkdir/mknod path, when mapping logical blocks to physical blocks,
if inserting a new extent into the extent tree fails (in this example,
because the file system disabled the huge file feature when marking the
inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to
reclaim the physical block without deleting the corresponding data in
the extent tree. This causes subsequent mkdir operations to reference
the previously reclaimed physical block number again, even though this
physical block is already being used by the xattr block. Therefore, a
situation arises where both the directory and xattr are using the same
buffer head block in memory simultaneously.

The above causes ext4_xattr_block_set() to enter an infinite loop about
"inserted" and cannot release the inode lock, ultimately leading to the
143s blocking problem mentioned in [1].

If the metadata is corrupted, then trying to remove some extent space
can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE
was passed, remove space wrongly update quota information.
Jan Kara suggests distinguishing between two cases:

1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully
consistent and we must maintain its consistency including all the
accounting. However these errors can happen only early before we've
inserted the extent into the extent tree. So current code works correctly
for this case.

2) Some other error - this means metadata is corrupted. We should strive to
do as few modifications as possible to limit damage. So I'd just skip
freeing of allocated blocks.

[1]
INFO: task syz.0.17:5995 blocked for more than 143 seconds.
Call Trace:
  inode_lock_nested include/linux/fs.h:1073 [inline]
  __start_dirop fs/namei.c:2923 [inline]
  start_dirop fs/namei.c:2934 [inline]
Severity
9.4 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
315054f023d28ee64f308adf8b5737831541776b , < c66545e83a802c3851d9be27a41c0479dd29ff0c
(git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < ecc50bfca9b5c2ee6aeef998181689b80477367b (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 3a7667595bcad84da53fc156a418e110267c3412 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 416c86f30f91b4fb2642ef6b102596ca898f41a5 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 64f425b06b3bea9abc8977fd3982779b3ad070c9 (git) Affected: 315054f023d28ee64f308adf8b5737831541776b , < 5422fe71d26d42af6c454ca9527faaad4e677d6c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c66545e83a802c3851d9be27a41c0479dd29ff0c",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "ecc50bfca9b5c2ee6aeef998181689b80477367b",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "3a7667595bcad84da53fc156a418e110267c3412",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "416c86f30f91b4fb2642ef6b102596ca898f41a5",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "64f425b06b3bea9abc8977fd3982779b3ad070c9",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
},
{
"lessThan": "5422fe71d26d42af6c454ca9527faaad4e677d6c",
"status": "affected",
"version": "315054f023d28ee64f308adf8b5737831541776b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we\u0027ve\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I\u0027d just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:13.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c"
},
{
"url": "https://git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b"
},
{
"url": "https://git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412"
},
{
"url": "https://git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5"
},
{
"url": "https://git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9"
},
{
"url": "https://git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c"
}
],
"title": "ext4: avoid infinite loops caused by residual data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31448",
"datePublished": "2026-04-22T13:53:44.129Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-27T14:03:13.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23281 (GCVE-0-2026-23281)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
wifi: libertas: fix use-after-free in lbs_free_adapter()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
954ee164f4f4598afc172c0ec3865d0352e55a0b , < b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
(git)
Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < 09f3c30ab3b1371eaf9676a1b8add57bca763083 (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < 3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < 3c5c818c78b03a1725f3dcd566865c77b48dd3a6 (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < d0155fe68f31b339961cf2d4f92937d57e9384e6 (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < ed7d30f90b77f73a47498686ede83f622b7e4f0d (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < a9f55b14486426d907459bced5825a25063bd922 (git) Affected: 954ee164f4f4598afc172c0ec3865d0352e55a0b , < 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "09f3c30ab3b1371eaf9676a1b8add57bca763083",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "3c5c818c78b03a1725f3dcd566865c77b48dd3a6",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "d0155fe68f31b339961cf2d4f92937d57e9384e6",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "ed7d30f90b77f73a47498686ede83f622b7e4f0d",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "a9f55b14486426d907459bced5825a25063bd922",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
},
{
"lessThan": "03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0",
"status": "affected",
"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix use-after-free in lbs_free_adapter()\n\nThe lbs_free_adapter() function uses timer_delete() (non-synchronous)\nfor both command_timer and tx_lockup_timer before the structure is\nfreed. This is incorrect because timer_delete() does not wait for\nany running timer callback to complete.\n\nIf a timer callback is executing when lbs_free_adapter() is called,\nthe callback will access freed memory since lbs_cfg_free() frees the\ncontaining structure immediately after lbs_free_adapter() returns.\n\nBoth timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)\naccess priv-\u003edriver_lock, priv-\u003ecur_cmd, priv-\u003edev, and other fields,\nwhich would all be use-after-free violations.\n\nUse timer_delete_sync() instead to ensure any running timer callback\nhas completed before returning.\n\nThis bug was introduced in commit 8f641d93c38a (\"libertas: detect TX\nlockups and reset hardware\") where del_timer() was used instead of\ndel_timer_sync() in the cleanup path. The command_timer has had the\nsame issue since the driver was first written."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:36.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4"
},
{
"url": "https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083"
},
{
"url": "https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc"
},
{
"url": "https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6"
},
{
"url": "https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6"
},
{
"url": "https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d"
},
{
"url": "https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922"
},
{
"url": "https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0"
}
],
"title": "wifi: libertas: fix use-after-free in lbs_free_adapter()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23281",
"datePublished": "2026-03-25T10:26:41.844Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:36.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23438 (GCVE-0-2026-23438)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:58
Title
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

mvpp2_bm_switch_buffers() unconditionally calls
mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
shared buffer pool modes. This function programs CM3 flow control
registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
priv->cm3_base without any NULL check.

When the CM3 SRAM resource is not present in the device tree (the
third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
NULL and priv->global_tx_fc is false. Any operation that triggers
mvpp2_bm_switch_buffers(), for example an MTU change that crosses
the jumbo frame threshold, will crash:

  Unable to handle kernel NULL pointer dereference at
  virtual address 0000000000000000
  Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  pc : readl+0x0/0x18
  lr : mvpp2_cm3_read.isra.0+0x14/0x20
  Call trace:
  readl+0x0/0x18
  mvpp2_bm_pool_update_fc+0x40/0x12c
  mvpp2_bm_pool_update_priv_fc+0x94/0xd8
  mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
  mvpp2_change_mtu+0x140/0x380
  __dev_set_mtu+0x1c/0x38
  dev_set_mtu_ext+0x78/0x118
  dev_set_mtu+0x48/0xa8
  dev_ifsioc+0x21c/0x43c
  dev_ioctl+0x2d8/0x42c
  sock_ioctl+0x314/0x378

Every other flow control call site in the driver already guards
hardware access with either priv->global_tx_fc or port->tx_fc.
mvpp2_bm_switch_buffers() is the only place that omits this check.

Add the missing priv->global_tx_fc guard to both the disable and
re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
rest of the driver.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
3a616b92a9d17448d96a33bf58e69f01457fd43a , < 0cfcd31f98fc608dc9406bff3fee3a9dd364d014
(git)
Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < da089f74a993f846685067b14158cb41b879ff29 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < ff0c54f088f7ab91dbbf47cf8244460f99122750 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8baced53a35fc9710f80d6ca016a2c418dc3231f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8a63baadf08453f66eb582fdb6dd234f72024723 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cfcd31f98fc608dc9406bff3fee3a9dd364d014",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "da089f74a993f846685067b14158cb41b879ff29",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "ff0c54f088f7ab91dbbf47cf8244460f99122750",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8baced53a35fc9710f80d6ca016a2c418dc3231f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8a63baadf08453f66eb582fdb6dd234f72024723",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:54.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cfcd31f98fc608dc9406bff3fee3a9dd364d014"
},
{
"url": "https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"
},
{
"url": "https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"
},
{
"url": "https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"
},
{
"url": "https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"
},
{
"url": "https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"
},
{
"url": "https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"
}
],
"title": "net: mvpp2: guard flow control update with global_tx_fc in buffer switching",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23438",
"datePublished": "2026-04-03T15:15:22.701Z",
"dateReserved": "2026-01-13T15:37:46.017Z",
"dateUpdated": "2026-04-18T08:58:54.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23446 (GCVE-0-2026-23446)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:58
Title
net: usb: aqc111: Do not perform PM inside suspend callback
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Do not perform PM inside suspend callback

syzbot reports "task hung in rpm_resume"

This is caused by aqc111_suspend calling
the PM variant of its write_cmd routine.

The simplified call trace looks like this:

rpm_suspend()
  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
  aqc111_suspend() - called for the usb device interface
  aqc111_write32_cmd()
  usb_autopm_get_interface()
  pm_runtime_resume_and_get()
  rpm_resume() - here we call rpm_resume() on our parent
  rpm_resume() - Here we wait for a status change that will never happen.

At this point we block another task which holds
rtnl_lock and locks up the whole networking stack.

Fix this by replacing the write_cmd calls with their _nopm variants
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc06ac99fd78839b2d38850785731ef131d9ae26",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "b87f361d41f9a7f1f6c426947ca815651c481376",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "621f2f43741b51f62d767eb4752fbcefe2526926",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "4de6a43e8ecf961feabddf0e9d6911081d2ed218",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "3267bcb744ee8a2feabaa7ab69473f086f67fd71",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "d3e32a612c6391ca9b7c183aeec22b4fd24c300c",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "98e8aed64614b0c199d5f0391fbe1a4331cb5773",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "069c8f5aebe4d5224cf62acc7d4b3486091c658a",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Do not perform PM inside suspend callback\n\nsyzbot reports \"task hung in rpm_resume\"\n\nThis is caused by aqc111_suspend calling\nthe PM variant of its write_cmd routine.\n\nThe simplified call trace looks like this:\n\nrpm_suspend()\n usb_suspend_both() - here udev-\u003edev.power.runtime_status == RPM_SUSPENDING\n aqc111_suspend() - called for the usb device interface\n aqc111_write32_cmd()\n usb_autopm_get_interface()\n pm_runtime_resume_and_get()\n rpm_resume() - here we call rpm_resume() on our parent\n rpm_resume() - Here we wait for a status change that will never happen.\n\nAt this point we block another task which holds\nrtnl_lock and locks up the whole networking stack.\n\nFix this by replacing the write_cmd calls with their _nopm variants"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:58.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc06ac99fd78839b2d38850785731ef131d9ae26"
},
{
"url": "https://git.kernel.org/stable/c/b87f361d41f9a7f1f6c426947ca815651c481376"
},
{
"url": "https://git.kernel.org/stable/c/621f2f43741b51f62d767eb4752fbcefe2526926"
},
{
"url": "https://git.kernel.org/stable/c/4de6a43e8ecf961feabddf0e9d6911081d2ed218"
},
{
"url": "https://git.kernel.org/stable/c/3267bcb744ee8a2feabaa7ab69473f086f67fd71"
},
{
"url": "https://git.kernel.org/stable/c/d3e32a612c6391ca9b7c183aeec22b4fd24c300c"
},
{
"url": "https://git.kernel.org/stable/c/98e8aed64614b0c199d5f0391fbe1a4331cb5773"
},
{
"url": "https://git.kernel.org/stable/c/069c8f5aebe4d5224cf62acc7d4b3486091c658a"
}
],
"title": "net: usb: aqc111: Do not perform PM inside suspend callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23446",
"datePublished": "2026-04-03T15:15:29.863Z",
"dateReserved": "2026-01-13T15:37:46.019Z",
"dateUpdated": "2026-04-18T08:58:58.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23381 (GCVE-0-2026-23381)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:28 – Updated: 2026-04-18 08:58
Title
net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. Then, if neigh_suppress is enabled and an ICMPv6
Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will
dereference ipv6_stub->nd_tbl which is NULL, passing it to
neigh_lookup(). This causes a kernel NULL pointer dereference.

  BUG: kernel NULL pointer dereference, address: 0000000000000268
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  [...]
  RIP: 0010:neigh_lookup+0x16/0xe0
  [...]
  Call Trace:
  <IRQ>
  ? neigh_lookup+0x16/0xe0
  br_do_suppress_nd+0x160/0x290 [bridge]
  br_handle_frame_finish+0x500/0x620 [bridge]
  br_handle_frame+0x353/0x440 [bridge]
  __netif_receive_skb_core.constprop.0+0x298/0x1110
  __netif_receive_skb_one_core+0x3d/0xa0
  process_backlog+0xa0/0x140
  __napi_poll+0x2c/0x170
  net_rx_action+0x2c4/0x3a0
  handle_softirqs+0xd0/0x270
  do_softirq+0x3f/0x60

Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in
the callers. This is in essence disabling NS/NA suppression when IPv6 is
disabled.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_device.c",
"net/bridge/br_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9d712ccfeef737c0e700a4b5b98f310e07b6b60",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "a5c56e65b685360dd3f2278aeff8c21061feb665",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "7a894eb5de246d79f13105c55a67381039a24d44",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "a12cdaa3375f0bd3c8f4e564be7c143529abfe5b",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "aa73deb3b6b730ec280d45b3f423bfa9e17bc122",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "33dec6f10777d5a8f71c0a200f690da5ae3c2e55",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "20ef5c25422f97dd09d751e5ae6c18406cdc78e6",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
},
{
"lessThan": "e5e890630533bdc15b26a34bb8e7ef539bdf1322",
"status": "affected",
"version": "ed842faeb2bd49256f00485402f3113205f91d30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_device.c",
"net/bridge/br_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub-\u003end_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n \u003cIRQ\u003e\n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:22.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9d712ccfeef737c0e700a4b5b98f310e07b6b60"
},
{
"url": "https://git.kernel.org/stable/c/a5c56e65b685360dd3f2278aeff8c21061feb665"
},
{
"url": "https://git.kernel.org/stable/c/7a894eb5de246d79f13105c55a67381039a24d44"
},
{
"url": "https://git.kernel.org/stable/c/a12cdaa3375f0bd3c8f4e564be7c143529abfe5b"
},
{
"url": "https://git.kernel.org/stable/c/aa73deb3b6b730ec280d45b3f423bfa9e17bc122"
},
{
"url": "https://git.kernel.org/stable/c/33dec6f10777d5a8f71c0a200f690da5ae3c2e55"
},
{
"url": "https://git.kernel.org/stable/c/20ef5c25422f97dd09d751e5ae6c18406cdc78e6"
},
{
"url": "https://git.kernel.org/stable/c/e5e890630533bdc15b26a34bb8e7ef539bdf1322"
}
],
"title": "net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23381",
"datePublished": "2026-03-25T10:28:00.416Z",
"dateReserved": "2026-01-13T15:37:46.007Z",
"dateUpdated": "2026-04-18T08:58:22.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23336 (GCVE-0-2026-23336)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()

There is a use-after-free error in cfg80211_shutdown_all_interfaces found
by syzkaller:

BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326
CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events cfg80211_rfkill_block_work
Call Trace:
  <TASK>
  dump_stack_lvl+0x116/0x1f0
  print_report+0xcd/0x630
  kasan_report+0xe0/0x110
  cfg80211_shutdown_all_interfaces+0x213/0x220
  cfg80211_rfkill_block_work+0x1e/0x30
  process_one_work+0x9cf/0x1b70
  worker_thread+0x6c8/0xf10
  kthread+0x3c5/0x780
  ret_from_fork+0x56d/0x700
  ret_from_fork_asm+0x1a/0x30
  </TASK>

The problem arises due to the rfkill_block work is not cancelled when wiphy
is being unregistered. In order to fix the issue cancel the corresponding
work in wiphy_unregister().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82a35356b5c1f75fe6a8a561db44e8d0e49da8f9",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "b2e9626a9d16b9bbbd06498c9e73c93be354dc7a",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "eeea8da43ab86ac0a6b9cec225eec91564346940",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "fa18639deab4a3662d543200c5bfc29bf4e23173",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "57e39fe8da573435fa35975f414f4dc17d9f8449",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "584279ad9ff1e8e7c5494b9fce286201f7d1f9e2",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
},
{
"lessThan": "767d23ade706d5fa51c36168e92a9c5533c351a1",
"status": "affected",
"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()\n\nThere is a use-after-free error in cfg80211_shutdown_all_interfaces found\nby syzkaller:\n\nBUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220\nRead of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: events cfg80211_rfkill_block_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nThe problem arises due to the rfkill_block work is not cancelled when wiphy\nis being unregistered. In order to fix the issue cancel the corresponding\nwork in wiphy_unregister().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:01.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82a35356b5c1f75fe6a8a561db44e8d0e49da8f9"
},
{
"url": "https://git.kernel.org/stable/c/b2e9626a9d16b9bbbd06498c9e73c93be354dc7a"
},
{
"url": "https://git.kernel.org/stable/c/eeea8da43ab86ac0a6b9cec225eec91564346940"
},
{
"url": "https://git.kernel.org/stable/c/fa18639deab4a3662d543200c5bfc29bf4e23173"
},
{
"url": "https://git.kernel.org/stable/c/57e39fe8da573435fa35975f414f4dc17d9f8449"
},
{
"url": "https://git.kernel.org/stable/c/584279ad9ff1e8e7c5494b9fce286201f7d1f9e2"
},
{
"url": "https://git.kernel.org/stable/c/cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5"
},
{
"url": "https://git.kernel.org/stable/c/767d23ade706d5fa51c36168e92a9c5533c351a1"
}
],
"title": "wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23336",
"datePublished": "2026-03-25T10:27:26.061Z",
"dateReserved": "2026-01-13T15:37:45.997Z",
"dateUpdated": "2026-04-18T08:58:01.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23317 (GCVE-0-2026-23317)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04
Title
drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Before the referenced fixes these functions used a lookup function that
returned a pointer. This was changed to another lookup function that
returned an error code with the pointer becoming an out parameter.
The error path when the lookup failed was not changed to reflect this
change and the code continued to return the PTR_ERR of the now
uninitialized pointer. This could cause the vmw_translate_ptr functions
to return success when they actually failed causing further uninitialized
and OOB accesses.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a , < ce3a5cf139787c186d5d54336107298cacaad2b9 (git) Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 7e55d0788b362c93660b80cc5603031bbbdefa98 (git) Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 36cb28b6d303a81e6ed4536017090e85e0143e42 (git) Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 531f45589787799aa81b63e1e1f8e71db5d93dd1 (git) Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 149f028772fa2879d9316b924ce948a6a0877e45 (git) Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 5023ca80f9589295cb60735016e39fc5cc714243 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce3a5cf139787c186d5d54336107298cacaad2b9",
"status": "affected",
"version": "7ac9578e45b20e3f3c0c8eb71f5417a499a7226a",
"versionType": "git"
},
{
"lessThan": "7e55d0788b362c93660b80cc5603031bbbdefa98",
"status": "affected",
"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
"versionType": "git"
},
{
"lessThan": "36cb28b6d303a81e6ed4536017090e85e0143e42",
"status": "affected",
"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
"versionType": "git"
},
{
"lessThan": "531f45589787799aa81b63e1e1f8e71db5d93dd1",
"status": "affected",
"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
"versionType": "git"
},
{
"lessThan": "149f028772fa2879d9316b924ce948a6a0877e45",
"status": "affected",
"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
"versionType": "git"
},
{
"lessThan": "5023ca80f9589295cb60735016e39fc5cc714243",
"status": "affected",
"version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:04:16.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce3a5cf139787c186d5d54336107298cacaad2b9"
},
{
"url": "https://git.kernel.org/stable/c/7e55d0788b362c93660b80cc5603031bbbdefa98"
},
{
"url": "https://git.kernel.org/stable/c/36cb28b6d303a81e6ed4536017090e85e0143e42"
},
{
"url": "https://git.kernel.org/stable/c/531f45589787799aa81b63e1e1f8e71db5d93dd1"
},
{
"url": "https://git.kernel.org/stable/c/149f028772fa2879d9316b924ce948a6a0877e45"
},
{
"url": "https://git.kernel.org/stable/c/5023ca80f9589295cb60735016e39fc5cc714243"
}
],
"title": "drm/vmwgfx: Return the correct value in vmw_translate_ptr functions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23317",
"datePublished": "2026-03-25T10:27:11.884Z",
"dateReserved": "2026-01-13T15:37:45.995Z",
"dateUpdated": "2026-04-13T06:04:16.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31467 (GCVE-0-2026-31467)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
erofs: add GFP_NOIO in the bio completion if needed
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: add GFP_NOIO in the bio completion if needed
The bio completion path in the process context (e.g. dm-verity)
will directly call into decompression rather than trigger another
workqueue context for minimal scheduling latencies, which can
then call vm_map_ram() with GFP_KERNEL.
Due to insufficient memory, vm_map_ram() may generate memory
swapping I/O, which can cause submit_bio_wait to deadlock
in some scenarios.
Trimmed down the call stack, as follows:
f2fs_submit_read_io
submit_bio //bio_list is initialized.
mmc_blk_mq_recovery
z_erofs_endio
vm_map_ram
__pte_alloc_kernel
__alloc_pages_direct_reclaim
shrink_folio_list
__swap_writepage
submit_bio_wait //bio_list is non-NULL, hang!!!
Use memalloc_noio_{save,restore}() to wrap up this path.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < d6565ea662e17d45a577184b0011bd69de22dc2b (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < d9d8360cb66e3b599d89d2526e7da8b530ebf2ff (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < 5c8ecdcfbfb0b0c6a82a4ebadc1ddea61609b902 (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < 378949f46e897204384f3f5f91e42e93e3f87568 (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < da40464064599eefe78749f75cd2bba371044c04 (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < e83e20b82859f0588e9a52a6fa9fea704a2061cf (git) Affected: 648f2de053a882c87c05f0060f47d3b11841fdbe , < c23df30915f83e7257c8625b690a1cece94142a0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6565ea662e17d45a577184b0011bd69de22dc2b",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "d9d8360cb66e3b599d89d2526e7da8b530ebf2ff",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "5c8ecdcfbfb0b0c6a82a4ebadc1ddea61609b902",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "378949f46e897204384f3f5f91e42e93e3f87568",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "da40464064599eefe78749f75cd2bba371044c04",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "e83e20b82859f0588e9a52a6fa9fea704a2061cf",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
},
{
"lessThan": "c23df30915f83e7257c8625b690a1cece94142a0",
"status": "affected",
"version": "648f2de053a882c87c05f0060f47d3b11841fdbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: add GFP_NOIO in the bio completion if needed\n\nThe bio completion path in the process context (e.g. dm-verity)\nwill directly call into decompression rather than trigger another\nworkqueue context for minimal scheduling latencies, which can\nthen call vm_map_ram() with GFP_KERNEL.\n\nDue to insufficient memory, vm_map_ram() may generate memory\nswapping I/O, which can cause submit_bio_wait to deadlock\nin some scenarios.\n\nTrimmed down the call stack, as follows:\n\nf2fs_submit_read_io\n submit_bio //bio_list is initialized.\n mmc_blk_mq_recovery\n z_erofs_endio\n vm_map_ram\n __pte_alloc_kernel\n __alloc_pages_direct_reclaim\n shrink_folio_list\n __swap_writepage\n submit_bio_wait //bio_list is non-NULL, hang!!!\n\nUse memalloc_noio_{save,restore}() to wrap up this path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:21.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6565ea662e17d45a577184b0011bd69de22dc2b"
},
{
"url": "https://git.kernel.org/stable/c/d9d8360cb66e3b599d89d2526e7da8b530ebf2ff"
},
{
"url": "https://git.kernel.org/stable/c/5c8ecdcfbfb0b0c6a82a4ebadc1ddea61609b902"
},
{
"url": "https://git.kernel.org/stable/c/378949f46e897204384f3f5f91e42e93e3f87568"
},
{
"url": "https://git.kernel.org/stable/c/da40464064599eefe78749f75cd2bba371044c04"
},
{
"url": "https://git.kernel.org/stable/c/e83e20b82859f0588e9a52a6fa9fea704a2061cf"
},
{
"url": "https://git.kernel.org/stable/c/c23df30915f83e7257c8625b690a1cece94142a0"
}
],
"title": "erofs: add GFP_NOIO in the bio completion if needed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31467",
"datePublished": "2026-04-22T13:53:56.910Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-04-27T14:03:21.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31545 (GCVE-0-2026-31545)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:33 – Updated: 2026-04-24 14:33
Title
NFC: nxp-nci: allow GPIOs to sleep
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: nxp-nci: allow GPIOs to sleep
Allow the firmware and enable GPIOs to sleep.
This fixes a `WARN_ON' and allows the driver to operate GPIOs which are
connected to I2C GPIO expanders.
-- >8 --
kernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98
-- >8 --
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 0c2320c3c860d281cbc2f49fc574c1947a6b9e2a (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 2a175bc3c338c6b2bc55004e93dd35a2467bdca2 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < c24dcac1a9d1b4fd164898df0c2f5b0adbf81a78 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 70662874f646871c2f08ef1cf2544ba9a5f71b96 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 548a1bfe591364e63bce4af7c5802bb434efdaf8 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 4de9ed2ea22d611b4149969266b45a86ea8daf35 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 783f05e560d761dee7ff602b97edb0e54f2e9727 (git) Affected: 43201767b44cbd873c60dbd2acd370147588cb18 , < 55dc632ab2ac2889b15995a9eef56c753d48ebc7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/nxp-nci/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c2320c3c860d281cbc2f49fc574c1947a6b9e2a",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "2a175bc3c338c6b2bc55004e93dd35a2467bdca2",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "c24dcac1a9d1b4fd164898df0c2f5b0adbf81a78",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "70662874f646871c2f08ef1cf2544ba9a5f71b96",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "548a1bfe591364e63bce4af7c5802bb434efdaf8",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "4de9ed2ea22d611b4149969266b45a86ea8daf35",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "783f05e560d761dee7ff602b97edb0e54f2e9727",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
},
{
"lessThan": "55dc632ab2ac2889b15995a9eef56c753d48ebc7",
"status": "affected",
"version": "43201767b44cbd873c60dbd2acd370147588cb18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/nxp-nci/i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nxp-nci: allow GPIOs to sleep\n\nAllow the firmware and enable GPIOs to sleep.\n\nThis fixes a `WARN_ON\u0027 and allows the driver to operate GPIOs which are\nconnected to I2C GPIO expanders.\n\n-- \u003e8 --\nkernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98\n-- \u003e8 --"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:33:13.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c2320c3c860d281cbc2f49fc574c1947a6b9e2a"
},
{
"url": "https://git.kernel.org/stable/c/2a175bc3c338c6b2bc55004e93dd35a2467bdca2"
},
{
"url": "https://git.kernel.org/stable/c/c24dcac1a9d1b4fd164898df0c2f5b0adbf81a78"
},
{
"url": "https://git.kernel.org/stable/c/70662874f646871c2f08ef1cf2544ba9a5f71b96"
},
{
"url": "https://git.kernel.org/stable/c/548a1bfe591364e63bce4af7c5802bb434efdaf8"
},
{
"url": "https://git.kernel.org/stable/c/4de9ed2ea22d611b4149969266b45a86ea8daf35"
},
{
"url": "https://git.kernel.org/stable/c/783f05e560d761dee7ff602b97edb0e54f2e9727"
},
{
"url": "https://git.kernel.org/stable/c/55dc632ab2ac2889b15995a9eef56c753d48ebc7"
}
],
"title": "NFC: nxp-nci: allow GPIOs to sleep",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31545",
"datePublished": "2026-04-24T14:33:13.885Z",
"dateReserved": "2026-03-09T15:48:24.114Z",
"dateUpdated": "2026-04-24T14:33:13.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23287 (GCVE-0-2026-23287)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-13 06:03
Title
irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
PLIC ignores interrupt completion message for disabled interrupt, explained
by the specification:
The PLIC signals it has completed executing an interrupt handler by
writing the interrupt ID it received from the claim to the
claim/complete register. The PLIC does not check whether the completion
ID is the same as the last claim ID for that target. If the completion
ID does not match an interrupt source that is currently enabled for
the target, the completion is silently ignored.
This caused problems in the past, because an interrupt can be disabled
while still being handled and plic_irq_eoi() had no effect. That was fixed
by checking if the interrupt is disabled, and if so enable it, before
sending the completion message. That check is done with irqd_irq_disabled().
However, that is not sufficient because the enable bit for the handling
hart can be zero despite irqd_irq_disabled(d) being false. This can happen
when affinity setting is changed while a hart is still handling the
interrupt.
This problem is easily reproducible by dumping a large file to uart (which
generates lots of interrupts) and at the same time keep changing the uart
interrupt's affinity setting. The uart port becomes frozen almost
instantaneously.
Fix this by checking PLIC's enable bit instead of irqd_irq_disabled().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < 8942fb1a5bc2dcbd88f7e656d109d42f778f298f (git) Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < 2edbd173309165d103be6c73bd83e459dc45ae7b (git) Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < 686eb378a4a51aa967e08337dd59daade16aec0f (git) Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < 1883332bf21feb8871af09daf604fc4836a76925 (git) Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < f611791a927141d05d7030607dea6372311c1413 (git) Affected: cc9f04f9a84f745949e325661550ed14bd0ff322 , < 1072020685f4b81f6efad3b412cdae0bd62bb043 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-sifive-plic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8942fb1a5bc2dcbd88f7e656d109d42f778f298f",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
},
{
"lessThan": "2edbd173309165d103be6c73bd83e459dc45ae7b",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
},
{
"lessThan": "686eb378a4a51aa967e08337dd59daade16aec0f",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
},
{
"lessThan": "1883332bf21feb8871af09daf604fc4836a76925",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
},
{
"lessThan": "f611791a927141d05d7030607dea6372311c1413",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
},
{
"lessThan": "1072020685f4b81f6efad3b412cdae0bd62bb043",
"status": "affected",
"version": "cc9f04f9a84f745949e325661550ed14bd0ff322",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-sifive-plic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/sifive-plic: Fix frozen interrupt due to affinity setting\n\nPLIC ignores interrupt completion message for disabled interrupt, explained\nby the specification:\n\n The PLIC signals it has completed executing an interrupt handler by\n writing the interrupt ID it received from the claim to the\n claim/complete register. The PLIC does not check whether the completion\n ID is the same as the last claim ID for that target. If the completion\n ID does not match an interrupt source that is currently enabled for\n the target, the completion is silently ignored.\n\nThis caused problems in the past, because an interrupt can be disabled\nwhile still being handled and plic_irq_eoi() had no effect. That was fixed\nby checking if the interrupt is disabled, and if so enable it, before\nsending the completion message. That check is done with irqd_irq_disabled().\n\nHowever, that is not sufficient because the enable bit for the handling\nhart can be zero despite irqd_irq_disabled(d) being false. This can happen\nwhen affinity setting is changed while a hart is still handling the\ninterrupt.\n\nThis problem is easily reproducible by dumping a large file to uart (which\ngenerates lots of interrupts) and at the same time keep changing the uart\ninterrupt\u0027s affinity setting. The uart port becomes frozen almost\ninstantaneously.\n\nFix this by checking PLIC\u0027s enable bit instead of irqd_irq_disabled()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:03:39.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8942fb1a5bc2dcbd88f7e656d109d42f778f298f"
},
{
"url": "https://git.kernel.org/stable/c/2edbd173309165d103be6c73bd83e459dc45ae7b"
},
{
"url": "https://git.kernel.org/stable/c/686eb378a4a51aa967e08337dd59daade16aec0f"
},
{
"url": "https://git.kernel.org/stable/c/1883332bf21feb8871af09daf604fc4836a76925"
},
{
"url": "https://git.kernel.org/stable/c/f611791a927141d05d7030607dea6372311c1413"
},
{
"url": "https://git.kernel.org/stable/c/1072020685f4b81f6efad3b412cdae0bd62bb043"
}
],
"title": "irqchip/sifive-plic: Fix frozen interrupt due to affinity setting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23287",
"datePublished": "2026-03-25T10:26:46.363Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-13T06:03:39.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23455 (GCVE-0-2026-23455)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Severity
9.1 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 2121f5fbe88daff0f1fc5bc47d359426c74b86b0 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 65fa92f79677858b14b9e4b7275f26639afe2710 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 495e97af9e7249ee02b72bb1d0848a6efc3700f4 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < f5e4f4e4cdb75ec36802059a94195a31f193da60 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 633e8f87dad32263f6a57dccdb873f042c062111 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < 9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8 (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < b652b05d51003ac074b912684f9ec7486231717b (git) Affected: 5e35941d990123f155b02d5663e51a24f816b6f3 , < f173d0f4c0f689173f8cdac79991043a4a89bf66 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2121f5fbe88daff0f1fc5bc47d359426c74b86b0",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "65fa92f79677858b14b9e4b7275f26639afe2710",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "495e97af9e7249ee02b72bb1d0848a6efc3700f4",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f5e4f4e4cdb75ec36802059a94195a31f193da60",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "633e8f87dad32263f6a57dccdb873f042c062111",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "b652b05d51003ac074b912684f9ec7486231717b",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
},
{
"lessThan": "f173d0f4c0f689173f8cdac79991043a4a89bf66",
"status": "affected",
"version": "5e35941d990123f155b02d5663e51a24f816b6f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_h323_asn1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:33.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"
},
{
"url": "https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"
},
{
"url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"
},
{
"url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"
},
{
"url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"
},
{
"url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"
},
{
"url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"
},
{
"url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"
}
],
"title": "netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23455",
"datePublished": "2026-04-03T15:15:36.869Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-27T14:02:33.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31660 (GCVE-0-2026-31660)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
nfc: pn533: allocate rx skb before consuming bytes
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.
If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 8b71299d587d9e4c830c18afb884c80ddb30ad28 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 16649adc2e19509104245ea1f349b629d858f11f (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 07cb6c72e66ba548679f22ac29ad588da8999279 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < a9495069b43b8634c1ae0042e888766c34f66637 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 21ae2cda66a55c759607bbf1d23cbaa42019d2de (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < 7e37da42eda45d7859d9273fc7e225d8df458038 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5, < c71ba669b570c7b3f86ec875be222ea11dacb352 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "8b71299d587d9e4c830c18afb884c80ddb30ad28",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "16649adc2e19509104245ea1f349b629d858f11f",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "07cb6c72e66ba548679f22ac29ad588da8999279",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "a9495069b43b8634c1ae0042e888766c34f66637",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "21ae2cda66a55c759607bbf1d23cbaa42019d2de",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "7e37da42eda45d7859d9273fc7e225d8df458038",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "c71ba669b570c7b3f86ec875be222ea11dacb352",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:11.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"
},
{
"url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"
},
{
"url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"
},
{
"url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"
},
{
"url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"
},
{
"url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"
},
{
"url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"
},
{
"url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"
}
],
"title": "nfc: pn533: allocate rx skb before consuming bytes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31660",
"datePublished": "2026-04-24T14:45:11.039Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:11.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31434 (GCVE-0-2026-31434)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-22 13:53
Title
btrfs: fix leak of kobject name for sub-group space_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix leak of kobject name for sub-group space_info
When create_space_info_sub_group() allocates elements of
space_info->sub_group[], kobject_init_and_add() is called for each
element via btrfs_sysfs_add_space_info_type(). However, when
check_removing_space_info() frees these elements, it does not call
btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is
not called and the associated kobj->name objects are leaked.
This memory leak is reproduced by running the blktests test case
zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak
feature reports the following error:
unreferenced object 0xffff888112877d40 (size 16):
comm "mount", pid 1244, jiffies 4294996972
hex dump (first 16 bytes):
64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......
backtrace (crc 53ffde4d):
__kmalloc_node_track_caller_noprof+0x619/0x870
kstrdup+0x42/0xc0
kobject_set_name_vargs+0x44/0x110
kobject_init_and_add+0xcf/0x150
btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]
create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]
create_space_info+0x211/0x320 [btrfs]
btrfs_init_space_info+0x15a/0x1b0 [btrfs]
open_ctree+0x33c7/0x4a50 [btrfs]
btrfs_get_tree.cold+0x9f/0x1ee [btrfs]
vfs_get_tree+0x87/0x2f0
vfs_cmd_create+0xbd/0x280
__do_sys_fsconfig+0x3df/0x990
do_syscall_64+0x136/0x1540
entry_SYSCALL_64_after_hwframe+0x76/0x7e
To avoid the leak, call btrfs_sysfs_remove_space_info() instead of
kfree() for the elements.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 64c7ddda83acfbaa0efb381a1928ce908c584607, < 416484f21a9d1280cf6daa7ebc10c79b59c46e48 (git) |
| Linux | Linux | Affected: 0bd151ce4200ca847990e05cca29a76456982ca5, < 94054ffd311a1f76b7093ba8ebf50bdb0d28337c (git) |
| Linux | Linux | Affected: 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb, < 1737ddeafbb1304f41ec2eede4f7366082e7c96a (git) |
| Linux | Linux | Affected: f92ee31e031c7819126d2febdda0c3e91f5d2eb9, < 3c844d01f9874a43004c82970d8da94f9aba8949 (git) |
| Linux | Linux | Affected: f92ee31e031c7819126d2febdda0c3e91f5d2eb9, < 3c645c6f7e5470debbb81666b230056de48f36dc (git) |
| Linux | Linux | Affected: f92ee31e031c7819126d2febdda0c3e91f5d2eb9, < a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "416484f21a9d1280cf6daa7ebc10c79b59c46e48",
"status": "affected",
"version": "64c7ddda83acfbaa0efb381a1928ce908c584607",
"versionType": "git"
},
{
"lessThan": "94054ffd311a1f76b7093ba8ebf50bdb0d28337c",
"status": "affected",
"version": "0bd151ce4200ca847990e05cca29a76456982ca5",
"versionType": "git"
},
{
"lessThan": "1737ddeafbb1304f41ec2eede4f7366082e7c96a",
"status": "affected",
"version": "190d5a7c4fe42b8c9aa46e3336389e7cb10395bb",
"versionType": "git"
},
{
"lessThan": "3c844d01f9874a43004c82970d8da94f9aba8949",
"status": "affected",
"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
"versionType": "git"
},
{
"lessThan": "3c645c6f7e5470debbb81666b230056de48f36dc",
"status": "affected",
"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
"versionType": "git"
},
{
"lessThan": "a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41",
"status": "affected",
"version": "f92ee31e031c7819126d2febdda0c3e91f5d2eb9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info-\u003esub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj-\u003ename objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n comm \"mount\", pid 1244, jiffies 4294996972\n hex dump (first 16 bytes):\n 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc......\n backtrace (crc 53ffde4d):\n __kmalloc_node_track_caller_noprof+0x619/0x870\n kstrdup+0x42/0xc0\n kobject_set_name_vargs+0x44/0x110\n kobject_init_and_add+0xcf/0x150\n btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n create_space_info+0x211/0x320 [btrfs]\n btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n open_ctree+0x33c7/0x4a50 [btrfs]\n btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n vfs_get_tree+0x87/0x2f0\n vfs_cmd_create+0xbd/0x280\n __do_sys_fsconfig+0x3df/0x990\n do_syscall_64+0x136/0x1540\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:53:34.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48"
},
{
"url": "https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c"
},
{
"url": "https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a"
},
{
"url": "https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949"
},
{
"url": "https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc"
},
{
"url": "https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41"
}
],
"title": "btrfs: fix leak of kobject name for sub-group space_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31434",
"datePublished": "2026-04-22T13:53:34.357Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-04-22T13:53:34.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23271 (GCVE-0-2026-23271)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-13 06:03
Title
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Make sure that __perf_event_overflow() runs with IRQs disabled for all
possible callchains. Specifically the software events can end up running
it with only preemption disabled.
This opens up a race vs perf_event_exit_event() and friends that will go
and free various things the overflow path expects to be present, like
the BPF program.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < 4df1a45819e50993cb351682a6ae8e7ed2d233a0 (git) |
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < 4f8d5812337871227bb2c98669a87c306a2f86ef (git) |
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < 5c48fdc4b4623533d86e279f51531a7ba212eb87 (git) |
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < 3f89b61dd504c5b6711de9759e053b082f9abf12 (git) |
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < bb190628fe5f2a73ba762a9972ba16c5e895f73e (git) |
| Linux | Linux | Affected: 592903cdcbf606a838056bae6d03fc557806c914, < c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4df1a45819e50993cb351682a6ae8e7ed2d233a0",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
},
{
"lessThan": "4f8d5812337871227bb2c98669a87c306a2f86ef",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
},
{
"lessThan": "5c48fdc4b4623533d86e279f51531a7ba212eb87",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
},
{
"lessThan": "3f89b61dd504c5b6711de9759e053b082f9abf12",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
},
{
"lessThan": "bb190628fe5f2a73ba762a9972ba16c5e895f73e",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
},
{
"lessThan": "c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae",
"status": "affected",
"version": "592903cdcbf606a838056bae6d03fc557806c914",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix __perf_event_overflow() vs perf_remove_from_context() race\n\nMake sure that __perf_event_overflow() runs with IRQs disabled for all\npossible callchains. Specifically the software events can end up running\nit with only preemption disabled.\n\nThis opens up a race vs perf_event_exit_event() and friends that will go\nand free various things the overflow path expects to be present, like\nthe BPF program."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:03:20.071Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0"
},
{
"url": "https://git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef"
},
{
"url": "https://git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87"
},
{
"url": "https://git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12"
},
{
"url": "https://git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e"
},
{
"url": "https://git.kernel.org/stable/c/c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae"
}
],
"title": "perf: Fix __perf_event_overflow() vs perf_remove_from_context() race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23271",
"datePublished": "2026-03-20T08:08:46.711Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-04-13T06:03:20.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31452 (GCVE-0-2026-31452)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-23 15:18
Title
ext4: convert inline data to extents when truncate exceeds inline size
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: convert inline data to extents when truncate exceeds inline size
Add a check in ext4_setattr() to convert files from inline data storage
to extent-based storage when truncate() grows the file size beyond the
inline capacity. This prevents the filesystem from entering an
inconsistent state where the inline data flag is set but the file size
exceeds what can be stored inline.
Without this fix, the following sequence causes a kernel BUG_ON():
1. Mount filesystem with inode that has inline flag set and small size
2. truncate(file, 50MB) - grows size but inline flag remains set
3. sendfile() attempts to write data
4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)
The crash occurs because ext4_write_inline_data() expects inline storage
to accommodate the write, but the actual inline capacity (~60 bytes for
i_block + ~96 bytes for xattrs) is far smaller than the file size and
write request.
The fix checks if the new size from setattr exceeds the inode's actual
inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to
extent-based storage before proceeding with the size change.
This addresses the root cause by ensuring the inline data flag and file
size remain consistent during truncate operations.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < 110d7ef602659ce4d7947c5480f7ca2779696aaf (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < f53a5d9f32924bc2a810d2df243b7714da58b636 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < c047332be7195833a5c5126816c2502df8269fe4 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < 699bac4d4c951974d55b045c983d1de777215949 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < 7920dcc571cef3d8aa9ee109c136125d61d41669 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < 93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6 (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < 07c1a31af18290054da3d18221b8bf58983c5d3a (git) |
| Linux | Linux | Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947, < ed9356a30e59c7cc3198e7fc46cfedf3767b9b17 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "110d7ef602659ce4d7947c5480f7ca2779696aaf",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "f53a5d9f32924bc2a810d2df243b7714da58b636",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "c047332be7195833a5c5126816c2502df8269fe4",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "699bac4d4c951974d55b045c983d1de777215949",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "7920dcc571cef3d8aa9ee109c136125d61d41669",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "07c1a31af18290054da3d18221b8bf58983c5d3a",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "ed9356a30e59c7cc3198e7fc46cfedf3767b9b17",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: convert inline data to extents when truncate exceeds inline size\n\nAdd a check in ext4_setattr() to convert files from inline data storage\nto extent-based storage when truncate() grows the file size beyond the\ninline capacity. This prevents the filesystem from entering an\ninconsistent state where the inline data flag is set but the file size\nexceeds what can be stored inline.\n\nWithout this fix, the following sequence causes a kernel BUG_ON():\n\n1. Mount filesystem with inode that has inline flag set and small size\n2. truncate(file, 50MB) - grows size but inline flag remains set\n3. sendfile() attempts to write data\n4. ext4_write_inline_data() hits BUG_ON(write_size \u003e inline_capacity)\n\nThe crash occurs because ext4_write_inline_data() expects inline storage\nto accommodate the write, but the actual inline capacity (~60 bytes for\ni_block + ~96 bytes for xattrs) is far smaller than the file size and\nwrite request.\n\nThe fix checks if the new size from setattr exceeds the inode\u0027s actual\ninline capacity (EXT4_I(inode)-\u003ei_inline_size) and converts the file to\nextent-based storage before proceeding with the size change.\n\nThis addresses the root cause by ensuring the inline data flag and file\nsize remain consistent during truncate operations."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:30.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/110d7ef602659ce4d7947c5480f7ca2779696aaf"
},
{
"url": "https://git.kernel.org/stable/c/f53a5d9f32924bc2a810d2df243b7714da58b636"
},
{
"url": "https://git.kernel.org/stable/c/c047332be7195833a5c5126816c2502df8269fe4"
},
{
"url": "https://git.kernel.org/stable/c/699bac4d4c951974d55b045c983d1de777215949"
},
{
"url": "https://git.kernel.org/stable/c/7920dcc571cef3d8aa9ee109c136125d61d41669"
},
{
"url": "https://git.kernel.org/stable/c/93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6"
},
{
"url": "https://git.kernel.org/stable/c/07c1a31af18290054da3d18221b8bf58983c5d3a"
},
{
"url": "https://git.kernel.org/stable/c/ed9356a30e59c7cc3198e7fc46cfedf3767b9b17"
}
],
"title": "ext4: convert inline data to extents when truncate exceeds inline size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31452",
"datePublished": "2026-04-22T13:53:46.917Z",
"dateReserved": "2026-03-09T15:48:24.091Z",
"dateUpdated": "2026-04-23T15:18:30.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38192 (GCVE-0-2025-38192)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-03-25 10:19
Title
net: clear the dst when changing skb protocol
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: clear the dst when changing skb protocol
A not-so-careful NAT46 BPF program can crash the kernel
if it indiscriminately flips ingress packets from v4 to v6:
  BUG: kernel NULL pointer dereference, address: 0000000000000000
    ip6_rcv_core (net/ipv6/ip6_input.c:190:20)
    ipv6_rcv (net/ipv6/ip6_input.c:306:8)
    process_backlog (net/core/dev.c:6186:4)
    napi_poll (net/core/dev.c:6906:9)
    net_rx_action (net/core/dev.c:7028:13)
    do_softirq (kernel/softirq.c:462:3)
    netif_rx (net/core/dev.c:5326:3)
    dev_loopback_xmit (net/core/dev.c:4015:2)
    ip_mc_finish_output (net/ipv4/ip_output.c:363:8)
    NF_HOOK (./include/linux/netfilter.h:314:9)
    ip_mc_output (net/ipv4/ip_output.c:400:5)
    dst_output (./include/net/dst.h:459:9)
    ip_local_out (net/ipv4/ip_output.c:130:9)
    ip_send_skb (net/ipv4/ip_output.c:1496:8)
    udp_send_skb (net/ipv4/udp.c:1040:8)
    udp_sendmsg (net/ipv4/udp.c:1328:10)
The output interface has a 4->6 program attached at ingress.
We try to loop the multicast skb back to the sending socket.
Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr
and changes skb->protocol to v6. We enter ip6_rcv_core which
tries to use skb_dst(). But the dst is still an IPv4 one left
after IPv4 mcast output.
Clear the dst in all BPF helpers which change the protocol.
Try to preserve metadata dsts, those may carry non-routing
metadata.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6578171a7ff0c31dc73258f93da7407510abf085 , < 98b1d8dc9a3170b2614f1e8c93854e75cdd83980 (git) |
| Linux | Linux | Affected: 6578171a7ff0c31dc73258f93da7407510abf085 , < bfa4d86e130a09f67607482e988313430e38f6c4 (git) |
| Linux | Linux | Affected: 6578171a7ff0c31dc73258f93da7407510abf085 , < 2a3ad42a57b43145839f2f233fb562247658a6d9 (git) |
| Linux | Linux | Affected: 6578171a7ff0c31dc73258f93da7407510abf085 , < e9994e7b9f7bbb882d13c8191731649249150d21 (git) |
| Linux | Linux | Affected: 6578171a7ff0c31dc73258f93da7407510abf085 , < ba9db6f907ac02215e30128770f85fbd7db2fcf9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98b1d8dc9a3170b2614f1e8c93854e75cdd83980",
"status": "affected",
"version": "6578171a7ff0c31dc73258f93da7407510abf085",
"versionType": "git"
},
{
"lessThan": "bfa4d86e130a09f67607482e988313430e38f6c4",
"status": "affected",
"version": "6578171a7ff0c31dc73258f93da7407510abf085",
"versionType": "git"
},
{
"lessThan": "2a3ad42a57b43145839f2f233fb562247658a6d9",
"status": "affected",
"version": "6578171a7ff0c31dc73258f93da7407510abf085",
"versionType": "git"
},
{
"lessThan": "e9994e7b9f7bbb882d13c8191731649249150d21",
"status": "affected",
"version": "6578171a7ff0c31dc73258f93da7407510abf085",
"versionType": "git"
},
{
"lessThan": "ba9db6f907ac02215e30128770f85fbd7db2fcf9",
"status": "affected",
"version": "6578171a7ff0c31dc73258f93da7407510abf085",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: clear the dst when changing skb protocol\n\nA not-so-careful NAT46 BPF program can crash the kernel\nif it indiscriminately flips ingress packets from v4 to v6:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ip6_rcv_core (net/ipv6/ip6_input.c:190:20)\n ipv6_rcv (net/ipv6/ip6_input.c:306:8)\n process_backlog (net/core/dev.c:6186:4)\n napi_poll (net/core/dev.c:6906:9)\n net_rx_action (net/core/dev.c:7028:13)\n do_softirq (kernel/softirq.c:462:3)\n netif_rx (net/core/dev.c:5326:3)\n dev_loopback_xmit (net/core/dev.c:4015:2)\n ip_mc_finish_output (net/ipv4/ip_output.c:363:8)\n NF_HOOK (./include/linux/netfilter.h:314:9)\n ip_mc_output (net/ipv4/ip_output.c:400:5)\n dst_output (./include/net/dst.h:459:9)\n ip_local_out (net/ipv4/ip_output.c:130:9)\n ip_send_skb (net/ipv4/ip_output.c:1496:8)\n udp_send_skb (net/ipv4/udp.c:1040:8)\n udp_sendmsg (net/ipv4/udp.c:1328:10)\n\nThe output interface has a 4-\u003e6 program attached at ingress.\nWe try to loop the multicast skb back to the sending socket.\nIngress BPF runs as part of netif_rx(), pushes a valid v6 hdr\nand changes skb-\u003eprotocol to v6. We enter ip6_rcv_core which\ntries to use skb_dst(). But the dst is still an IPv4 one left\nafter IPv4 mcast output.\n\nClear the dst in all BPF helpers which change the protocol.\nTry to preserve metadata dsts, those may carry non-routing\nmetadata."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:27.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98b1d8dc9a3170b2614f1e8c93854e75cdd83980"
},
{
"url": "https://git.kernel.org/stable/c/bfa4d86e130a09f67607482e988313430e38f6c4"
},
{
"url": "https://git.kernel.org/stable/c/2a3ad42a57b43145839f2f233fb562247658a6d9"
},
{
"url": "https://git.kernel.org/stable/c/e9994e7b9f7bbb882d13c8191731649249150d21"
},
{
"url": "https://git.kernel.org/stable/c/ba9db6f907ac02215e30128770f85fbd7db2fcf9"
}
],
"title": "net: clear the dst when changing skb protocol",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38192",
"datePublished": "2025-07-04T13:37:16.642Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2026-03-25T10:19:27.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23367 (GCVE-0-2026-23367)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
wifi: radiotap: reject radiotap with unknown bits
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: radiotap: reject radiotap with unknown bits
The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.
Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < 6f80f6a60f5d87e5de5fb2732751fce799991c24 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < d1d1d3c50095928624a95b67a6d7ccc3a18f2215 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < 703fa979badbba83d31cd011606d060bfb8b0d1d (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < 129c8bb320a7cef692c78056ef8e89a2a12ba448 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < 2a60c588d5d39ad187628f58395c776a97fd4323 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < 2f8ceeba670610d66f77def32011f48de951d781 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < e664971759a0e5570b50c6592e58a7f97d55e992 (git) |
| Linux | Linux | Affected: 33e5a2f776e331dc8a4379b6efb660d38f182d96 , < c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/radiotap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f80f6a60f5d87e5de5fb2732751fce799991c24",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "d1d1d3c50095928624a95b67a6d7ccc3a18f2215",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "703fa979badbba83d31cd011606d060bfb8b0d1d",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "129c8bb320a7cef692c78056ef8e89a2a12ba448",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "2a60c588d5d39ad187628f58395c776a97fd4323",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "2f8ceeba670610d66f77def32011f48de951d781",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "e664971759a0e5570b50c6592e58a7f97d55e992",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
},
{
"lessThan": "c854758abe0b8d86f9c43dc060ff56a0ee5b31e0",
"status": "affected",
"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/radiotap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator-\u003e_next_ns_data isn\u0027t initialized (it\u0027s\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator-\u003e_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:14.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f80f6a60f5d87e5de5fb2732751fce799991c24"
},
{
"url": "https://git.kernel.org/stable/c/d1d1d3c50095928624a95b67a6d7ccc3a18f2215"
},
{
"url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"
},
{
"url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"
},
{
"url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"
},
{
"url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"
},
{
"url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"
},
{
"url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"
}
],
"title": "wifi: radiotap: reject radiotap with unknown bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23367",
"datePublished": "2026-03-25T10:27:49.068Z",
"dateReserved": "2026-01-13T15:37:46.003Z",
"dateUpdated": "2026-04-18T08:58:14.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31478 (GCVE-0-2026-31478)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
response buffer management was changed to use dynamic iov array.
In the new design, smb2_calc_max_out_buf_len() expects the second
argument (hdr2_len) to be the offset of ->Buffer field in the
response structure, not a hardcoded magic number.
Fix the remaining call sites to use the correct offsetof() value.
Severity ?
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f2283680a80571ca82d710bc6ecd8f8beac67d63 , < 70b4c414889492c522b6e4331562360f49be2361 (git) |
| Linux | Linux | Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 , < 9a7166f0ef8cbb7bb48dd05e2471d995566003f5 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 6aef1765d6807e0f027cd87f6ac973eb0879a46d (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 80824c7e527b70cf9039534e60aff592e8f209d1 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 4cb537ae4f37d7d0f617815ed4bed7173fb50861 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 0e55f63dd08f09651d39e1b709a91705a8a0ddcb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70b4c414889492c522b6e4331562360f49be2361",
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"lessThan": "9a7166f0ef8cbb7bb48dd05e2471d995566003f5",
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
},
{
"lessThan": "c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "6aef1765d6807e0f027cd87f6ac973eb0879a46d",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "80824c7e527b70cf9039534e60aff592e8f209d1",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "4cb537ae4f37d7d0f617815ed4bed7173fb50861",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "0e55f63dd08f09651d39e1b709a91705a8a0ddcb",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of -\u003eBuffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:32.354Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70b4c414889492c522b6e4331562360f49be2361"
},
{
"url": "https://git.kernel.org/stable/c/9a7166f0ef8cbb7bb48dd05e2471d995566003f5"
},
{
"url": "https://git.kernel.org/stable/c/c3a89e3ec1ccf64fa6a34e391e1581ebbcba8683"
},
{
"url": "https://git.kernel.org/stable/c/6aef1765d6807e0f027cd87f6ac973eb0879a46d"
},
{
"url": "https://git.kernel.org/stable/c/80824c7e527b70cf9039534e60aff592e8f209d1"
},
{
"url": "https://git.kernel.org/stable/c/4cb537ae4f37d7d0f617815ed4bed7173fb50861"
},
{
"url": "https://git.kernel.org/stable/c/0e55f63dd08f09651d39e1b709a91705a8a0ddcb"
}
],
"title": "ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31478",
"datePublished": "2026-04-22T13:54:06.157Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-04-27T14:03:32.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31524 (GCVE-0-2026-31524)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
HID: asus: avoid memory leak in asus_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: avoid memory leak in asus_report_fixup()
The asus_report_fixup() function was returning a newly allocated
kmemdup()-allocated buffer, but never freeing it. Switch to
devm_kzalloc() to ensure the memory is managed and freed automatically
when the device is removed.
The caller of report_fixup() does not take ownership of the returned
pointer, but it is permitted to return a pointer whose lifetime is at
least that of the input buffer.
Also fix a harmless out-of-bounds read by copying only the original
descriptor size.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < 726765b43deb2b4723869d673cc5fc6f7a3b2059 (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < ede95cfcab8064d9a08813fbd7ed42cea8843dcf (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < 2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973 (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < f20f17cffbe34fb330267e0f8084f5565f807444 (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < 7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < 84724ac4821a160d47b84289adf139023027bdbb (git) |
| Linux | Linux | Affected: 5703e52cc711bc01e72cf12b86a126909c79d213 , < 2bad24c17742fc88973d6aea526ce1353f5334a3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "726765b43deb2b4723869d673cc5fc6f7a3b2059",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "ede95cfcab8064d9a08813fbd7ed42cea8843dcf",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "f20f17cffbe34fb330267e0f8084f5565f807444",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "84724ac4821a160d47b84289adf139023027bdbb",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
},
{
"lessThan": "2bad24c17742fc88973d6aea526ce1353f5334a3",
"status": "affected",
"version": "5703e52cc711bc01e72cf12b86a126909c79d213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-asus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: avoid memory leak in asus_report_fixup()\n\nThe asus_report_fixup() function was returning a newly allocated\nkmemdup()-allocated buffer, but never freeing it. Switch to\ndevm_kzalloc() to ensure the memory is managed and freed automatically\nwhen the device is removed.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it is permitted to return a pointer whose lifetime is at\nleast that of the input buffer.\n\nAlso fix a harmless out-of-bounds read by copying only the original\ndescriptor size."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:42.494Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/726765b43deb2b4723869d673cc5fc6f7a3b2059"
},
{
"url": "https://git.kernel.org/stable/c/ede95cfcab8064d9a08813fbd7ed42cea8843dcf"
},
{
"url": "https://git.kernel.org/stable/c/2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973"
},
{
"url": "https://git.kernel.org/stable/c/f20f17cffbe34fb330267e0f8084f5565f807444"
},
{
"url": "https://git.kernel.org/stable/c/7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd"
},
{
"url": "https://git.kernel.org/stable/c/a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c"
},
{
"url": "https://git.kernel.org/stable/c/84724ac4821a160d47b84289adf139023027bdbb"
},
{
"url": "https://git.kernel.org/stable/c/2bad24c17742fc88973d6aea526ce1353f5334a3"
}
],
"title": "HID: asus: avoid memory leak in asus_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31524",
"datePublished": "2026-04-22T13:54:38.389Z",
"dateReserved": "2026-03-09T15:48:24.110Z",
"dateUpdated": "2026-04-23T15:18:42.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31657 (GCVE-0-2026-31657)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
batman-adv: hold claim backbone gateways by reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old
gateway's last reference while readers still follow the pointer.
The netlink claim dump path dereferences claim->backbone_gw->orig and
takes claim->backbone_gw->crc_lock without pinning the underlying
backbone gateway. batadv_bla_check_claim() still has the same naked
pointer access pattern.
Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate
on a stable gateway reference until the read-side work is complete.
This keeps the dump and claim-check paths aligned with the lifetime
rules introduced for the other BLA claim readers.
Severity ?
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
23721387c409087fd3b97e274f34d3ddc0970b74 , < f4858832ddef2f39f21e30b7226bbcd3c4b2bc96
(git)
Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 2f55b58b5a0bbed192d60c444a45a49cdf1b545f (git) Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 7962b522222628596ca9ecc8722efc95367aadbd (git) Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 4dee4c0688443aaf5bbec74aa203c851d1d53c35 (git) Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 1f2dc36c297d27733f1b380ea644cf15a361bd7b (git) Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 82d8701b2c930d0e96b0dbc9115a218d791cb0d2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4858832ddef2f39f21e30b7226bbcd3c4b2bc96",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "2f55b58b5a0bbed192d60c444a45a49cdf1b545f",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "7962b522222628596ca9ecc8722efc95367aadbd",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "4dee4c0688443aaf5bbec74aa203c851d1d53c35",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "1f2dc36c297d27733f1b380ea644cf15a361bd7b",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "82d8701b2c930d0e96b0dbc9115a218d791cb0d2",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim-\u003ebackbone_gw and drop the old\ngateway\u0027s last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim-\u003ebackbone_gw-\u003eorig and\ntakes claim-\u003ebackbone_gw-\u003ecrc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:44.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96"
},
{
"url": "https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f"
},
{
"url": "https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd"
},
{
"url": "https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35"
},
{
"url": "https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b"
},
{
"url": "https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2"
}
],
"title": "batman-adv: hold claim backbone gateways by reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31657",
"datePublished": "2026-04-24T14:45:08.867Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:44.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38303 (GCVE-0-2025-38303)
Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2026-04-11 12:45
Title
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER
without checking if that would fit.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < 2d4588f55cc10fc228f3b46469dbfb3f0a8b13c8
(git)
Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < 2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f (git) Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < b9db0c27e73b7c8a19384a44af527edfda74ff3d (git) Affected: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 , < 47c03902269aff377f959dc3fd94a9733aa31d6e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/eir.c",
"net/bluetooth/eir.h",
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d4588f55cc10fc228f3b46469dbfb3f0a8b13c8",
"status": "affected",
"version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
"versionType": "git"
},
{
"lessThan": "2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f",
"status": "affected",
"version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
"versionType": "git"
},
{
"lessThan": "b9db0c27e73b7c8a19384a44af527edfda74ff3d",
"status": "affected",
"version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
"versionType": "git"
},
{
"lessThan": "47c03902269aff377f959dc3fd94a9733aa31d6e",
"status": "affected",
"version": "01ce70b0a274bd76a5a311fb90d4d446d9bdfea1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/eir.c",
"net/bluetooth/eir.h",
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix possible crashes on eir_create_adv_data\n\neir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER\nwithout checking if that would fit."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:36.082Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d4588f55cc10fc228f3b46469dbfb3f0a8b13c8"
},
{
"url": "https://git.kernel.org/stable/c/2af40d795d3fb0ee5c074b7ac56ab22402aa6e4f"
},
{
"url": "https://git.kernel.org/stable/c/b9db0c27e73b7c8a19384a44af527edfda74ff3d"
},
{
"url": "https://git.kernel.org/stable/c/47c03902269aff377f959dc3fd94a9733aa31d6e"
}
],
"title": "Bluetooth: eir: Fix possible crashes on eir_create_adv_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38303",
"datePublished": "2025-07-10T07:42:14.728Z",
"dateReserved": "2025-04-16T04:51:24.002Z",
"dateUpdated": "2026-04-11T12:45:36.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37945 (GCVE-0-2025-37945)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:58 – Updated: 2026-04-11 12:45
Title
net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY
DSA has 2 kinds of drivers:
1. Those who call dsa_switch_suspend() and dsa_switch_resume() from
   their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz
2. Those who don't: all others. The above methods should be optional.
For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(),
and dsa_switch_resume() calls dsa_user_resume() -> phylink_start().
These seem good candidates for setting mac_managed_pm = true because
that is essentially its definition [1], but that does not seem to be the
biggest problem for now, and is not what this change focuses on.
Talking strictly about the 2nd category of DSA drivers here (which
do not have MAC managed PM, meaning that for their attached PHYs,
mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),
I have noticed that the following warning from mdio_bus_phy_resume() is
triggered:
	WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY &&
		phydev->state != PHY_UP);
because the PHY state machine is running.
It's running as a result of a previous dsa_user_open() -> ... ->
phylink_start() -> phy_start() having been initiated by the user.
The previous mdio_bus_phy_suspend() was supposed to have called
phy_stop_machine(), but it didn't. So this is why the PHY is in state
PHY_NOLINK by the time mdio_bus_phy_resume() runs.
mdio_bus_phy_suspend() did not call phy_stop_machine() because for
phylink, the phydev->adjust_link function pointer is NULL. This seems a
technicality introduced by commit fddd91016d16 ("phylib: fix PAL state
machine restart on resume"). That commit was written before phylink
existed, and was intended to avoid crashing with consumer drivers which
don't use the PHY state machine - phylink always does, when using a PHY.
But phylink itself has historically not been developed with
suspend/resume in mind, and apparently not tested too much in that
scenario, allowing this bug to exist unnoticed for so long. Plus, prior
to the WARN_ON(), it would have likely been invisible.
This issue is not in fact restricted to type 2 DSA drivers (according to
the above ad-hoc classification), but can be extrapolated to any MAC
driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where
the issue was reported. Assuming mac_managed_pm is set correctly, a
quick search indicates the following other drivers might be affected:
$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm
drivers/net/ethernet/atheros/ag71xx.c
drivers/net/ethernet/microchip/sparx5/sparx5_main.c
drivers/net/ethernet/microchip/lan966x/lan966x_main.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/freescale/ucc_geth.c
drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
drivers/net/ethernet/marvell/mvneta.c
drivers/net/ethernet/marvell/prestera/prestera_main.c
drivers/net/ethernet/mediatek/mtk_eth_soc.c
drivers/net/ethernet/altera/altera_tse_main.c
drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
drivers/net/ethernet/meta/fbnic/fbnic_phylink.c
drivers/net/ethernet/tehuti/tn40_phy.c
drivers/net/ethernet/mscc/ocelot_net.c
Make the existing conditions dependent on the PHY device having a
phydev->phy_link_change() implementation equal to the default
phy_link_change() provided by phylib. Otherwise, we implicitly know that
the phydev has the phylink-provided phylink_phy_change() callback, and
when phylink is used, the PHY state machine always needs to be stopped/
started on the suspend/resume path. The code is structured as such that
if phydev->phy_link_change() is absent, it is a matter of time until the
kernel will crash - no need to further complicate the test.
Thus, for the situation where the PM is not managed b
---truncated---
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < 17eef1e44883845b9567afc893dc41e004c08d65
(git)
Affected: 744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < 043aa41c43f8cb9cce75367ea07895ce68b5abb0 (git) Affected: 744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < a6ed6f8ec81b8ca7100dcd9e62bdbc0dff1b2259 (git) Affected: 744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < 54e5d00a8de6c13f6c01a94ed48025e882cd15f7 (git) Affected: 744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < bd4037d51d3f6667636a1383e78e48a5b7b60755 (git) Affected: 744d23c71af39c7dc77ac7c3cac87ae86a181a85 , < fc75ea20ffb452652f0d4033f38fe88d7cfdae35 (git) Affected: 47ac7b2f6a1ffef76e55a9ec146881a36673284b (git) Affected: 7dc0ed411de3450e75b2a9600b5742cbf0908167 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17eef1e44883845b9567afc893dc41e004c08d65",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"lessThan": "043aa41c43f8cb9cce75367ea07895ce68b5abb0",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"lessThan": "a6ed6f8ec81b8ca7100dcd9e62bdbc0dff1b2259",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"lessThan": "54e5d00a8de6c13f6c01a94ed48025e882cd15f7",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"lessThan": "bd4037d51d3f6667636a1383e78e48a5b7b60755",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"lessThan": "fc75ea20ffb452652f0d4033f38fe88d7cfdae35",
"status": "affected",
"version": "744d23c71af39c7dc77ac7c3cac87ae86a181a85",
"versionType": "git"
},
{
"status": "affected",
"version": "47ac7b2f6a1ffef76e55a9ec146881a36673284b",
"versionType": "git"
},
{
"status": "affected",
"version": "7dc0ed411de3450e75b2a9600b5742cbf0908167",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY\n\nDSA has 2 kinds of drivers:\n\n1. Those who call dsa_switch_suspend() and dsa_switch_resume() from\n their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz\n2. Those who don\u0027t: all others. The above methods should be optional.\n\nFor type 1, dsa_switch_suspend() calls dsa_user_suspend() -\u003e phylink_stop(),\nand dsa_switch_resume() calls dsa_user_resume() -\u003e phylink_start().\nThese seem good candidates for setting mac_managed_pm = true because\nthat is essentially its definition [1], but that does not seem to be the\nbiggest problem for now, and is not what this change focuses on.\n\nTalking strictly about the 2nd category of DSA drivers here (which\ndo not have MAC managed PM, meaning that for their attached PHYs,\nmdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),\nI have noticed that the following warning from mdio_bus_phy_resume() is\ntriggered:\n\n\tWARN_ON(phydev-\u003estate != PHY_HALTED \u0026\u0026 phydev-\u003estate != PHY_READY \u0026\u0026\n\t\tphydev-\u003estate != PHY_UP);\n\nbecause the PHY state machine is running.\n\nIt\u0027s running as a result of a previous dsa_user_open() -\u003e ... -\u003e\nphylink_start() -\u003e phy_start() having been initiated by the user.\n\nThe previous mdio_bus_phy_suspend() was supposed to have called\nphy_stop_machine(), but it didn\u0027t. So this is why the PHY is in state\nPHY_NOLINK by the time mdio_bus_phy_resume() runs.\n\nmdio_bus_phy_suspend() did not call phy_stop_machine() because for\nphylink, the phydev-\u003eadjust_link function pointer is NULL. This seems a\ntechnicality introduced by commit fddd91016d16 (\"phylib: fix PAL state\nmachine restart on resume\"). 
That commit was written before phylink\nexisted, and was intended to avoid crashing with consumer drivers which\ndon\u0027t use the PHY state machine - phylink always does, when using a PHY.\nBut phylink itself has historically not been developed with\nsuspend/resume in mind, and apparently not tested too much in that\nscenario, allowing this bug to exist unnoticed for so long. Plus, prior\nto the WARN_ON(), it would have likely been invisible.\n\nThis issue is not in fact restricted to type 2 DSA drivers (according to\nthe above ad-hoc classification), but can be extrapolated to any MAC\ndriver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where\nthe issue was reported. Assuming mac_managed_pm is set correctly, a\nquick search indicates the following other drivers might be affected:\n\n$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm\ndrivers/net/ethernet/atheros/ag71xx.c\ndrivers/net/ethernet/microchip/sparx5/sparx5_main.c\ndrivers/net/ethernet/microchip/lan966x/lan966x_main.c\ndrivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c\ndrivers/net/ethernet/freescale/fs_enet/fs_enet-main.c\ndrivers/net/ethernet/freescale/dpaa/dpaa_eth.c\ndrivers/net/ethernet/freescale/ucc_geth.c\ndrivers/net/ethernet/freescale/enetc/enetc_pf_common.c\ndrivers/net/ethernet/marvell/mvpp2/mvpp2_main.c\ndrivers/net/ethernet/marvell/mvneta.c\ndrivers/net/ethernet/marvell/prestera/prestera_main.c\ndrivers/net/ethernet/mediatek/mtk_eth_soc.c\ndrivers/net/ethernet/altera/altera_tse_main.c\ndrivers/net/ethernet/wangxun/txgbe/txgbe_phy.c\ndrivers/net/ethernet/meta/fbnic/fbnic_phylink.c\ndrivers/net/ethernet/tehuti/tn40_phy.c\ndrivers/net/ethernet/mscc/ocelot_net.c\n\nMake the existing conditions dependent on the PHY device having a\nphydev-\u003ephy_link_change() implementation equal to the default\nphy_link_change() provided by phylib. 
Otherwise, we implicitly know that\nthe phydev has the phylink-provided phylink_phy_change() callback, and\nwhen phylink is used, the PHY state machine always needs to be stopped/\nstarted on the suspend/resume path. The code is structured as such that\nif phydev-\u003ephy_link_change() is absent, it is a matter of time until the\nkernel will crash - no need to further complicate the test.\n\nThus, for the situation where the PM is not managed b\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:33.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17eef1e44883845b9567afc893dc41e004c08d65"
},
{
"url": "https://git.kernel.org/stable/c/043aa41c43f8cb9cce75367ea07895ce68b5abb0"
},
{
"url": "https://git.kernel.org/stable/c/a6ed6f8ec81b8ca7100dcd9e62bdbc0dff1b2259"
},
{
"url": "https://git.kernel.org/stable/c/54e5d00a8de6c13f6c01a94ed48025e882cd15f7"
},
{
"url": "https://git.kernel.org/stable/c/bd4037d51d3f6667636a1383e78e48a5b7b60755"
},
{
"url": "https://git.kernel.org/stable/c/fc75ea20ffb452652f0d4033f38fe88d7cfdae35"
}
],
"title": "net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37945",
"datePublished": "2025-05-20T15:58:20.841Z",
"dateReserved": "2025-04-16T04:51:23.972Z",
"dateUpdated": "2026-04-11T12:45:33.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31426 (GCVE-0-2026-31426)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-27 14:03
Title
ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:

ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()

When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware
platforms, it has already started the EC and installed the address
space handler with the struct acpi_ec pointer as handler context.
However, acpi_ec_setup() propagates the error without any cleanup.

The caller acpi_ec_add() then frees the struct acpi_ec for non-boot
instances, leaving a dangling handler context in ACPICA.

Any subsequent AML evaluation that accesses an EC OpRegion field
dispatches into acpi_ec_space_handler() with the freed pointer,
causing a use-after-free:

  BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)
  Write of size 8 at addr ffff88800721de38 by task init/1
  Call Trace:
  <TASK>
  mutex_lock (kernel/locking/mutex.c:289)
  acpi_ec_space_handler (drivers/acpi/ec.c:1362)
  acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)
  acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)
  acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)
  acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)
  acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)
  acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)
  </TASK>

  Allocated by task 1:
  acpi_ec_alloc (drivers/acpi/ec.c:1424)
  acpi_ec_add (drivers/acpi/ec.c:1692)

  Freed by task 1:
  kfree (mm/slub.c:6876)
  acpi_ec_add (drivers/acpi/ec.c:1751)

The bug triggers on reduced-hardware EC platforms (ec->gpe < 0)
when the GPIO IRQ provider defers probing. Once the stale handler
exists, any unprivileged sysfs read that causes AML to touch an
EC OpRegion (battery, thermal, backlight) exercises the dangling
pointer.

Fix this by calling ec_remove_handlers() in the error path of
acpi_ec_setup() before clearing first_ec. ec_remove_handlers()
checks each EC_FLAGS_* bit before acting, so it is safe to call
regardless of how far ec_install_handlers() progressed:

  -ENODEV (handler not installed): only calls acpi_ec_stop()
  -EPROBE_DEFER (handler installed): removes handler, stops EC
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < 022d1727f33ff90b3e1775125264e3023901952e (git); Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < 9c886e63b69658959633937e3acb7ca8addf7499 (git); Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < 808c0f156f48d5b8ca34088cbbfba8444e606cbc (git); Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < d04c007047c88158141d9bd5eac761cdadd3782c (git); Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < be1a827e15991e874e0d5222d0ea5fdad01960fe (git); Affected: 03e9a0e05739cf872fee494b06c75c0469704a21, < f6484cadbcaf26b5844b51bd7307a663dda48ef6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "022d1727f33ff90b3e1775125264e3023901952e",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "9c886e63b69658959633937e3acb7ca8addf7499",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "808c0f156f48d5b8ca34088cbbfba8444e606cbc",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "d04c007047c88158141d9bd5eac761cdadd3782c",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "be1a827e15991e874e0d5222d0ea5fdad01960fe",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "f6484cadbcaf26b5844b51bd7307a663dda48ef6",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: clean up handlers on probe failure in acpi_ec_setup()\n\nWhen ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware\nplatforms, it has already started the EC and installed the address\nspace handler with the struct acpi_ec pointer as handler context.\nHowever, acpi_ec_setup() propagates the error without any cleanup.\n\nThe caller acpi_ec_add() then frees the struct acpi_ec for non-boot\ninstances, leaving a dangling handler context in ACPICA.\n\nAny subsequent AML evaluation that accesses an EC OpRegion field\ndispatches into acpi_ec_space_handler() with the freed pointer,\ncausing a use-after-free:\n\n BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)\n Write of size 8 at addr ffff88800721de38 by task init/1\n Call Trace:\n \u003cTASK\u003e\n mutex_lock (kernel/locking/mutex.c:289)\n acpi_ec_space_handler (drivers/acpi/ec.c:1362)\n acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)\n acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)\n acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)\n acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)\n acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)\n acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)\n \u003c/TASK\u003e\n\n Allocated by task 1:\n acpi_ec_alloc (drivers/acpi/ec.c:1424)\n acpi_ec_add (drivers/acpi/ec.c:1692)\n\n Freed by task 1:\n kfree (mm/slub.c:6876)\n acpi_ec_add (drivers/acpi/ec.c:1751)\n\nThe bug triggers on reduced-hardware EC platforms (ec-\u003egpe \u003c 0)\nwhen the GPIO IRQ provider defers probing. Once the stale handler\nexists, any unprivileged sysfs read that causes AML to touch an\nEC OpRegion (battery, thermal, backlight) exercises the dangling\npointer.\n\nFix this by calling ec_remove_handlers() in the error path of\nacpi_ec_setup() before clearing first_ec. 
ec_remove_handlers()\nchecks each EC_FLAGS_* bit before acting, so it is safe to call\nregardless of how far ec_install_handlers() progressed:\n\n -ENODEV (handler not installed): only calls acpi_ec_stop()\n -EPROBE_DEFER (handler installed): removes handler, stops EC"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:02.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/022d1727f33ff90b3e1775125264e3023901952e"
},
{
"url": "https://git.kernel.org/stable/c/9c886e63b69658959633937e3acb7ca8addf7499"
},
{
"url": "https://git.kernel.org/stable/c/808c0f156f48d5b8ca34088cbbfba8444e606cbc"
},
{
"url": "https://git.kernel.org/stable/c/d04c007047c88158141d9bd5eac761cdadd3782c"
},
{
"url": "https://git.kernel.org/stable/c/be1a827e15991e874e0d5222d0ea5fdad01960fe"
},
{
"url": "https://git.kernel.org/stable/c/f6484cadbcaf26b5844b51bd7307a663dda48ef6"
}
],
"title": "ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31426",
"datePublished": "2026-04-13T13:40:29.635Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-27T14:03:02.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31759 (GCVE-0-2026-31759)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: ulpi: fix double free in ulpi_register_interface() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: fix double free in ulpi_register_interface() error path

When device_register() fails, ulpi_register() calls put_device() on
ulpi->dev.

The device release callback ulpi_dev_release() drops the OF node
reference and frees ulpi, but the current error path in
ulpi_register_interface() then calls kfree(ulpi) again, causing a
double free.

Let put_device() handle the cleanup through ulpi_dev_release() and
avoid freeing ulpi again in ulpi_register_interface().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < 2f70ba9dae13a190673cc3f9b4aad52179738f60 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < ee248e6e941e4f2e634df2bd43e5f1ef810ab6df (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < 272a9b26c336a295e4e209157fed809706c1b1f7 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < aaeae6533d77e6ed4def85baec01e2815ebbef61 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < 8763f8317bb389aded32a32b08f6751cfff657d2 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < 38c28fe25611099230f0965c925499bfcf46a795 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < a6e5461f076c2ef63159f18e5cdbd30b50f0bc15 (git); Affected: 289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f, < 01af542392b5d41fd659d487015a71f627accce3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/common/ulpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f70ba9dae13a190673cc3f9b4aad52179738f60",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "ee248e6e941e4f2e634df2bd43e5f1ef810ab6df",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "272a9b26c336a295e4e209157fed809706c1b1f7",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "aaeae6533d77e6ed4def85baec01e2815ebbef61",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "8763f8317bb389aded32a32b08f6751cfff657d2",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "38c28fe25611099230f0965c925499bfcf46a795",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "a6e5461f076c2ef63159f18e5cdbd30b50f0bc15",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
},
{
"lessThan": "01af542392b5d41fd659d487015a71f627accce3",
"status": "affected",
"version": "289fcff4bcdb1dcc0ce8788b7ea0f58a9e4a495f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/common/ulpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() on\nulpi-\u003edev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:51.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f70ba9dae13a190673cc3f9b4aad52179738f60"
},
{
"url": "https://git.kernel.org/stable/c/ee248e6e941e4f2e634df2bd43e5f1ef810ab6df"
},
{
"url": "https://git.kernel.org/stable/c/272a9b26c336a295e4e209157fed809706c1b1f7"
},
{
"url": "https://git.kernel.org/stable/c/aaeae6533d77e6ed4def85baec01e2815ebbef61"
},
{
"url": "https://git.kernel.org/stable/c/8763f8317bb389aded32a32b08f6751cfff657d2"
},
{
"url": "https://git.kernel.org/stable/c/38c28fe25611099230f0965c925499bfcf46a795"
},
{
"url": "https://git.kernel.org/stable/c/a6e5461f076c2ef63159f18e5cdbd30b50f0bc15"
},
{
"url": "https://git.kernel.org/stable/c/01af542392b5d41fd659d487015a71f627accce3"
}
],
"title": "usb: ulpi: fix double free in ulpi_register_interface() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31759",
"datePublished": "2026-05-01T14:14:51.895Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:51.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31392 (GCVE-0-2026-31392)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
smb: client: fix krb5 mount with username option
Summary
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix krb5 mount with username option

Customer reported that some of their krb5 mounts were failing against
a single server as the client was trying to mount the shares with
wrong credentials. It turned out the client was reusing SMB session
from first mount to try mounting the other shares, even though a
different username= option had been specified to the other mounts.

Using the username mount option along with sec=krb5 to search for
principals from keytab is supported by cifs.upcall(8) since
cifs-utils-4.8. So fix this by matching username mount option in
match_session() even with Kerberos.

For example, the second mount below should fail with -ENOKEY as there
is no 'foobar' principal in keytab (/etc/krb5.keytab). The client
ends up reusing SMB session from first mount to perform the second
one, which is wrong.

```
$ ktutil
ktutil: add_entry -password -p testuser -k 1 -e aes256-cts
Password for testuser@ZELDA.TEST:
ktutil: write_kt /etc/krb5.keytab
ktutil: quit
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
$ mount -t cifs | grep -Po 'username=\K\w+'
testuser
testuser
```
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < fd4547830720647d4af02ee50f883c4b1cca06e4 (git); Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < 9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2 (git); Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < d33cbf0bf8979d779900da9be2505d68d9d8da25 (git); Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < 9ee803bfdba0cf739038dbdabdd4c02582c8f2b2 (git); Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < 6e9ff1eb7feedcf46ff2d0503759960ab58e7775 (git); Affected: 4ff67b720c02c36e54d55b88c2931879b7db1cd2, < 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 (git); Affected: 223c7f082d2836ac719b3b228bdcfab35e5e5330 (git); Affected: 88720224330a655ab6268e20109b65b11cfd7f6a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd4547830720647d4af02ee50f883c4b1cca06e4",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"lessThan": "9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"lessThan": "d33cbf0bf8979d779900da9be2505d68d9d8da25",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"lessThan": "9ee803bfdba0cf739038dbdabdd4c02582c8f2b2",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"lessThan": "6e9ff1eb7feedcf46ff2d0503759960ab58e7775",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"lessThan": "12b4c5d98cd7ca46d5035a57bcd995df614c14e1",
"status": "affected",
"version": "4ff67b720c02c36e54d55b88c2931879b7db1cd2",
"versionType": "git"
},
{
"status": "affected",
"version": "223c7f082d2836ac719b3b228bdcfab35e5e5330",
"versionType": "git"
},
{
"status": "affected",
"version": "88720224330a655ab6268e20109b65b11cfd7f6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/connect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix krb5 mount with username option\n\nCustomer reported that some of their krb5 mounts were failing against\na single server as the client was trying to mount the shares with\nwrong credentials. It turned out the client was reusing SMB session\nfrom first mount to try mounting the other shares, even though a\ndifferent username= option had been specified to the other mounts.\n\nBy using username mount option along with sec=krb5 to search for\nprincipals from keytab is supported by cifs.upcall(8) since\ncifs-utils-4.8. So fix this by matching username mount option in\nmatch_session() even with Kerberos.\n\nFor example, the second mount below should fail with -ENOKEY as there\nis no \u0027foobar\u0027 principal in keytab (/etc/krb5.keytab). The client\nends up reusing SMB session from first mount to perform the second\none, which is wrong.\n\n```\n$ ktutil\nktutil: add_entry -password -p testuser -k 1 -e aes256-cts\nPassword for testuser@ZELDA.TEST:\nktutil: write_kt /etc/krb5.keytab\nktutil: quit\n$ klist -ke\nKeytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n ---- ----------------------------------------------------------------\n 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)\n$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser\n$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar\n$ mount -t cifs | grep -Po \u0027username=\\K\\w+\u0027\ntestuser\ntestuser\n```"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:42.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd4547830720647d4af02ee50f883c4b1cca06e4"
},
{
"url": "https://git.kernel.org/stable/c/9229709ec8bf85ae7ca53aeee9aa14814cdc1bd2"
},
{
"url": "https://git.kernel.org/stable/c/d33cbf0bf8979d779900da9be2505d68d9d8da25"
},
{
"url": "https://git.kernel.org/stable/c/9ee803bfdba0cf739038dbdabdd4c02582c8f2b2"
},
{
"url": "https://git.kernel.org/stable/c/6e9ff1eb7feedcf46ff2d0503759960ab58e7775"
},
{
"url": "https://git.kernel.org/stable/c/12b4c5d98cd7ca46d5035a57bcd995df614c14e1"
}
],
"title": "smb: client: fix krb5 mount with username option",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31392",
"datePublished": "2026-04-03T15:15:57.491Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-04-27T14:02:42.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31412 (GCVE-0-2026-31412)
Vulnerability from cvelistv5 – Published: 2026-04-10 10:35 – Updated: 2026-04-13 06:08
Title
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.

Initially, the block size is set up in `fsg_lun_open()`, and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.

So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.

Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < 91817ad5452defe69bc7bc0e355f0ed5d01125cc (git); Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < ce0caaed5940162780c5c223b8ae54968a5f059b (git); Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < 228b37936376143f4b60cc6828663f6eaceb81b5 (git); Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < 3428dc5520c811e66622b2f5fa43341bf9a1f8b3 (git); Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < 387ebb0453b99d71491419a5dc4ab4bee0cacbac (git); Affected: 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, < 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_mass_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91817ad5452defe69bc7bc0e355f0ed5d01125cc",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
},
{
"lessThan": "ce0caaed5940162780c5c223b8ae54968a5f059b",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
},
{
"lessThan": "228b37936376143f4b60cc6828663f6eaceb81b5",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
},
{
"lessThan": "3428dc5520c811e66622b2f5fa43341bf9a1f8b3",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
},
{
"lessThan": "387ebb0453b99d71491419a5dc4ab4bee0cacbac",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
},
{
"lessThan": "8479891d1f04a8ce55366fe4ca361ccdb96f02e1",
"status": "affected",
"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_mass_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common-\u003edata_size_from_cmnd` by the block\nsize (`common-\u003ecurlun-\u003eblkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common-\u003edata_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common-\u003edata_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:08:41.150Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc"
},
{
"url": "https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"
},
{
"url": "https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5"
},
{
"url": "https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3"
},
{
"url": "https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac"
},
{
"url": "https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1"
}
],
"title": "usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31412",
"datePublished": "2026-04-10T10:35:05.796Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-13T06:08:41.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38162 (GCVE-0-2025-38162)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-03-25 10:19
Title
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
When calculating the lookup table size, ensure the following
multiplication does not overflow:
- desc->field_len[] maximum value is U8_MAX multiplied by
  NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.
- NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case.
- sizeof(unsigned long), from sizeof(*f->lt), lt in
  struct nft_pipapo_field.
Then, use check_mul_overflow() to multiply by bucket size and then use
check_add_overflow() to the alignment for avx2 (if needed). Finally, add
lt_size_check_overflow() helper and use it to consolidate this.
While at it, replace leftover allocation using the GFP_KERNEL to
GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "91edc076439c9e2f34b176149f1c84a47a8ec32f",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "a9e757473561da93c6a4136f0e59aba91ec777fc",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "c1360ac8156c0a3f2385baef91d8d26fd9d39701",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "43fe1181f738295624696ae9ff611790edb65b5e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "4c5c6aa9967dbe55bd017bb509885928d0f31206",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.125",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: prevent overflow in lookup table allocation\n\nWhen calculating the lookup table size, ensure the following\nmultiplication does not overflow:\n\n- desc-\u003efield_len[] maximum value is U8_MAX multiplied by\n NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.\n- NFT_PIPAPO_BUCKETS(f-\u003ebb) is 2^8, worst case.\n- sizeof(unsigned long), from sizeof(*f-\u003elt), lt in\n struct nft_pipapo_field.\n\nThen, use check_mul_overflow() to multiply by bucket size and then use\ncheck_add_overflow() to the alignment for avx2 (if needed). Finally, add\nlt_size_check_overflow() helper and use it to consolidate this.\n\nWhile at it, replace leftover allocation using the GFP_KERNEL to\nGFP_KERNEL_ACCOUNT for consistency, in pipapo_resize()."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:24.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/91edc076439c9e2f34b176149f1c84a47a8ec32f"
},
{
"url": "https://git.kernel.org/stable/c/a9e757473561da93c6a4136f0e59aba91ec777fc"
},
{
"url": "https://git.kernel.org/stable/c/c1360ac8156c0a3f2385baef91d8d26fd9d39701"
},
{
"url": "https://git.kernel.org/stable/c/43fe1181f738295624696ae9ff611790edb65b5e"
},
{
"url": "https://git.kernel.org/stable/c/4c5c6aa9967dbe55bd017bb509885928d0f31206"
}
],
"title": "netfilter: nft_set_pipapo: prevent overflow in lookup table allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38162",
"datePublished": "2025-07-03T08:36:03.731Z",
"dateReserved": "2025-04-16T04:51:23.990Z",
"dateUpdated": "2026-03-25T10:19:24.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23304 (GCVE-0-2026-23304)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
l3mdev_master_dev_rcu() can return NULL when the slave device is being
un-slaved from a VRF. All other callers deal with this, but we lost
the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()
with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on
device with address").
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)
Call Trace:
ip6_pol_route (net/ipv6/route.c:2318)
fib6_rule_lookup (net/ipv6/fib6_rules.c:115)
ip6_route_output_flags (net/ipv6/route.c:2607)
vrf_process_v6_outbound (drivers/net/vrf.c:437)
I was tempted to rework the un-slaving code to clear the flag first
and insert synchronize_rcu() before we remove the upper. But looks like
the explicit fallback to loopback_dev is an established pattern.
And I guess avoiding the synchronize_rcu() is nice, too.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d542e2ac7f9e288d49735be0775611547ca4e0ee",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "a73fe9f4ae84a239d5b2686f47a58c158aee2eb4",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "4a48fe59f29f673a3d042d679f26629a9c3e29d4",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "581800298313c9fd75e94985e6d37d21b7e35d34",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "3310fc11fc47387d1dd4759b0bc961643ea11c7f",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "0b5a7826020706057cc5a9d9009e667027f221ee",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "ae88c8256547b63980770a9ea7be73a15900d27e",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
},
{
"lessThan": "2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a",
"status": "affected",
"version": "4832c30d5458387ff2533ff66fbde26ad8bb5a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()\n\nl3mdev_master_dev_rcu() can return NULL when the slave device is being\nun-slaved from a VRF. All other callers deal with this, but we lost\nthe fallback to loopback in ip6_rt_pcpu_alloc() -\u003e ip6_rt_get_dev_rcu()\nwith commit 4832c30d5458 (\"net: ipv6: put host and anycast routes on\ndevice with address\").\n\n KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)\n Call Trace:\n ip6_pol_route (net/ipv6/route.c:2318)\n fib6_rule_lookup (net/ipv6/fib6_rules.c:115)\n ip6_route_output_flags (net/ipv6/route.c:2607)\n vrf_process_v6_outbound (drivers/net/vrf.c:437)\n\nI was tempted to rework the un-slaving code to clear the flag first\nand insert synchronize_rcu() before we remove the upper. But looks like\nthe explicit fallback to loopback_dev is an established pattern.\nAnd I guess avoiding the synchronize_rcu() is nice, too."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:51.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d542e2ac7f9e288d49735be0775611547ca4e0ee"
},
{
"url": "https://git.kernel.org/stable/c/a73fe9f4ae84a239d5b2686f47a58c158aee2eb4"
},
{
"url": "https://git.kernel.org/stable/c/4a48fe59f29f673a3d042d679f26629a9c3e29d4"
},
{
"url": "https://git.kernel.org/stable/c/581800298313c9fd75e94985e6d37d21b7e35d34"
},
{
"url": "https://git.kernel.org/stable/c/3310fc11fc47387d1dd4759b0bc961643ea11c7f"
},
{
"url": "https://git.kernel.org/stable/c/0b5a7826020706057cc5a9d9009e667027f221ee"
},
{
"url": "https://git.kernel.org/stable/c/ae88c8256547b63980770a9ea7be73a15900d27e"
},
{
"url": "https://git.kernel.org/stable/c/2ffb4f5c2ccb2fa1c049dd11899aee7967deef5a"
}
],
"title": "ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23304",
"datePublished": "2026-03-25T10:26:59.015Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:51.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31671 (GCVE-0-2026-31671)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-25 05:48
Title
xfrm_user: fix info leak in build_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_report()
struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there is three "empty" bytes of padding, but
the padding is never zeroed before copying to userspace. Fix that up by
zeroing the structure before setting individual member variables.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d27c02eec529f78055a46a5c9e6c62684382b2d8",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "716c546e88cfe49d841658240e10cb57bc50a2cc",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "e0c8542c3d097ed4205ded51868195d5d6ddac62",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "ff5ee507302303b15859753c3e0d67d38fd12c88",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "6c55714c931051cd7f4839c19ce0867179fd22fe",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "d10119968d0e1f2b669604baf2a8b5fdb72fa6b4",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:48:30.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8"
},
{
"url": "https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc"
},
{
"url": "https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9"
},
{
"url": "https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62"
},
{
"url": "https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"
},
{
"url": "https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe"
},
{
"url": "https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72"
},
{
"url": "https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4"
}
],
"title": "xfrm_user: fix info leak in build_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31671",
"datePublished": "2026-04-24T14:45:18.669Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-25T05:48:30.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31522 (GCVE-0-2026-31522)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
The magicmouse_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned
pointer, but it *is* permitted to return a sub-portion of the input
rdesc, whose lifetime is managed by the caller.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-magicmouse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "579c4c9857acdc8380fa99803f355f878bd766cb",
"status": "affected",
"version": "e6ad399596bd234be4722022146e33e15c7e424d",
"versionType": "git"
},
{
"lessThan": "d84c21aabaab517b9aaf9bc1d785922cb9db2f31",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"lessThan": "7edfe4346b052b708645d0acc0f186425766b785",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"lessThan": "79e5dcc95d9abed6f8203cfd529f4ec71f0e505d",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"lessThan": "136f605e246b4bfe7ac2259471d1ff814aed0084",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"lessThan": "fa95b0146358b49f9858139b67314591fd5871b0",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"lessThan": "91e8c6e601bdc1ccdf886479b6513c01c7e51c2c",
"status": "affected",
"version": "0b91b4e4dae63cd43871fc2012370b86ee588f91",
"versionType": "git"
},
{
"status": "affected",
"version": "c394bd1bc8537e61593b6b6799e01495c7cf9008",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-magicmouse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: avoid memory leak in magicmouse_report_fixup()\n\nThe magicmouse_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the caller."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:39.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/579c4c9857acdc8380fa99803f355f878bd766cb"
},
{
"url": "https://git.kernel.org/stable/c/d84c21aabaab517b9aaf9bc1d785922cb9db2f31"
},
{
"url": "https://git.kernel.org/stable/c/7edfe4346b052b708645d0acc0f186425766b785"
},
{
"url": "https://git.kernel.org/stable/c/79e5dcc95d9abed6f8203cfd529f4ec71f0e505d"
},
{
"url": "https://git.kernel.org/stable/c/136f605e246b4bfe7ac2259471d1ff814aed0084"
},
{
"url": "https://git.kernel.org/stable/c/fa95b0146358b49f9858139b67314591fd5871b0"
},
{
"url": "https://git.kernel.org/stable/c/91e8c6e601bdc1ccdf886479b6513c01c7e51c2c"
}
],
"title": "HID: magicmouse: avoid memory leak in magicmouse_report_fixup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31522",
"datePublished": "2026-04-22T13:54:36.885Z",
"dateReserved": "2026-03-09T15:48:24.110Z",
"dateUpdated": "2026-04-23T15:18:39.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31749 (GCVE-0-2026-31749)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
comedi: ni_atmio16d: Fix invalid clean-up after failed attach
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: ni_atmio16d: Fix invalid clean-up after failed attach
If the driver's COMEDI "attach" handler function (`atmio16d_attach()`)
returns an error, the COMEDI core will call the driver's "detach"
handler function (`atmio16d_detach()`) to clean up. This calls
`reset_atmio16d()` unconditionally, but depending on where the error
occurred in the attach handler, the device may not have been
sufficiently initialized to call `reset_atmio16d()`. It uses
`dev->iobase` as the I/O port base address and `dev->private` as the
pointer to the COMEDI device's private data structure. `dev->iobase`
may still be set to its initial value of 0, which would result in
undesired writes to low I/O port addresses. `dev->private` may still be
`NULL`, which would result in null pointer dereferences.
Fix `atmio16d_detach()` by checking that `dev->private` is valid
(non-null) before calling `reset_atmio16d()`. This implies that
`dev->iobase` was set correctly since that is set up before
`dev->private`.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/ni_atmio16d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a01dd339ea6ac58b0967a50085622a6017351140",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "933a2d6a95f9bfb203e562c9be1dd990c735535c",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "5d8d88c8c0eec230de8f1f60e0920a4337939a88",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "f517646e008fe99ca1800601cd011b110f8684ae",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "3848ae00b1642e2c98ff8cbfd2d3b38c6f53b5c3",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "43c68a2c7cc35b7c2a83c285cb4ad3d472b8caa2",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "d07d97ca4f7fac467cdcf4a012690853958b7e89",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
},
{
"lessThan": "101ab946b79ad83b36d5cfd47de587492a80acf0",
"status": "affected",
"version": "2323b276308a5da5774b778f39c7fd94b2a3022a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/ni_atmio16d.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: ni_atmio16d: Fix invalid clean-up after failed attach\n\nIf the driver\u0027s COMEDI \"attach\" handler function (`atmio16d_attach()`)\nreturns an error, the COMEDI core will call the driver\u0027s \"detach\"\nhandler function (`atmio16d_detach()`) to clean up. This calls\n`reset_atmio16d()` unconditionally, but depending on where the error\noccurred in the attach handler, the device may not have been\nsufficiently initialized to call `reset_atmio16d()`. It uses\n`dev-\u003eiobase` as the I/O port base address and `dev-\u003eprivate` as the\npointer to the COMEDI device\u0027s private data structure. `dev-\u003eiobase`\nmay still be set to its initial value of 0, which would result in\nundesired writes to low I/O port addresses. `dev-\u003eprivate` may still be\n`NULL`, which would result in null pointer dereferences.\n\nFix `atmio16d_detach()` by checking that `dev-\u003eprivate` is valid\n(non-null) before calling `reset_atmio16d()`. This implies that\n`dev-\u003eiobase` was set correctly since that is set up before\n`dev-\u003eprivate`."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:42.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a01dd339ea6ac58b0967a50085622a6017351140"
},
{
"url": "https://git.kernel.org/stable/c/933a2d6a95f9bfb203e562c9be1dd990c735535c"
},
{
"url": "https://git.kernel.org/stable/c/5d8d88c8c0eec230de8f1f60e0920a4337939a88"
},
{
"url": "https://git.kernel.org/stable/c/f517646e008fe99ca1800601cd011b110f8684ae"
},
{
"url": "https://git.kernel.org/stable/c/3848ae00b1642e2c98ff8cbfd2d3b38c6f53b5c3"
},
{
"url": "https://git.kernel.org/stable/c/43c68a2c7cc35b7c2a83c285cb4ad3d472b8caa2"
},
{
"url": "https://git.kernel.org/stable/c/d07d97ca4f7fac467cdcf4a012690853958b7e89"
},
{
"url": "https://git.kernel.org/stable/c/101ab946b79ad83b36d5cfd47de587492a80acf0"
}
],
"title": "comedi: ni_atmio16d: Fix invalid clean-up after failed attach",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31749",
"datePublished": "2026-05-01T14:14:42.227Z",
"dateReserved": "2026-03-09T15:48:24.139Z",
"dateUpdated": "2026-05-01T14:14:42.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23318 (GCVE-0-2026-23318)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
Title
ALSA: usb-audio: Use correct version for UAC3 header validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Use correct version for UAC3 header validation
The entry of the validators table for UAC3 AC header descriptor is
defined with the wrong protocol version UAC_VERSION_2, while it should
have been UAC_VERSION_3. This results in the validator never matching
for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
header descriptors to bypass validation entirely. A malicious USB
device presenting a truncated UAC3 header could exploit this to cause
out-of-bounds reads when the driver later accesses unvalidated
descriptor fields.
The bug was introduced in the same commit as the recently fixed UAC3
feature unit sub-type typo, and appears to be from the same copy-paste
error when the UAC3 section was created from the UAC2 section.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82a7d0a1b88798de1a609130080ce0c65dd869e9",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "8307d93e63d5f54ef10412d4db2dd551e920dee4",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "d3904ca40515272681ae61ad6f561c24f190957f",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "1e5753ff4c2e86aa88516f97a224c90a3d0b133e",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "499ffd15b00dc91ac95c28f76959dfb5cdcc84d5",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"lessThan": "54f9d645a5453d0bfece0c465d34aaf072ea99fa",
"status": "affected",
"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
"versionType": "git"
},
{
"status": "affected",
"version": "17821e2fb16752f5d363fb5c3f8aab4df41b9bcc",
"versionType": "git"
},
{
"status": "affected",
"version": "bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/validate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:55.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9"
},
{
"url": "https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4"
},
{
"url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"
},
{
"url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"
},
{
"url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"
},
{
"url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"
},
{
"url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"
},
{
"url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"
}
],
"title": "ALSA: usb-audio: Use correct version for UAC3 header validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23318",
"datePublished": "2026-03-25T10:27:12.884Z",
"dateReserved": "2026-01-13T15:37:45.995Z",
"dateUpdated": "2026-04-18T08:57:55.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31521 (GCVE-0-2026-31521)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-23 15:18
Title
module: Fix kernel panic when a symbol st_shndx is out of bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
module: Fix kernel panic when a symbol st_shndx is out of bounds
The module loader doesn't check for bounds of the ELF section index in
simplify_symbols():

    for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
        const char *name = info->strtab + sym[i].st_name;

        switch (sym[i].st_shndx) {
        case SHN_COMMON:

        [...]

        default:
            /* Divert to percpu allocation if a percpu var. */
            if (sym[i].st_shndx == info->index.pcpu)
                secbase = (unsigned long)mod_percpu(mod);
            else
    /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
            sym[i].st_value += secbase;
            break;
        }
    }

A symbol with an out-of-bounds st_shndx value, for example 0xffff
(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

    BUG: unable to handle page fault for address: ...
    RIP: 0010:simplify_symbols+0x2b2/0x480
    ...
    Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or
when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is
within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant
discussion for details [1].

[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/module/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d16f519b6eb1d071807e57efe0df2baa8d32ad6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4bbdb0e48176fd281c2b9a211b110db6fd94e175",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "082f15d2887329e0f43fd3727e69365f5bfe5d2c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec2b22a58073f80739013588af448ff6e2ab906f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef75dc1401d8e797ee51559a0dd0336c225e1776",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ba6957c640f58dc8ef046981a045da43e47ea23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9d69d5e7bde2295eb7488a56f094ac8f5383b92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/module/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: Fix kernel panic when a symbol st_shndx is out of bounds\n\nThe module loader doesn\u0027t check for bounds of the ELF section index in\nsimplify_symbols():\n\n for (i = 1; i \u003c symsec-\u003esh_size / sizeof(Elf_Sym); i++) {\n\t\tconst char *name = info-\u003estrtab + sym[i].st_name;\n\n\t\tswitch (sym[i].st_shndx) {\n\t\tcase SHN_COMMON:\n\n\t\t[...]\n\n\t\tdefault:\n\t\t\t/* Divert to percpu allocation if a percpu var. */\n\t\t\tif (sym[i].st_shndx == info-\u003eindex.pcpu)\n\t\t\t\tsecbase = (unsigned long)mod_percpu(mod);\n\t\t\telse\n /** HERE --\u003e **/\t\tsecbase = info-\u003esechdrs[sym[i].st_shndx].sh_addr;\n\t\t\tsym[i].st_value += secbase;\n\t\t\tbreak;\n\t\t}\n\t}\n\nA symbol with an out-of-bounds st_shndx value, for example 0xffff\n(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:\n\n BUG: unable to handle page fault for address: ...\n RIP: 0010:simplify_symbols+0x2b2/0x480\n ...\n Kernel panic - not syncing: Fatal exception\n\nThis can happen when module ELF is legitimately using SHN_XINDEX or\nwhen it is corrupted.\n\nAdd a bounds check in simplify_symbols() to validate that st_shndx is\nwithin the valid range before using it.\n\nThis issue was discovered due to a bug in llvm-objcopy, see relevant\ndiscussion for details [1].\n\n[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:18:38.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6"
},
{
"url": "https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175"
},
{
"url": "https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c"
},
{
"url": "https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f"
},
{
"url": "https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776"
},
{
"url": "https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23"
},
{
"url": "https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92"
}
],
"title": "module: Fix kernel panic when a symbol st_shndx is out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31521",
"datePublished": "2026-04-22T13:54:36.211Z",
"dateReserved": "2026-03-09T15:48:24.109Z",
"dateUpdated": "2026-04-23T15:18:38.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38626 (GCVE-0-2025-38626)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-03-25 10:19
Title
f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
w/ "mode=lfs" mount option, generic/299 will cause system panic as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2835!
Call Trace:
 <TASK>
 f2fs_allocate_data_block+0x6f4/0xc50
 f2fs_map_blocks+0x970/0x1550
 f2fs_iomap_begin+0xb2/0x1e0
 iomap_iter+0x1d6/0x430
 __iomap_dio_rw+0x208/0x9a0
 f2fs_file_write_iter+0x6b3/0xfa0
 aio_write+0x15d/0x2e0
 io_submit_one+0x55e/0xab0
 __x64_sys_io_submit+0xa5/0x230
 do_syscall_64+0x84/0x2f0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0010:new_curseg+0x70f/0x720

The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may
trigger foreground gc only if it allocates any physical block, it will be
a little bit later when there is multiple threads writing data w/
aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so
f2fs_map_blocks() does block allocations aggressively.

In order to fix this issue, let's give a chance to trigger foreground
gc in prior to block allocation in f2fs_map_blocks().
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
},
{
"lessThan": "f289690f50a01c3e085d87853392d5b7436a4cee",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
},
{
"lessThan": "82765ce5c7a56f9309ee45328e763610eaf11253",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
},
{
"lessThan": "264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
},
{
"lessThan": "385e64a0744584397b4b52b27c96703516f39968",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
},
{
"lessThan": "1005a3ca28e90c7a64fa43023f866b960a60f791",
"status": "affected",
"version": "36abef4e796d382e81a0c2d21ea5327481dd7154",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\n\nw/ \"mode=lfs\" mount option, generic/299 will cause system panic as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2835!\nCall Trace:\n \u003cTASK\u003e\n f2fs_allocate_data_block+0x6f4/0xc50\n f2fs_map_blocks+0x970/0x1550\n f2fs_iomap_begin+0xb2/0x1e0\n iomap_iter+0x1d6/0x430\n __iomap_dio_rw+0x208/0x9a0\n f2fs_file_write_iter+0x6b3/0xfa0\n aio_write+0x15d/0x2e0\n io_submit_one+0x55e/0xab0\n __x64_sys_io_submit+0xa5/0x230\n do_syscall_64+0x84/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0010:new_curseg+0x70f/0x720\n\nThe root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may\ntrigger foreground gc only if it allocates any physical block, it will be\na little bit later when there is multiple threads writing data w/\naio/dio/bufio method in parallel, since we always use OPU in lfs mode, so\nf2fs_map_blocks() does block allocations aggressively.\n\nIn order to fix this issue, let\u0027s give a chance to trigger foreground\ngc in prior to block allocation in f2fs_map_blocks()."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:31.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5"
},
{
"url": "https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee"
},
{
"url": "https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253"
},
{
"url": "https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5"
},
{
"url": "https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968"
},
{
"url": "https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791"
}
],
"title": "f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38626",
"datePublished": "2025-08-22T16:00:34.867Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2026-03-25T10:19:31.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31737 (GCVE-0-2026-31737)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
net: ftgmac100: fix ring allocation unwind on open failure
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: ftgmac100: fix ring allocation unwind on open failure

ftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and
rx_scratch in stages. On intermediate failures it returned -ENOMEM
directly, leaking resources allocated earlier in the function.

Rework the failure path to use staged local unwind labels and free
allocated resources in reverse order before returning -ENOMEM. This
matches common netdev allocation cleanup style.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < 184b3a500d60ea48d1b176103cff1706c456edf3 (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < 78da43320d9d6ed788147fb085184e4fc801f057 (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < a7e1bf392acf11dc4209820fef75758f6e42bd65 (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < 8a71911fc7eeea930153322bc1efc065db8cd97e (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < d45230081f19c280096241353c26b0de457de795 (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < 8351d18989c8642fc53e2e12d94e42314a39b078 (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < 82f86111f0704ab2ded11a2033bc6cf0be3e09ea (git) |
| Linux | Linux | Affected: d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e , < c0fd0fe745f5e8c568d898cd1513d0083e46204a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/faraday/ftgmac100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "184b3a500d60ea48d1b176103cff1706c456edf3",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "78da43320d9d6ed788147fb085184e4fc801f057",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "a7e1bf392acf11dc4209820fef75758f6e42bd65",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "8a71911fc7eeea930153322bc1efc065db8cd97e",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "d45230081f19c280096241353c26b0de457de795",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "8351d18989c8642fc53e2e12d94e42314a39b078",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "82f86111f0704ab2ded11a2033bc6cf0be3e09ea",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
},
{
"lessThan": "c0fd0fe745f5e8c568d898cd1513d0083e46204a",
"status": "affected",
"version": "d72e01a0430f8a1ae7adb3cbf0b2e73fcd99252e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/faraday/ftgmac100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ftgmac100: fix ring allocation unwind on open failure\n\nftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and\nrx_scratch in stages. On intermediate failures it returned -ENOMEM\ndirectly, leaking resources allocated earlier in the function.\n\nRework the failure path to use staged local unwind labels and free\nallocated resources in reverse order before returning -ENOMEM. This\nmatches common netdev allocation cleanup style."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:34.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/184b3a500d60ea48d1b176103cff1706c456edf3"
},
{
"url": "https://git.kernel.org/stable/c/78da43320d9d6ed788147fb085184e4fc801f057"
},
{
"url": "https://git.kernel.org/stable/c/a7e1bf392acf11dc4209820fef75758f6e42bd65"
},
{
"url": "https://git.kernel.org/stable/c/8a71911fc7eeea930153322bc1efc065db8cd97e"
},
{
"url": "https://git.kernel.org/stable/c/d45230081f19c280096241353c26b0de457de795"
},
{
"url": "https://git.kernel.org/stable/c/8351d18989c8642fc53e2e12d94e42314a39b078"
},
{
"url": "https://git.kernel.org/stable/c/82f86111f0704ab2ded11a2033bc6cf0be3e09ea"
},
{
"url": "https://git.kernel.org/stable/c/c0fd0fe745f5e8c568d898cd1513d0083e46204a"
}
],
"title": "net: ftgmac100: fix ring allocation unwind on open failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31737",
"datePublished": "2026-05-01T14:14:34.229Z",
"dateReserved": "2026-03-09T15:48:24.137Z",
"dateUpdated": "2026-05-01T14:14:34.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43040 (GCVE-0-2026-43040)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak

When processing Router Advertisements with user options the kernel
builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct
has three padding fields that are never zeroed and can leak kernel data

The fix is simple, just zeroes the padding fields.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648 (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 11d7fe97421cfc81549940c20ed5ac9472d6db05 (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 7f56d87e527bb5a13c3e8b0d5840cb6332822f6d (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < 4f810c686fde509d1cdaa706322d9d2531f8f1a4 (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < b485eef3d97b7aae55ce669b6de555ec81f3d21c (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < ef3645606e4a635d5062a492f22b7f490852ee67 (git) |
| Linux | Linux | Affected: 31910575a9de61e78065e93846e8e7a4894a18bf , < ae05340ccaa9d347fe85415609e075545bec589f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "11d7fe97421cfc81549940c20ed5ac9472d6db05",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "7f56d87e527bb5a13c3e8b0d5840cb6332822f6d",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "4f810c686fde509d1cdaa706322d9d2531f8f1a4",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "b485eef3d97b7aae55ce669b6de555ec81f3d21c",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "ef3645606e4a635d5062a492f22b7f490852ee67",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
},
{
"lessThan": "ae05340ccaa9d347fe85415609e075545bec589f",
"status": "affected",
"version": "31910575a9de61e78065e93846e8e7a4894a18bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak\n\nWhen processing Router Advertisements with user options the kernel\nbuilds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct\nhas three padding fields that are never zeroed and can leak kernel data\n\nThe fix is simple, just zeroes the padding fields."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:37.364Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1da9023f6b071a38e5430ffbce4b70b2b1ac4f9c"
},
{
"url": "https://git.kernel.org/stable/c/2fe4d0ba690a69ad6ae9f7ab9bdc96e02610b648"
},
{
"url": "https://git.kernel.org/stable/c/11d7fe97421cfc81549940c20ed5ac9472d6db05"
},
{
"url": "https://git.kernel.org/stable/c/7f56d87e527bb5a13c3e8b0d5840cb6332822f6d"
},
{
"url": "https://git.kernel.org/stable/c/4f810c686fde509d1cdaa706322d9d2531f8f1a4"
},
{
"url": "https://git.kernel.org/stable/c/b485eef3d97b7aae55ce669b6de555ec81f3d21c"
},
{
"url": "https://git.kernel.org/stable/c/ef3645606e4a635d5062a492f22b7f490852ee67"
},
{
"url": "https://git.kernel.org/stable/c/ae05340ccaa9d347fe85415609e075545bec589f"
}
],
"title": "net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43040",
"datePublished": "2026-05-01T14:15:37.364Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-05-01T14:15:37.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31433 (GCVE-0-2026-31433)
Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-04-27 14:03
Title
ksmbd: fix potencial OOB in get_file_all_info() for compound requests
Summary
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix potencial OOB in get_file_all_info() for compound requests

When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
with PATH_MAX, causing out-of-bounds write beyond the response buffer.
In get_file_all_info(), there was a missing validation check for
the client-provided OutputBufferLength before copying the filename into
FileName field of the smb2_file_all_info structure.
If the filename length exceeds the available buffer space, it could lead to
potential buffer overflows or memory corruption during smbConvertToUTF16
conversion. This calculating the actual free buffer size using
smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
insufficient and updating smbConvertToUTF16 to use the actual filename
length (clamped by PATH_MAX) to ensure a safe copy operation.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f2283680a80571ca82d710bc6ecd8f8beac67d63 , < 3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7 (git) |
| Linux | Linux | Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 , < 4cca3eff2099b18672934a39cee70aed835d652c (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 7aec5a769d2356cbf344d85bcfd36de592ac96a5 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < b0cd9725fe2bcc9f37d096b132318a9060373f5d (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 9d7032851d6f5adbe2739601ca456c0ad3b422f0 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < beef2634f81f1c086208191f7228bce1d366493d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7",
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"lessThan": "4cca3eff2099b18672934a39cee70aed835d652c",
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
},
{
"lessThan": "358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "7aec5a769d2356cbf344d85bcfd36de592ac96a5",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "b0cd9725fe2bcc9f37d096b132318a9060373f5d",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "9d7032851d6f5adbe2739601ca456c0ad3b422f0",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "beef2634f81f1c086208191f7228bce1d366493d",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial OOB in get_file_all_info() for compound requests\n\nWhen a compound request consists of QUERY_DIRECTORY + QUERY_INFO\n(FILE_ALL_INFORMATION) and the first command consumes nearly the entire\nmax_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()\nwith PATH_MAX, causing out-of-bounds write beyond the response buffer.\nIn get_file_all_info(), there was a missing validation check for\nthe client-provided OutputBufferLength before copying the filename into\nFileName field of the smb2_file_all_info structure.\nIf the filename length exceeds the available buffer space, it could lead to\npotential buffer overflows or memory corruption during smbConvertToUTF16\nconversion. This calculating the actual free buffer size using\nsmb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is\ninsufficient and updating smbConvertToUTF16 to use the actual filename\nlength (clamped by PATH_MAX) to ensure a safe copy operation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:05.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a852f9d1c981fb14f6bf4e24999e0ea8088a7d7"
},
{
"url": "https://git.kernel.org/stable/c/4cca3eff2099b18672934a39cee70aed835d652c"
},
{
"url": "https://git.kernel.org/stable/c/358cdaa1f7fbf2712cb4c5f6b59cb9a5c673c5fe"
},
{
"url": "https://git.kernel.org/stable/c/7aec5a769d2356cbf344d85bcfd36de592ac96a5"
},
{
"url": "https://git.kernel.org/stable/c/b0cd9725fe2bcc9f37d096b132318a9060373f5d"
},
{
"url": "https://git.kernel.org/stable/c/9d7032851d6f5adbe2739601ca456c0ad3b422f0"
},
{
"url": "https://git.kernel.org/stable/c/beef2634f81f1c086208191f7228bce1d366493d"
}
],
"title": "ksmbd: fix potencial OOB in get_file_all_info() for compound requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31433",
"datePublished": "2026-04-22T08:15:11.719Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-04-27T14:03:05.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23398 (GCVE-0-2026-23398)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-04-18 08:58
Title
icmp: fix NULL pointer dereference in icmp_tag_validation()
Summary
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 571d9d7b650f02d1e38c01128817868bceac9edd (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < d783fa413c702ff0f8f8bea63f862e28eeaf39e3 (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < b61529c357f1ee4d64836eb142a542d2e7ad67ce (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 9647e99d2a617c355d2b378be0ff6d0e848fd579 (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < d938dd5a0ad780c891ea3bc94cae7405f11e618a (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 (git) |
| Linux | Linux | Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 614aefe56af8e13331e50220c936fc0689cf5675 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "571d9d7b650f02d1e38c01128817868bceac9edd",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "d783fa413c702ff0f8f8bea63f862e28eeaf39e3",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "614aefe56af8e13331e50220c936fc0689cf5675",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n \u003cIRQ\u003e\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:33.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd"
},
{
"url": "https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3"
},
{
"url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
},
{
"url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"
},
{
"url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"
},
{
"url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"
},
{
"url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
},
{
"url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"
}
],
"title": "icmp: fix NULL pointer dereference in icmp_tag_validation()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23398",
"datePublished": "2026-03-26T10:22:50.606Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-18T08:58:33.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43030 (GCVE-0-2026-43030)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
bpf: Fix regsafe() for pointers to packet
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix regsafe() for pointers to packet
In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N
regsafe() may return true which may lead to current state with
valid packet range not being explored. Fix the bug.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
95b6ec733752b31bfd166c4609d2c1b5cdde9b47 , < b52f6d0ef7b308f9d05bbddb78749852f28e8e40
(git)
Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 37db6b9726d0bcf91cbdf9d63b558c50da49f968 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 015a74476dc1ab6923d89f1ee009aaf43faa7185 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < b99d82706bd1511bb875e3de7154698fd9215c99 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 7241da033fdc507b920e092dab1f97b945cb0370 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < 8aebe18069394f4a79d2d82080a0f806da449996 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < ca995b1462ec6db1e869100ba1fb7356bd3f22f0 (git) Affected: 6d94e741a8ff818e5518da8257f5ca0aaed1f269 , < a8502a79e832b861e99218cbd2d8f4312d62e225 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b52f6d0ef7b308f9d05bbddb78749852f28e8e40",
"status": "affected",
"version": "95b6ec733752b31bfd166c4609d2c1b5cdde9b47",
"versionType": "git"
},
{
"lessThan": "37db6b9726d0bcf91cbdf9d63b558c50da49f968",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "015a74476dc1ab6923d89f1ee009aaf43faa7185",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "b99d82706bd1511bb875e3de7154698fd9215c99",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "7241da033fdc507b920e092dab1f97b945cb0370",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "8aebe18069394f4a79d2d82080a0f806da449996",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "ca995b1462ec6db1e869100ba1fb7356bd3f22f0",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
},
{
"lessThan": "a8502a79e832b861e99218cbd2d8f4312d62e225",
"status": "affected",
"version": "6d94e741a8ff818e5518da8257f5ca0aaed1f269",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix regsafe() for pointers to packet\n\nIn case rold-\u003ereg-\u003erange == BEYOND_PKT_END \u0026\u0026 rcur-\u003ereg-\u003erange == N\nregsafe() may return true which may lead to current state with\nvalid packet range not being explored. Fix the bug."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:12.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b52f6d0ef7b308f9d05bbddb78749852f28e8e40"
},
{
"url": "https://git.kernel.org/stable/c/37db6b9726d0bcf91cbdf9d63b558c50da49f968"
},
{
"url": "https://git.kernel.org/stable/c/015a74476dc1ab6923d89f1ee009aaf43faa7185"
},
{
"url": "https://git.kernel.org/stable/c/b99d82706bd1511bb875e3de7154698fd9215c99"
},
{
"url": "https://git.kernel.org/stable/c/7241da033fdc507b920e092dab1f97b945cb0370"
},
{
"url": "https://git.kernel.org/stable/c/8aebe18069394f4a79d2d82080a0f806da449996"
},
{
"url": "https://git.kernel.org/stable/c/ca995b1462ec6db1e869100ba1fb7356bd3f22f0"
},
{
"url": "https://git.kernel.org/stable/c/a8502a79e832b861e99218cbd2d8f4312d62e225"
}
],
"title": "bpf: Fix regsafe() for pointers to packet",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43030",
"datePublished": "2026-05-01T14:15:30.564Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-03T05:46:12.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53228 (GCVE-0-2023-53228)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-03-25 10:19
Title
drm/amdgpu: drop redundant sched job cleanup when cs is aborted
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: drop redundant sched job cleanup when cs is aborted
Once command submission failed due to userptr invalidation in
amdgpu_cs_submit, legacy code will perform cleanup of scheduler
job. However, it's not needed at all, as former commit has integrated
job cleanup stuff into amdgpu_job_free. Otherwise, because of double
free, a NULL pointer dereference will occur in such scenario.
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2457
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
49aa99f05dbc75b9ae360a74648c420a80f7ee49 , < cdce1644d85e858c68fb5fa67d78eb1035bf34f4
(git)
Affected: f7d66fb2ea43a3016e78a700a2ca6c77a74579f9 , < c1564d4b105ae535eb3183ecaaa987685b20a888 (git) Affected: f7d66fb2ea43a3016e78a700a2ca6c77a74579f9 , < ec02a29c3c2ef8ad3e15a0e3f96b99a00e5d97b4 (git) Affected: f7d66fb2ea43a3016e78a700a2ca6c77a74579f9 , < 1253685f0d3eb3eab0bfc4bf15ab341a5f3da0c8 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:51:27.851489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:59.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cdce1644d85e858c68fb5fa67d78eb1035bf34f4",
"status": "affected",
"version": "49aa99f05dbc75b9ae360a74648c420a80f7ee49",
"versionType": "git"
},
{
"lessThan": "c1564d4b105ae535eb3183ecaaa987685b20a888",
"status": "affected",
"version": "f7d66fb2ea43a3016e78a700a2ca6c77a74579f9",
"versionType": "git"
},
{
"lessThan": "ec02a29c3c2ef8ad3e15a0e3f96b99a00e5d97b4",
"status": "affected",
"version": "f7d66fb2ea43a3016e78a700a2ca6c77a74579f9",
"versionType": "git"
},
{
"lessThan": "1253685f0d3eb3eab0bfc4bf15ab341a5f3da0c8",
"status": "affected",
"version": "f7d66fb2ea43a3016e78a700a2ca6c77a74579f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: drop redundant sched job cleanup when cs is aborted\n\nOnce command submission failed due to userptr invalidation in\namdgpu_cs_submit, legacy code will perform cleanup of scheduler\njob. However, it\u0027s not needed at all, as former commit has integrated\njob cleanup stuff into amdgpu_job_free. Otherwise, because of double\nfree, a NULL pointer dereference will occur in such scenario.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2457"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:03.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cdce1644d85e858c68fb5fa67d78eb1035bf34f4"
},
{
"url": "https://git.kernel.org/stable/c/c1564d4b105ae535eb3183ecaaa987685b20a888"
},
{
"url": "https://git.kernel.org/stable/c/ec02a29c3c2ef8ad3e15a0e3f96b99a00e5d97b4"
},
{
"url": "https://git.kernel.org/stable/c/1253685f0d3eb3eab0bfc4bf15ab341a5f3da0c8"
}
],
"title": "drm/amdgpu: drop redundant sched job cleanup when cs is aborted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53228",
"datePublished": "2025-09-15T14:21:59.550Z",
"dateReserved": "2025-09-15T14:19:21.846Z",
"dateUpdated": "2026-03-25T10:19:03.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40242 (GCVE-0-2025-40242)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-04-11 12:45
Title
gfs2: Fix unlikely race in gdlm_put_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix unlikely race in gdlm_put_lock
In gdlm_put_lock(), there is a small window of time in which the
DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
To prevent it from dereferencing freed glock objects, only free the
glock if the lockspace has actually been released.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
d1340f80f0b8066321b499a376780da00560e857 , < 5fdc1474e678eea1700aa266c0b7c2c96f81dd0d
(git)
Affected: d1340f80f0b8066321b499a376780da00560e857 , < 4913592a3358f6ec366b8346b733d5e2360b08e1 (git) Affected: d1340f80f0b8066321b499a376780da00560e857 , < 279bde3bbb0ac0bad5c729dfa85983d75a5d7641 (git) Affected: d1340f80f0b8066321b499a376780da00560e857 , < 64c61b4ac645222fa7b724cef616c1f862a72a40 (git) Affected: d1340f80f0b8066321b499a376780da00560e857 , < 28c4d9bc0708956c1a736a9e49fee71b65deee81 (git) Affected: 6aa628c45875e7b8cca81ed9447a12a0e8f3504a (git) Affected: a97e75203733be0a4263a78fb7b29352be150c1c (git) Affected: 3554b46204e67333e1fb8be0e93936fb08267c80 (git) Affected: 5cff77b9827a956d076168b56775aad23bce87e4 (git) Affected: 8deedce385d220f90e435f534d71d27526273515 (git) Affected: 2225a5cd2fbc2ef0e0f78e585db3844f60416a39 (git) Affected: 02e838963fdaa6ce8570b5389aecdc6cf1fb40b0 (git) Affected: 01eb3106f43335fdc02111358dae80a5c3fd324d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5fdc1474e678eea1700aa266c0b7c2c96f81dd0d",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "4913592a3358f6ec366b8346b733d5e2360b08e1",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "279bde3bbb0ac0bad5c729dfa85983d75a5d7641",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "64c61b4ac645222fa7b724cef616c1f862a72a40",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "28c4d9bc0708956c1a736a9e49fee71b65deee81",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"status": "affected",
"version": "6aa628c45875e7b8cca81ed9447a12a0e8f3504a",
"versionType": "git"
},
{
"status": "affected",
"version": "a97e75203733be0a4263a78fb7b29352be150c1c",
"versionType": "git"
},
{
"status": "affected",
"version": "3554b46204e67333e1fb8be0e93936fb08267c80",
"versionType": "git"
},
{
"status": "affected",
"version": "5cff77b9827a956d076168b56775aad23bce87e4",
"versionType": "git"
},
{
"status": "affected",
"version": "8deedce385d220f90e435f534d71d27526273515",
"versionType": "git"
},
{
"status": "affected",
"version": "2225a5cd2fbc2ef0e0f78e585db3844f60416a39",
"versionType": "git"
},
{
"status": "affected",
"version": "02e838963fdaa6ce8570b5389aecdc6cf1fb40b0",
"versionType": "git"
},
{
"status": "affected",
"version": "01eb3106f43335fdc02111358dae80a5c3fd324d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix unlikely race in gdlm_put_lock\n\nIn gdlm_put_lock(), there is a small window of time in which the\nDFL_UNMOUNT flag has been set but the lockspace hasn\u0027t been released,\nyet. In that window, dlm may still call gdlm_ast() and gdlm_bast().\nTo prevent it from dereferencing freed glock objects, only free the\nglock if the lockspace has actually been released."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T12:45:40.664Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5fdc1474e678eea1700aa266c0b7c2c96f81dd0d"
},
{
"url": "https://git.kernel.org/stable/c/4913592a3358f6ec366b8346b733d5e2360b08e1"
},
{
"url": "https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641"
},
{
"url": "https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40"
},
{
"url": "https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81"
}
],
"title": "gfs2: Fix unlikely race in gdlm_put_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40242",
"datePublished": "2025-12-04T15:31:31.497Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-04-11T12:45:40.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31494 (GCVE-0-2026-31494)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
net: macb: use the current queue number for stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: use the current queue number for stats
There's a potential mismatch between the memory reserved for statistics
and the amount of memory written.
gem_get_sset_count() correctly computes the number of stats based on the
active queues, whereas gem_get_ethtool_stats() indiscriminately copies
data using the maximum number of queues, and in the case the number of
active queues is less than MACB_MAX_QUEUES, this results in an OOB write
as observed in the KASAN splat.
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78
[macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027
CPU: [...]
Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
print_report+0x384/0x5e0
kasan_report+0xa0/0xf0
kasan_check_range+0xe8/0x190
__asan_memcpy+0x54/0x98
gem_get_ethtool_stats+0x54/0x78 [macb
926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
dev_ethtool+0x1220/0x38c0
dev_ioctl+0x4ac/0xca8
sock_do_ioctl+0x170/0x1d8
sock_ioctl+0x484/0x5d8
__arm64_sys_ioctl+0x12c/0x1b8
invoke_syscall+0xd4/0x258
el0_svc_common.constprop.0+0xb4/0x240
do_el0_svc+0x48/0x68
el0_svc+0x40/0xf8
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1b0/0x1b8
The buggy address belongs to a 1-page vmalloc region starting at
0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Fix it by making sure the copied size only considers the active number of
queues.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux |
Affected:
512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 9738be665544281aa624842812c2fbfed6f88226
(git)
Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 240c5302eed83e34e98db18f6795ee5f40814024 (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 9596759a84e1dbf2670518d85e969208960041f9 (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 95246341945163ad9a250a87ca5bd1c1252777ae (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 9d74d10e4e26672e139a8bcf8bf95957bf2d160f (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 7ff87da099210856cbfe2f2f7f52ddfa57af4f0c (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < e182fe273cdf5a8931592228196ef514ffac392b (git) Affected: 512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd , < 72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9738be665544281aa624842812c2fbfed6f88226",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "240c5302eed83e34e98db18f6795ee5f40814024",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "9596759a84e1dbf2670518d85e969208960041f9",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "95246341945163ad9a250a87ca5bd1c1252777ae",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "9d74d10e4e26672e139a8bcf8bf95957bf2d160f",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "7ff87da099210856cbfe2f2f7f52ddfa57af4f0c",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "e182fe273cdf5a8931592228196ef514ffac392b",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
},
{
"lessThan": "72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5",
"status": "affected",
"version": "512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: use the current queue number for stats\n\nThere\u0027s a potential mismatch between the memory reserved for statistics\nand the amount of memory written.\n\ngem_get_sset_count() correctly computes the number of stats based on the\nactive queues, whereas gem_get_ethtool_stats() indiscriminately copies\ndata using the maximum number of queues, and in the case the number of\nactive queues is less than MACB_MAX_QUEUES, this results in a OOB write\nas observed in the KASAN splat.\n\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78\n [macb]\nWrite of size 760 at addr ffff80008080b000 by task ethtool/1027\n\nCPU: [...]\nTainted: [E]=UNSIGNED_MODULE\nHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025\nCall trace:\n show_stack+0x20/0x38 (C)\n dump_stack_lvl+0x80/0xf8\n print_report+0x384/0x5e0\n kasan_report+0xa0/0xf0\n kasan_check_range+0xe8/0x190\n __asan_memcpy+0x54/0x98\n gem_get_ethtool_stats+0x54/0x78 [macb\n 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]\n dev_ethtool+0x1220/0x38c0\n dev_ioctl+0x4ac/0xca8\n sock_do_ioctl+0x170/0x1d8\n sock_ioctl+0x484/0x5d8\n __arm64_sys_ioctl+0x12c/0x1b8\n invoke_syscall+0xd4/0x258\n el0_svc_common.constprop.0+0xb4/0x240\n do_el0_svc+0x48/0x68\n el0_svc+0x40/0xf8\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1b0/0x1b8\n\nThe buggy address belongs to a 1-page vmalloc region starting at\n 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff00000a333000 pfn:0xa333\nflags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)\nraw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\n\nFix it by making sure the copied size only considers the active number of\nqueues."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:38.961Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9738be665544281aa624842812c2fbfed6f88226"
},
{
"url": "https://git.kernel.org/stable/c/240c5302eed83e34e98db18f6795ee5f40814024"
},
{
"url": "https://git.kernel.org/stable/c/9596759a84e1dbf2670518d85e969208960041f9"
},
{
"url": "https://git.kernel.org/stable/c/95246341945163ad9a250a87ca5bd1c1252777ae"
},
{
"url": "https://git.kernel.org/stable/c/9d74d10e4e26672e139a8bcf8bf95957bf2d160f"
},
{
"url": "https://git.kernel.org/stable/c/7ff87da099210856cbfe2f2f7f52ddfa57af4f0c"
},
{
"url": "https://git.kernel.org/stable/c/e182fe273cdf5a8931592228196ef514ffac392b"
},
{
"url": "https://git.kernel.org/stable/c/72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5"
}
],
"title": "net: macb: use the current queue number for stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31494",
"datePublished": "2026-04-22T13:54:16.922Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-04-27T14:03:38.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31628 (GCVE-0-2026-31628)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 11:01
Title
x86/CPU: Fix FPDSS on Zen1
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU: Fix FPDSS on Zen1
Zen1's hardware divider can leave, under certain circumstances, partial
results from previous operations. Those results can be leaked by
another, attacker thread.
Fix that with a chicken bit.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | See the `affected` array in the CVE record below |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/msr-index.h",
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed7a3a246309ccc807238f1b4f159ee6d37ff9c4",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "0548529af20e68c6552817834b766646dd3bd7a7",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "1272cfedf4cd1019ddf583917a99b62f2d3645bb",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "91f02726b2203b71545713ecb7fb006e60a2d66f",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "b731aca06387b195058a9f6449a03b62efa1bd10",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "ad17f07e95e6e8505e2153e5b391f0d27eacce25",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "e6af5286efe5a56128b34032572c9ce9ebeccda3",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "546785c719418c6166834a47e372a88f5f7ae893",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "e55d98e7756135f32150b9b8f75d580d0d4b2dd3",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"status": "affected",
"version": "5abd1583e06b3963e5c9d915760367de86808b78",
"versionType": "git"
},
{
"status": "affected",
"version": "4ba461d426490b6ed7e8298c4d3b7a13aa5d2686",
"versionType": "git"
},
{
"status": "affected",
"version": "5a63725cd18fcee2af6ec46ccb856b64ad3077b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/msr-index.h",
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.144",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1\u0027s hardware divider can leave, under certain circumstances, partial\nresults from previous operations. Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T11:01:33.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed7a3a246309ccc807238f1b4f159ee6d37ff9c4"
},
{
"url": "https://git.kernel.org/stable/c/0548529af20e68c6552817834b766646dd3bd7a7"
},
{
"url": "https://git.kernel.org/stable/c/1272cfedf4cd1019ddf583917a99b62f2d3645bb"
},
{
"url": "https://git.kernel.org/stable/c/91f02726b2203b71545713ecb7fb006e60a2d66f"
},
{
"url": "https://git.kernel.org/stable/c/b731aca06387b195058a9f6449a03b62efa1bd10"
},
{
"url": "https://git.kernel.org/stable/c/ad17f07e95e6e8505e2153e5b391f0d27eacce25"
},
{
"url": "https://git.kernel.org/stable/c/e6af5286efe5a56128b34032572c9ce9ebeccda3"
},
{
"url": "https://git.kernel.org/stable/c/546785c719418c6166834a47e372a88f5f7ae893"
},
{
"url": "https://git.kernel.org/stable/c/e55d98e7756135f32150b9b8f75d580d0d4b2dd3"
}
],
"title": "x86/CPU: Fix FPDSS on Zen1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31628",
"datePublished": "2026-04-24T14:42:49.181Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T11:01:33.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31662 (GCVE-0-2026-31662)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
bc_ackers on every inbound group ACK, even when the same member has
already acknowledged the current broadcast round.
Because bc_ackers is a u16, a duplicate ACK received after the last
legitimate ACK wraps the counter to 65535. Once wrapped,
tipc_group_bc_cong() keeps reporting congestion and later group
broadcasts on the affected socket stay blocked until the group is
recreated.
Fix this by ignoring duplicate or stale ACKs before touching bc_acked or
bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and
prevents the underflow path.
Severity
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | See the `affected` array in the CVE record below |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7db57ccca21f5801609065473c89a38229ecb92",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "575faea557f1a184a5f09661bd47ebd3ef3769f8",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "3bcf7aca63f0bcd679ae28e9b99823c608e59ce3",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "a2ea1ef0167d7a84730638d05c20ccdc421b14b6",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "1b6f13f626665cac67ba5a012765427680518711",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "48a5fe38772b6f039522469ee6131a67838221a8",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:47.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92"
},
{
"url": "https://git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412"
},
{
"url": "https://git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3"
},
{
"url": "https://git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6"
},
{
"url": "https://git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711"
},
{
"url": "https://git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682"
},
{
"url": "https://git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8"
}
],
"title": "tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31662",
"datePublished": "2026-04-24T14:45:12.593Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:47.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23357 (GCVE-0-2026-23357)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
can: mcp251x: fix deadlock in error path of mcp251x_open
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: mcp251x: fix deadlock in error path of mcp251x_open
The mcp251x_open() function calls free_irq() in its error path with the
mpc_lock mutex held. But if an interrupt already occurred the
interrupt handler will be waiting for the mpc_lock and free_irq() will
deadlock waiting for the handler to finish.
This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can:
mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but
for the error path.
To solve this issue move the call to free_irq() after the lock is
released. Setting `priv->force_quit = 1` beforehand ensures that the IRQ
handler will exit right away once it has acquired the lock.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | See the `affected` array in the CVE record below |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/mcp251x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "739454057572cb0948658d1142f3fa2c6966465c",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "416c18ecddafab0ed09be1e7b9d2f448f3d4db16",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "256f0cff6e946c570392bda1d01a65e789a7afd0",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "b73832292cd914e87a55e863ba4413a907e7db6b",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "38063cc435b69d56e76f947c10d336fcb2953508",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "d27f12c3f5e85efc479896af4a69eccb37f75e8e",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "e728f444c913a91d290d1824b4770780bbd6378e",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
},
{
"lessThan": "ab3f894de216f4a62adc3b57e9191888cbf26885",
"status": "affected",
"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/spi/mcp251x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix deadlock in error path of mcp251x_open\n\nThe mcp251x_open() function call free_irq() in its error path with the\nmpc_lock mutex held. But if an interrupt already occurred the\ninterrupt handler will be waiting for the mpc_lock and free_irq() will\ndeadlock waiting for the handler to finish.\n\nThis issue is similar to the one fixed in commit 7dd9c26bd6cf (\"can:\nmcp251x: fix deadlock if an interrupt occurs during mcp251x_open\") but\nfor the error path.\n\nTo solve this issue move the call to free_irq() after the lock is\nreleased. Setting `priv-\u003eforce_quit = 1` beforehand ensure that the IRQ\nhandler will exit right away once it acquired the lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:09.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/739454057572cb0948658d1142f3fa2c6966465c"
},
{
"url": "https://git.kernel.org/stable/c/416c18ecddafab0ed09be1e7b9d2f448f3d4db16"
},
{
"url": "https://git.kernel.org/stable/c/256f0cff6e946c570392bda1d01a65e789a7afd0"
},
{
"url": "https://git.kernel.org/stable/c/b73832292cd914e87a55e863ba4413a907e7db6b"
},
{
"url": "https://git.kernel.org/stable/c/38063cc435b69d56e76f947c10d336fcb2953508"
},
{
"url": "https://git.kernel.org/stable/c/d27f12c3f5e85efc479896af4a69eccb37f75e8e"
},
{
"url": "https://git.kernel.org/stable/c/e728f444c913a91d290d1824b4770780bbd6378e"
},
{
"url": "https://git.kernel.org/stable/c/ab3f894de216f4a62adc3b57e9191888cbf26885"
}
],
"title": "can: mcp251x: fix deadlock in error path of mcp251x_open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23357",
"datePublished": "2026-03-25T10:27:41.299Z",
"dateReserved": "2026-01-13T15:37:46.000Z",
"dateUpdated": "2026-04-18T08:58:09.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23204 (GCVE-0-2026-23204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-04-03 13:32
Title
net/sched: cls_u32: use skb_header_pointer_careful()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cfa745830e45ecb75c061aa34330ee0cac941cc7 (git)<br>Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 (git)<br>Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < e41a23e61259f5526af875c3b86b3d42a9bae0e5 (git)<br>Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 8a672f177ebe19c93d795fbe967846084fbc7943 (git)<br>Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cabd1a976375780dabab888784e356f574bbaed8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfa745830e45ecb75c061aa34330ee0cac941cc7",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:32:30.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"
},
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
],
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23204",
"datePublished": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-04-03T13:32:30.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43037 (GCVE-0-2026-43037)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < ea9f65b27c8404e164848ebff1443310fd187629 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < d6621f60192fe10c047a4487be42a6f4c150707f (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < a0c4ce9900a108eaf55d0f3b399cb55999647d39 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 1063515ce15ff31065c4e7f8265f4c2fd3c54876 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 4a622658f384b03560834cbe8ffcfe69a278f7c8 (git)<br>Affected: c4d3efafcc933fd2ffd169d7dc4f980393a13796 , < 2edfa31769a4add828a7e604b21cb82aaaa05925 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea9f65b27c8404e164848ebff1443310fd187629",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "d6621f60192fe10c047a4487be42a6f4c150707f",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "a0c4ce9900a108eaf55d0f3b399cb55999647d39",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "1063515ce15ff31065c4e7f8265f4c2fd3c54876",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "4a622658f384b03560834cbe8ffcfe69a278f7c8",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
},
{
"lessThan": "2edfa31769a4add828a7e604b21cb82aaaa05925",
"status": "affected",
"version": "c4d3efafcc933fd2ffd169d7dc4f980393a13796",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt-\u003e__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2-\u003ecb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl \u003e= 5)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:16.322Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"
},
{
"url": "https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f"
},
{
"url": "https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"
},
{
"url": "https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39"
},
{
"url": "https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876"
},
{
"url": "https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"
},
{
"url": "https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8"
},
{
"url": "https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925"
}
],
"title": "ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43037",
"datePublished": "2026-05-01T14:15:35.314Z",
"dateReserved": "2026-05-01T14:12:55.978Z",
"dateUpdated": "2026-05-03T05:46:16.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23292 (GCVE-0-2026-23292)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-13 06:03
Title
scsi: target: Fix recursive locking in __configfs_open_file()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Fix recursive locking in __configfs_open_file()
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:
  down_read
  __configfs_open_file
  do_dentry_open
  vfs_open
  do_open
  path_openat
  do_filp_open
  file_open_name
  filp_open
  target_core_item_dbroot_store
  flush_write_buffer
  configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that the same configfs file was tried to be opened, on which it
is currently working on. Thus, it is trying to acquire frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < 3161ef61f121d4573cad5b57c92188dcd9b284b3 (git)<br>Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < e8ef82cb6443d5f3260b1b830e17f03dda4229ea (git)<br>Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < 4fcfa424a581d823cb1a9676e3eefe6ca17e453a (git)<br>Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < 9a5641024fbfd9b24fe65984ad85fea10a3ae438 (git)<br>Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < 142eacb50fb903a4c10dee7e67b6e79ebb36a582 (git)<br>Affected: b0841eefd9693827afb9888235e26ddd098f9cef , < 14d4ac19d1895397532eec407433c5d74d9da53b (git)<br>Affected: 49824b5c875087a52672b0c8e8ecbefe6f773532 (git)<br>Affected: 09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1 (git)<br>Affected: 0dfc45be875a378c2a3a4d6ed8e668ec8eb75073 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3161ef61f121d4573cad5b57c92188dcd9b284b3",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "e8ef82cb6443d5f3260b1b830e17f03dda4229ea",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "4fcfa424a581d823cb1a9676e3eefe6ca17e453a",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "9a5641024fbfd9b24fe65984ad85fea10a3ae438",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "142eacb50fb903a4c10dee7e67b6e79ebb36a582",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"lessThan": "14d4ac19d1895397532eec407433c5d74d9da53b",
"status": "affected",
"version": "b0841eefd9693827afb9888235e26ddd098f9cef",
"versionType": "git"
},
{
"status": "affected",
"version": "49824b5c875087a52672b0c8e8ecbefe6f773532",
"versionType": "git"
},
{
"status": "affected",
"version": "09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1",
"versionType": "git"
},
{
"status": "affected",
"version": "0dfc45be875a378c2a3a4d6ed8e668ec8eb75073",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.201",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.84",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix recursive locking in __configfs_open_file()\n\nIn flush_write_buffer, \u0026p-\u003efrag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store(). This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\n\n down_read\n __configfs_open_file\n do_dentry_open\n vfs_open\n do_open\n path_openat\n do_filp_open\n file_open_name\n filp_open\n target_core_item_dbroot_store\n flush_write_buffer\n configfs_write_iter\n\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\n\ndb_root: not a directory: /sys/kernel/config/target/dbroot\n\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\n\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:03:45.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3161ef61f121d4573cad5b57c92188dcd9b284b3"
},
{
"url": "https://git.kernel.org/stable/c/e8ef82cb6443d5f3260b1b830e17f03dda4229ea"
},
{
"url": "https://git.kernel.org/stable/c/4fcfa424a581d823cb1a9676e3eefe6ca17e453a"
},
{
"url": "https://git.kernel.org/stable/c/9a5641024fbfd9b24fe65984ad85fea10a3ae438"
},
{
"url": "https://git.kernel.org/stable/c/142eacb50fb903a4c10dee7e67b6e79ebb36a582"
},
{
"url": "https://git.kernel.org/stable/c/14d4ac19d1895397532eec407433c5d74d9da53b"
}
],
"title": "scsi: target: Fix recursive locking in __configfs_open_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23292",
"datePublished": "2026-03-25T10:26:50.408Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-13T06:03:45.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31405 (GCVE-0-2026-31405)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:33 – Updated: 2026-04-27 14:02
Title
media: dvb-net: fix OOB access in ULE extension header tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-net: fix OOB access in ULE extension header tables
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e51238718217c4abdb3ccc3b0c0cde265c7ec629 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b2bd2ee73b697c177157bba534e1b1064c2e66a0 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29ef43ceb121d67b87f4cbb08439e4e9e732eff8 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a6da3dbb9985d00743073a1cc1f96e59f5abc30 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 145e50c2c700fa52b840df7bab206043997dd18e (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2b65dcb78c8990e4c68a906627433be1fe38a92 (git)<br>Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 24d87712727a5017ad142d63940589a36cd25647 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e51238718217c4abdb3ccc3b0c0cde265c7ec629",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2bd2ee73b697c177157bba534e1b1064c2e66a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29ef43ceb121d67b87f4cbb08439e4e9e732eff8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a6da3dbb9985d00743073a1cc1f96e59f5abc30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "145e50c2c700fa52b840df7bab206043997dd18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2b65dcb78c8990e4c68a906627433be1fe38a92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24d87712727a5017ad142d63940589a36cd25647",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-net: fix OOB access in ULE extension header tables\n\nThe ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables\nin handle_one_ule_extension() are declared with 255 elements (valid\nindices 0-254), but the index htype is derived from network-controlled\ndata as (ule_sndu_type \u0026 0x00FF), giving a range of 0-255. When\nhtype equals 255, an out-of-bounds read occurs on the function pointer\ntable, and the OOB value may be called as a function pointer.\n\nAdd a bounds check on htype against the array size before either table\nis accessed. Out-of-range values now cause the SNDU to be discarded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:52.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e51238718217c4abdb3ccc3b0c0cde265c7ec629"
},
{
"url": "https://git.kernel.org/stable/c/b2bd2ee73b697c177157bba534e1b1064c2e66a0"
},
{
"url": "https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8"
},
{
"url": "https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30"
},
{
"url": "https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e"
},
{
"url": "https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe"
},
{
"url": "https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92"
},
{
"url": "https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647"
}
],
"title": "media: dvb-net: fix OOB access in ULE extension header tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31405",
"datePublished": "2026-04-06T07:33:00.544Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-04-27T14:02:52.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23458 (GCVE-0-2026-23458)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-27 14:02
Title
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()

ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
conntrack reference immediately after netlink_dump_start(). When the
dump spans multiple rounds, the second recvmsg() triggers the dump
callback which dereferences the now-freed conntrack via nfct_help(ct),
leading to a use-after-free on ct->ext.

The bug is that the netlink_dump_control has no .start or .done
callbacks to manage the conntrack reference across dump rounds. Other
dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
use .start/.done callbacks for this purpose.

Fix this by adding .start and .done callbacks that hold and release the
conntrack reference for the duration of the dump, and move the
nfct_help() call after the cb->args[0] early-return check in the dump
callback to avoid dereferencing ct->ext unnecessarily.

    BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
    Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133

    CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
    Call Trace:
    <TASK>
    ctnetlink_exp_ct_dump_table+0x4f/0x2e0
    netlink_dump+0x333/0x880
    netlink_recvmsg+0x3e2/0x4b0
    ? aa_sk_perm+0x184/0x450
    sock_recvmsg+0xde/0xf0

    Allocated by task 133:
    kmem_cache_alloc_noprof+0x134/0x440
    __nf_conntrack_alloc+0xa8/0x2b0
    ctnetlink_create_conntrack+0xa1/0x900
    ctnetlink_new_conntrack+0x3cf/0x7d0
    nfnetlink_rcv_msg+0x48e/0x510
    netlink_rcv_skb+0xc9/0x1f0
    nfnetlink_rcv+0xdb/0x220
    netlink_unicast+0x3ec/0x590
    netlink_sendmsg+0x397/0x690
    __sys_sendmsg+0xf4/0x180

    Freed by task 0:
    slab_free_after_rcu_debug+0xad/0x1e0
    rcu_core+0x5c3/0x9c0
Severity
7.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "bdf2724eefd4455a66863abb025bab8d3aa98c57",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f04cc86d59906513d2d62183b882966fc0ae0390",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "cd541f15b60e2257441398cf495d978f816d09f8",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "5cb81eeda909dbb2def209dd10636b51549a3f8a",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n \u003cTASK\u003e\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:36.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
},
{
"url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
},
{
"url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"
},
{
"url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"
},
{
"url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
},
{
"url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
},
{
"url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"
},
{
"url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"
}
],
"title": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23458",
"datePublished": "2026-04-03T15:15:39.041Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-04-27T14:02:36.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31509 (GCVE-0-2026-31509)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
nfc: nci: fix circular locking dependency in nci_close_device
Summary
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix circular locking dependency in nci_close_device

nci_close_device() flushes rx_wq and tx_wq while holding req_lock.
This causes a circular locking dependency because nci_rx_work()
running on rx_wq can end up taking req_lock too:

    nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete
      -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target
      -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)

Move the flush of rx_wq after req_lock has been released.
This should be safe (I think) because NCI_UP has already been cleared
and the transport is closed, so the work will see it and return
-ENETDOWN.

NIPA has been hitting this running the nci selftest with a debug
kernel on roughly 4% of the runs.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ed00a3edc8597fe2333f524401e2889aa1b5edf",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "5eef9ebec7f5738f12cadede3545c05b34bf5ac3",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "ca54e904a071aa65ef3ad46ba42d51aaac6b73b4",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "eb435d150ca74b4d40f77f1a2266f3636ed64a79",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "d89b74bf08f067b55c03d7f999ba0a0e73177eb3",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "09143c0e8f3b03517e6233aad42f45c794d8df8e",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "4527025d440ce84bf56e75ce1df2e84cb8178616",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -\u003e nci_rx_data_packet -\u003e nci_data_exchange_complete\n -\u003e __sk_destruct -\u003e rawsock_destruct -\u003e nfc_deactivate_target\n -\u003e nci_deactivate_target -\u003e nci_request -\u003e mutex_lock(\u0026ndev-\u003ereq_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:27.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"
},
{
"url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"
},
{
"url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"
},
{
"url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"
},
{
"url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"
},
{
"url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"
},
{
"url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"
},
{
"url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"
}
],
"title": "nfc: nci: fix circular locking dependency in nci_close_device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31509",
"datePublished": "2026-04-22T13:54:27.436Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-04-22T13:54:27.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31425 (GCVE-0-2026-31425)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-04-18 08:59
Title
rds: ib: reject FRMR registration before IB connection is established
Summary
In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data
and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a
fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with
i_cm_id = NULL because the connection worker has not yet called
rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with
RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses
the control message before any connection establishment, allowing
rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the
kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in
commit 9e630bcb7701), which does not catch this case since ic is allocated
early and is always non-NULL once the connection object exists.

    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
    RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
    Call Trace:
    rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
    rds_ib_map_frmr (net/rds/ib_frmr.c:252)
    rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
    rds_ib_get_mr (net/rds/ib_rdma.c:615)
    __rds_rdma_map (net/rds/rdma.c:295)
    rds_cmsg_rdma_map (net/rds/rdma.c:860)
    rds_sendmsg (net/rds/send.c:1363)
    ____sys_sendmsg
    do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all
non-NULL before proceeding with FRMR registration, mirroring the guard
already present in rds_ib_post_inv(). Return -ENODEV when the connection
is not ready, which the existing error handling in rds_cmsg_send() converts
to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to
start the connection worker.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rds/ib_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c506456ebf84c50ed9327473d4e9bd905def212b",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "82e4a3b56b23b844802056c9e75a39d24169b0a4",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "450ec93c0f172374acbf236f1f5f02d53650aa2d",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "6b0a8de67ac0c74e1a7df92b73c862cb36780dfc",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "a5bfd14c9a299e6db4add4440430ee5e010b03ad",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "23e07c340c445f0ebff7757ba15434cb447eb662",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "47de5b73db3b88f45c107393f26aeba26e9e8fae",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
},
{
"lessThan": "a54ecccfae62c5c85259ae5ea5d9c20009519049",
"status": "affected",
"version": "1659185fb4d0025835eb2058a141f0746c5cab00",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rds/ib_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn-\u003ec_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic-\u003ei_cm_id-\u003eqp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n rds_ib_get_mr (net/rds/ib_rdma.c:615)\n __rds_rdma_map (net/rds/rdma.c:295)\n rds_cmsg_rdma_map (net/rds/rdma.c:860)\n rds_sendmsg (net/rds/send.c:1363)\n ____sys_sendmsg\n do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:40.222Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b"
},
{
"url": "https://git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4"
},
{
"url": "https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d"
},
{
"url": "https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc"
},
{
"url": "https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"
},
{
"url": "https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662"
},
{
"url": "https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae"
},
{
"url": "https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049"
}
],
"title": "rds: ib: reject FRMR registration before IB connection is established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31425",
"datePublished": "2026-04-13T13:40:28.911Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-04-18T08:59:40.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31416 (GCVE-0-2026-31416)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:21 – Updated: 2026-04-18 08:59
Title
netfilter: nfnetlink_log: account for netlink header size
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: account for netlink header size

This is a followup to an old bug fix: NLMSG_DONE needs to account
for the netlink header size, not just the attribute size.

This can result in a WARN splat + drop of the netlink message,
but other than this there are no ill effects.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ec216410fac9de83c99177a160ebb8d42fad075",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "09883bf257f4243ed5a1fd35078ec6f0d0f3696a",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "761b45c661af48da6a065868d59ab1e1f64fd9b6",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "607245c4dbb86d9a10dd8388da0fb82170a99b61",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "6b419700e459fbf707ca1543b7c1b57a60fedb73",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "88a8f56e6276f616baad4274c6b8e4683e26e520",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "f08ffa3e1c8e36b6131f69c5eb23700c28cbd262",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"lessThan": "6d52a4a0520a6696bdde51caa11f2d6821cd0c01",
"status": "affected",
"version": "9dfa1dfe4d5e5e66a991321ab08afe69759d797a",
"versionType": "git"
},
{
"status": "affected",
"version": "3a758a2b78da2f49f7165678faf999e946a0c4b5",
"versionType": "git"
},
{
"status": "affected",
"version": "131172845aa2c804ffa9423455aee585061ea35e",
"versionType": "git"
},
{
"status": "affected",
"version": "b1fef6b81871a396f3b8702077333e769673c87b",
"versionType": "git"
},
{
"status": "affected",
"version": "add9183d993c12fb61ce0a674a424341d5be5b36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:29.494Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ec216410fac9de83c99177a160ebb8d42fad075"
},
{
"url": "https://git.kernel.org/stable/c/09883bf257f4243ed5a1fd35078ec6f0d0f3696a"
},
{
"url": "https://git.kernel.org/stable/c/761b45c661af48da6a065868d59ab1e1f64fd9b6"
},
{
"url": "https://git.kernel.org/stable/c/607245c4dbb86d9a10dd8388da0fb82170a99b61"
},
{
"url": "https://git.kernel.org/stable/c/6b419700e459fbf707ca1543b7c1b57a60fedb73"
},
{
"url": "https://git.kernel.org/stable/c/88a8f56e6276f616baad4274c6b8e4683e26e520"
},
{
"url": "https://git.kernel.org/stable/c/f08ffa3e1c8e36b6131f69c5eb23700c28cbd262"
},
{
"url": "https://git.kernel.org/stable/c/6d52a4a0520a6696bdde51caa11f2d6821cd0c01"
}
],
"title": "netfilter: nfnetlink_log: account for netlink header size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31416",
"datePublished": "2026-04-13T13:21:03.974Z",
"dateReserved": "2026-03-09T15:48:24.087Z",
"dateUpdated": "2026-04-18T08:59:29.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31651 (GCVE-0-2026-31651)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
mmc: vub300: fix NULL-deref on disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:

mmc: vub300: fix NULL-deref on disconnect

Make sure to deregister the controller before dropping the reference to
the driver data on disconnect to avoid NULL-pointer dereferences or
use-after-free.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/vub300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6446516e626ce7c44bdadbcbb3d7677a2c52ce93",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "ba3b9429de94958dc0060d9816a915dd75c34919",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "517b58e1d067115f80d198feee10192da4c424d0",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "53f2642d77ab5f1f303388bff5500363c6cf962c",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "c83a282615d8f7ba28cebddd54600b419d562d82",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "8d09e75759cb2afc0732acfb5a14a93c03805a61",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "dff34ef879c5e73298443956a8b391311ba78d57",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/vub300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:03.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93"
},
{
"url": "https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919"
},
{
"url": "https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0"
},
{
"url": "https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a"
},
{
"url": "https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c"
},
{
"url": "https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82"
},
{
"url": "https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61"
},
{
"url": "https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57"
}
],
"title": "mmc: vub300: fix NULL-deref on disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31651",
"datePublished": "2026-04-24T14:45:03.905Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-04-24T14:45:03.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43026 (GCVE-0-2026-43026)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent

ctnetlink_alloc_expect() allocates expectations from a non-zeroing
slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not
present in the netlink message, saved_addr and saved_proto are
never initialized. Stale data from a previous slab occupant can
then be dumped to userspace by ctnetlink_exp_dump_expect(), which
checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path,
explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded
by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when
NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations,
freeing them, creating a new expectation without CTA_EXPECT_NAT,
and observing that the ctnetlink dump emits a spurious
CTA_EXPECT_NAT containing stale data from the prior allocation.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5a89db6981a1ddf2314bf50cb49db5a3146185f",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "1c2ebdeff8d088a2e47ae25d7b38447249adace2",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "a64b7bf84b4d5ea54218c5d374ec87fff9000f43",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "2898080c054ea4d6ddfaaf21bbedbc229a9a8376",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "fd002ff2ea030cbfb0188a11b3c60ce7f84485f4",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "929f7a9a7aad9404a5867216c3f8738232355b38",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
},
{
"lessThan": "35177c6877134a21315f37d57a5577846225623e",
"status": "affected",
"version": "076a0ca02644657b13e4af363f487ced2942e9cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent\n\nctnetlink_alloc_expect() allocates expectations from a non-zeroing\nslab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not\npresent in the netlink message, saved_addr and saved_proto are\nnever initialized. Stale data from a previous slab occupant can\nthen be dumped to userspace by ctnetlink_exp_dump_expect(), which\nchecks these fields to decide whether to emit CTA_EXPECT_NAT.\n\nThe safe sibling nf_ct_expect_init(), used by the packet path,\nexplicitly zeroes these fields.\n\nZero saved_addr, saved_proto and dir in the else branch, guarded\nby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when\nNAT is enabled.\n\nConfirmed by priming the expect slab with NAT-bearing expectations,\nfreeing them, creating a new expectation without CTA_EXPECT_NAT,\nand observing that the ctnetlink dump emits a spurious\nCTA_EXPECT_NAT containing stale data from the prior allocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:27.854Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f"
},
{
"url": "https://git.kernel.org/stable/c/1c2ebdeff8d088a2e47ae25d7b38447249adace2"
},
{
"url": "https://git.kernel.org/stable/c/a64b7bf84b4d5ea54218c5d374ec87fff9000f43"
},
{
"url": "https://git.kernel.org/stable/c/2898080c054ea4d6ddfaaf21bbedbc229a9a8376"
},
{
"url": "https://git.kernel.org/stable/c/fd002ff2ea030cbfb0188a11b3c60ce7f84485f4"
},
{
"url": "https://git.kernel.org/stable/c/929f7a9a7aad9404a5867216c3f8738232355b38"
},
{
"url": "https://git.kernel.org/stable/c/bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36"
},
{
"url": "https://git.kernel.org/stable/c/35177c6877134a21315f37d57a5577846225623e"
}
],
"title": "netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43026",
"datePublished": "2026-05-01T14:15:27.854Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-01T14:15:27.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23290 (GCVE-0-2026-23290)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
net: usb: pegasus: validate USB endpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: usb: pegasus: validate USB endpoints

The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it. If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d9086211877361f1bda44a0aec538ddb04042a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "af7369ae572f53cb701731a4289ec3b3889bc501",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43d7c4114b1ec14f41f09306525d3b9382286fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "95556b4e879711693c9865ba0938c148f62d5ea4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c3f1672eaea68c5cb6e1ec081cdb92045453218f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11de1d3ae5565ed22ef1f89d73d8f2d00322c699",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/pegasus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: validate USB endpoints\n\nThe pegasus driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:40.813Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d9086211877361f1bda44a0aec538ddb04042a"
},
{
"url": "https://git.kernel.org/stable/c/af7369ae572f53cb701731a4289ec3b3889bc501"
},
{
"url": "https://git.kernel.org/stable/c/43d7c4114b1ec14f41f09306525d3b9382286fc1"
},
{
"url": "https://git.kernel.org/stable/c/7f8505c7ce3f186ef9d2495f3c0bd6ad6fce999f"
},
{
"url": "https://git.kernel.org/stable/c/95556b4e879711693c9865ba0938c148f62d5ea4"
},
{
"url": "https://git.kernel.org/stable/c/c3f1672eaea68c5cb6e1ec081cdb92045453218f"
},
{
"url": "https://git.kernel.org/stable/c/ee31ec8cf1eafeefa85ef934ba688d27f88bf0e2"
},
{
"url": "https://git.kernel.org/stable/c/11de1d3ae5565ed22ef1f89d73d8f2d00322c699"
}
],
"title": "net: usb: pegasus: validate USB endpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23290",
"datePublished": "2026-03-25T10:26:48.886Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:40.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31408 (GCVE-0-2026-31408)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:38 – Updated: 2026-04-27 14:02
Title
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
Summary
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.
Severity
8.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d57384e27d1ebf0047e3f00a6e1181b8be9857a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b0a7da0e3f7442545f071499beb36374714bb9de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "45aaca995e4a7a05b272a58e7ab2fff4f611b8f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "108b81514d8f2535eb16651495cefb2250528db3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e76e8f0581ef555eacc11dbb095e602fb30a5361",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "598dbba9919c5e36c54fe1709b557d64120cb94b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\nsco_recv_frame() reads conn-\u003esk under sco_conn_lock() but immediately\nreleases the lock without holding a reference to the socket. A concurrent\nclose() can free the socket between the lock release and the subsequent\nsk-\u003esk_state access, resulting in a use-after-free.\n\nOther functions in the same file (sco_sock_timeout(), sco_conn_del())\ncorrectly use sco_sock_hold() to safely hold a reference under the lock.\n\nFix by using sco_sock_hold() to take a reference before releasing the\nlock, and adding sock_put() on all exit paths."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:02:55.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d57384e27d1ebf0047e3f00a6e1181b8be9857a2"
},
{
"url": "https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de"
},
{
"url": "https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1"
},
{
"url": "https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3"
},
{
"url": "https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e"
},
{
"url": "https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361"
},
{
"url": "https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b"
}
],
"title": "Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31408",
"datePublished": "2026-04-06T07:38:20.533Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-04-27T14:02:55.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43027 (GCVE-0-2026-43027)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
netfilter: nf_conntrack_helper: pass helper to expect cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_helper: pass helper to expect cleanup

nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.

After unregister returns, nfnl_cthelper_del() frees the helper
object immediately. Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp->helper,
causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.

  BUG: KASAN: slab-use-after-free in string+0x38f/0x430
  Read of size 1 at addr ffff888003b14d20 by task poc/103
  Call Trace:
    string+0x38f/0x430
    vsnprintf+0x3cc/0x1170
    seq_printf+0x17a/0x240
    exp_seq_show+0x2e5/0x560
    seq_read_iter+0x419/0x1280
    proc_reg_read+0x1ac/0x270
    vfs_read+0x179/0x930
    ksys_read+0xef/0x1c0
  Freed by task 103:
  The buggy address is located 32 bytes inside of
  freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5cf28d5c8dcbbe8af6d3b145babe491906d7bad1",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "504ba4168466c91210c45acdc332479cfd5f2da6",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "dc1739eff48e34cc71d4e2f03715493fbcebd8af",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "2cf2737c85a2ba2b52024dafe68ffad2676f97be",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "2c16e4d64dd91227742dfe196a3e7b0568bef65a",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "620f3d14c1ef51d425060a3056ad8dbae8f998a3",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "90bd7e8501349db3006d21fbc09df9ffcb172965",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
},
{
"lessThan": "a242a9ae58aa46ff7dae51ce64150a93957abe65",
"status": "affected",
"version": "ac7b848390036dadd4351899d2a23748075916bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately. Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp-\u003ehelper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n Read of size 1 at addr ffff888003b14d20 by task poc/103\n Call Trace:\n string+0x38f/0x430\n vsnprintf+0x3cc/0x1170\n seq_printf+0x17a/0x240\n exp_seq_show+0x2e5/0x560\n seq_read_iter+0x419/0x1280\n proc_reg_read+0x1ac/0x270\n vfs_read+0x179/0x930\n ksys_read+0xef/0x1c0\n Freed by task 103:\n The buggy address is located 32 bytes inside of\n freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:28.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1"
},
{
"url": "https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6"
},
{
"url": "https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af"
},
{
"url": "https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be"
},
{
"url": "https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a"
},
{
"url": "https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3"
},
{
"url": "https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965"
},
{
"url": "https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65"
}
],
"title": "netfilter: nf_conntrack_helper: pass helper to expect cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43027",
"datePublished": "2026-05-01T14:15:28.521Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-05-01T14:15:28.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31669 (GCVE-0-2026-31669)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
mptcp: fix slab-use-after-free in __inet_lookup_established
Summary
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix slab-use-after-free in __inet_lookup_established

The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().

However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.

This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.

Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "fb1f54b7d16f393b8b65d328410f78b4beea8fcc",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "3fd6547f5b8ac99687be6d937a0321efda760597",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "eb9c6aeb512f877cf397deb1e4526f646c70e4a7",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "15fa9ead4d5e6b6b9c794e84144146c917f2cb62",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "b313e9037d98c13938740e5ebda7852929366dff",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "9b55b253907e7431210483519c5ad711a37dafa1",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP\u0027s mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(\u0026tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:53.478Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"
},
{
"url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"
},
{
"url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"
},
{
"url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"
},
{
"url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"
},
{
"url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"
},
{
"url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"
}
],
"title": "mptcp: fix slab-use-after-free in __inet_lookup_established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31669",
"datePublished": "2026-04-24T14:45:17.295Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:53.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31570 (GCVE-0-2026-31570)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:35 – Updated: 2026-04-27 14:04
Title
can: gw: fix OOB heap access in cgw_csum_crc8_rel()
Summary
In the Linux kernel, the following vulnerability has been resolved:

can: gw: fix OOB heap access in cgw_csum_crc8_rel()

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

    int from = calc_idx(crc8->from_idx, cf->len);
    int to = calc_idx(crc8->to_idx, cf->len);
    int res = calc_idx(crc8->result_idx, cf->len);

    if (from < 0 || to < 0 || res < 0)
        return;

However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:

    for (i = crc8->from_idx; ...) /* BUG: raw negative index */
    cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
start of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
correctly throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2:

    BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
    Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
Severity
8.8 (High)
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/gw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7c99348b0612b2bc02d5ce6ff9873261cc7605f",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "999ca48d55a8a46da21519db7e834e5867200379",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "a025283d7f7404c739225e457fb99db2368bb544",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "54ecdf76a55e75c1f5085e440f8ab671a3283ef5",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "84f8b76d24273175a22713e83e90874e1880d801",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "66b689efd08227da2c5ca49b58b30a95d23c695a",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
},
{
"lessThan": "b9c310d72783cc2f30d103eed83920a5a29c671a",
"status": "affected",
"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/gw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n int from = calc_idx(crc8-\u003efrom_idx, cf-\u003elen);\n int to = calc_idx(crc8-\u003eto_idx, cf-\u003elen);\n int res = calc_idx(crc8-\u003eresult_idx, cf-\u003elen);\n\n if (from \u003c 0 || to \u003c 0 || res \u003c 0)\n return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n for (i = crc8-\u003efrom_idx; ...) /* BUG: raw negative index */\n cf-\u003edata[crc8-\u003eresult_idx] = ...; /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf-\u003edata[-64], and the write goes to cf-\u003edata[-64].\nThis write might end up to 56 (7.0-rc) or 40 (\u003c= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:09.044Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f"
},
{
"url": "https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379"
},
{
"url": "https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544"
},
{
"url": "https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5"
},
{
"url": "https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a"
},
{
"url": "https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801"
},
{
"url": "https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a"
},
{
"url": "https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a"
}
],
"title": "can: gw: fix OOB heap access in cgw_csum_crc8_rel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31570",
"datePublished": "2026-04-24T14:35:49.435Z",
"dateReserved": "2026-03-09T15:48:24.117Z",
"dateUpdated": "2026-04-27T14:04:09.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23362 (GCVE-0-2026-23362)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
can: bcm: fix locking for bcm_op runtime updates
Summary
In the Linux kernel, the following vulnerability has been resolved:

can: bcm: fix locking for bcm_op runtime updates

Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")
added a locking for some variables that can be modified at runtime when
updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().

Usually the RX_SETUP only handles and filters incoming traffic with one
exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is
sent when a specific RTR frame is received. Therefore the rx bcm_op uses
bcm_can_tx() which uses the bcm_tx_lock that was only initialized in
bcm_tx_setup(). Add the missing spin_lock_init() when allocating the
bcm_op in bcm_rx_setup() to handle the RTR case properly.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/bcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0904037e713f787d1376e1d349c3bdf6c3105881",
"status": "affected",
"version": "7595de7bc56e0e52b74e56c90f7e247bf626d628",
"versionType": "git"
},
{
"lessThan": "c85b96eaf766d8f066b1139a17a51efa2f6627ef",
"status": "affected",
"version": "fbd8fdc2b218e979cfe422b139b8f74c12419d1f",
"versionType": "git"
},
{
"lessThan": "800f26f11ae37b17f58e0001f28a47dd75c26557",
"status": "affected",
"version": "2a437b86ac5a9893c902f30ef66815bf13587bf6",
"versionType": "git"
},
{
"lessThan": "70e951afad4c025261fe3c952d2b07237e320a01",
"status": "affected",
"version": "76c84c3728178b2d38d5604e399dfe8b0752645e",
"versionType": "git"
},
{
"lessThan": "8bcf2d847adb82b2c617456f6da17ac5e6c75285",
"status": "affected",
"version": "cc55dd28c20a6611e30596019b3b2f636819a4c0",
"versionType": "git"
},
{
"lessThan": "8215ba7bc99e84e66fd6938874ec4330a9d96518",
"status": "affected",
"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7",
"versionType": "git"
},
{
"lessThan": "f0c349b2c21b220af5ba19f29b885e222958d796",
"status": "affected",
"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7",
"versionType": "git"
},
{
"lessThan": "c35636e91e392e1540949bbc67932167cb48bc3a",
"status": "affected",
"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7",
"versionType": "git"
},
{
"status": "affected",
"version": "8f1c022541bf5a923c8d6fa483112c15250f30a4",
"versionType": "git"
},
{
"status": "affected",
"version": "c4e8a172501e677ebd8ea9d9161d97dc4df56fbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/bcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.238",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.12.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.294",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: fix locking for bcm_op runtime updates\n\nCommit c2aba69d0c36 (\"can: bcm: add locking for bcm_op runtime updates\")\nadded a locking for some variables that can be modified at runtime when\nupdating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().\n\nUsually the RX_SETUP only handles and filters incoming traffic with one\nexception: When the RX_RTR_FRAME flag is set a predefined CAN frame is\nsent when a specific RTR frame is received. Therefore the rx bcm_op uses\nbcm_can_tx() which uses the bcm_tx_lock that was only initialized in\nbcm_tx_setup(). Add the missing spin_lock_init() when allocating the\nbcm_op in bcm_rx_setup() to handle the RTR case properly."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:12.167Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0904037e713f787d1376e1d349c3bdf6c3105881"
},
{
"url": "https://git.kernel.org/stable/c/c85b96eaf766d8f066b1139a17a51efa2f6627ef"
},
{
"url": "https://git.kernel.org/stable/c/800f26f11ae37b17f58e0001f28a47dd75c26557"
},
{
"url": "https://git.kernel.org/stable/c/70e951afad4c025261fe3c952d2b07237e320a01"
},
{
"url": "https://git.kernel.org/stable/c/8bcf2d847adb82b2c617456f6da17ac5e6c75285"
},
{
"url": "https://git.kernel.org/stable/c/8215ba7bc99e84e66fd6938874ec4330a9d96518"
},
{
"url": "https://git.kernel.org/stable/c/f0c349b2c21b220af5ba19f29b885e222958d796"
},
{
"url": "https://git.kernel.org/stable/c/c35636e91e392e1540949bbc67932167cb48bc3a"
}
],
"title": "can: bcm: fix locking for bcm_op runtime updates",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23362",
"datePublished": "2026-03-25T10:27:45.476Z",
"dateReserved": "2026-01-13T15:37:46.002Z",
"dateUpdated": "2026-04-18T08:58:12.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31695 (GCVE-0-2026-31695)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:53 – Updated: 2026-05-03 05:45
Title
wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for
the virt_wifi net devices. However, unregistering a virt_wifi device in
netdev_run_todo() can happen together with the device referenced by
SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed
on a virt_wifi device that is currently being unregistered. Such a net
device can have the `dev.parent` field pointing to the freed memory,
but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

==================================================================
BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
Read of size 2 at addr ffff88810cfc46f8 by task pm/606
Call Trace:
<TASK>
dump_stack_lvl+0x4d/0x70
print_report+0x170/0x4f3
? __pfx__raw_spin_lock_irqsave+0x10/0x10
kasan_report+0xda/0x110
? __pm_runtime_resume+0xe2/0xf0
? __pm_runtime_resume+0xe2/0xf0
__pm_runtime_resume+0xe2/0xf0
ethnl_ops_begin+0x49/0x270
ethnl_set_features+0x23c/0xab0
? __pfx_ethnl_set_features+0x10/0x10
? kvm_sched_clock_read+0x11/0x20
? local_clock_noinstr+0xf/0xf0
? local_clock+0x10/0x30
? kasan_save_track+0x25/0x60
? __kasan_kmalloc+0x7f/0x90
? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
genl_family_rcv_msg_doit+0x1e7/0x2c0
? __pfx_genl_family_rcv_msg_doit+0x10/0x10
? __pfx_cred_has_capability.isra.0+0x10/0x10
? stack_trace_save+0x8e/0xc0
genl_rcv_msg+0x411/0x660
? __pfx_genl_rcv_msg+0x10/0x10
? __pfx_ethnl_set_features+0x10/0x10
netlink_rcv_skb+0x121/0x380
? __pfx_genl_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? __pfx_down_read+0x10/0x10
genl_rcv+0x23/0x30
netlink_unicast+0x60f/0x830
? __pfx_netlink_unicast+0x10/0x10
? __pfx___alloc_skb+0x10/0x10
netlink_sendmsg+0x6ea/0xbc0
? __pfx_netlink_sendmsg+0x10/0x10
? __futex_queue+0x10b/0x1f0
____sys_sendmsg+0x7a2/0x950
? copy_msghdr_from_user+0x26b/0x430
? __pfx_____sys_sendmsg+0x10/0x10
? __pfx_copy_msghdr_from_user+0x10/0x10
___sys_sendmsg+0xf8/0x180
? __pfx____sys_sendmsg+0x10/0x10
? __pfx_futex_wait+0x10/0x10
? fdget+0x2e4/0x4a0
__sys_sendmsg+0x11f/0x1c0
? __pfx___sys_sendmsg+0x10/0x10
do_syscall_64+0xe2/0x570
? exc_page_fault+0x66/0xb0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
This fix may be combined with another one in the ethtool subsystem:
https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u
Severity
7.8 (High)
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/virt_wifi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e90f3e74e1ebc26c461a74be490d322716bcdcb4",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "dcb5915696bd7b32b6404a897c24ee47cb23e772",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "d1e3aa80e6e04410ba89eaaba4441a0d749d181d",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "c5fa98842783ed227365d1303785de6a67020c8d",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "5bbadf60b121065ffb267ec92018607b9c1c7524",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "5adc01506da94dfaab76f3d1b8410a8ca7bfc59d",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
},
{
"lessThan": "789b06f9f39cdc7e895bdab2c034e39c41c8f8d6",
"status": "affected",
"version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/virt_wifi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, \u0026priv-\u003elowerdev-\u003edev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev-\u003edev.parent)`.\n\nLet\u0027s remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4d/0x70\n print_report+0x170/0x4f3\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n kasan_report+0xda/0x110\n ? __pm_runtime_resume+0xe2/0xf0\n ? __pm_runtime_resume+0xe2/0xf0\n __pm_runtime_resume+0xe2/0xf0\n ethnl_ops_begin+0x49/0x270\n ethnl_set_features+0x23c/0xab0\n ? __pfx_ethnl_set_features+0x10/0x10\n ? kvm_sched_clock_read+0x11/0x20\n ? local_clock_noinstr+0xf/0xf0\n ? local_clock+0x10/0x30\n ? kasan_save_track+0x25/0x60\n ? __kasan_kmalloc+0x7f/0x90\n ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n genl_family_rcv_msg_doit+0x1e7/0x2c0\n ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n ? __pfx_cred_has_capability.isra.0+0x10/0x10\n ? stack_trace_save+0x8e/0xc0\n genl_rcv_msg+0x411/0x660\n ? __pfx_genl_rcv_msg+0x10/0x10\n ? __pfx_ethnl_set_features+0x10/0x10\n netlink_rcv_skb+0x121/0x380\n ? __pfx_genl_rcv_msg+0x10/0x10\n ? __pfx_netlink_rcv_skb+0x10/0x10\n ? __pfx_down_read+0x10/0x10\n genl_rcv+0x23/0x30\n netlink_unicast+0x60f/0x830\n ? 
__pfx_netlink_unicast+0x10/0x10\n ? __pfx___alloc_skb+0x10/0x10\n netlink_sendmsg+0x6ea/0xbc0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? __futex_queue+0x10b/0x1f0\n ____sys_sendmsg+0x7a2/0x950\n ? copy_msghdr_from_user+0x26b/0x430\n ? __pfx_____sys_sendmsg+0x10/0x10\n ? __pfx_copy_msghdr_from_user+0x10/0x10\n ___sys_sendmsg+0xf8/0x180\n ? __pfx____sys_sendmsg+0x10/0x10\n ? __pfx_futex_wait+0x10/0x10\n ? fdget+0x2e4/0x4a0\n __sys_sendmsg+0x11f/0x1c0\n ? __pfx___sys_sendmsg+0x10/0x10\n do_syscall_64+0xe2/0x570\n ? exc_page_fault+0x66/0xb0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:20.976Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e90f3e74e1ebc26c461a74be490d322716bcdcb4"
},
{
"url": "https://git.kernel.org/stable/c/dcb5915696bd7b32b6404a897c24ee47cb23e772"
},
{
"url": "https://git.kernel.org/stable/c/d1e3aa80e6e04410ba89eaaba4441a0d749d181d"
},
{
"url": "https://git.kernel.org/stable/c/c5fa98842783ed227365d1303785de6a67020c8d"
},
{
"url": "https://git.kernel.org/stable/c/5bbadf60b121065ffb267ec92018607b9c1c7524"
},
{
"url": "https://git.kernel.org/stable/c/5adc01506da94dfaab76f3d1b8410a8ca7bfc59d"
},
{
"url": "https://git.kernel.org/stable/c/789b06f9f39cdc7e895bdab2c034e39c41c8f8d6"
}
],
"title": "wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31695",
"datePublished": "2026-05-01T13:53:36.857Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-03T05:45:20.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31728 (GCVE-0-2026-31728)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
Title
usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

A race condition between gether_disconnect() and eth_stop() leads to a
NULL pointer dereference. Specifically, if eth_stop() is triggered
concurrently while gether_disconnect() is tearing down the endpoints,
eth_stop() attempts to access the cleared endpoint descriptor, causing
the following NPE:

  Unable to handle kernel NULL pointer dereference
  Call trace:
  __dwc3_gadget_ep_enable+0x60/0x788
  dwc3_gadget_ep_enable+0x70/0xe4
  usb_ep_enable+0x60/0x15c
  eth_stop+0xb8/0x108

Because eth_stop() crashes while holding the dev->lock, the thread
running gether_disconnect() fails to acquire the same lock and spins
forever, resulting in a hardlockup:

  Core - Debugging Information for Hardlockup core(7)
  Call trace:
  queued_spin_lock_slowpath+0x94/0x488
  _raw_spin_lock+0x64/0x6c
  gether_disconnect+0x19c/0x1e8
  ncm_set_alt+0x68/0x1a0
  composite_setup+0x6a0/0xc50

The root cause is that the clearing of dev->port_usb in
gether_disconnect() is delayed until the end of the function.

Move the clearing of dev->port_usb to the very beginning of
gether_disconnect() while holding dev->lock. This cuts off the link
immediately, ensuring eth_stop() will see dev->port_usb as NULL and
safely bail out.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_ether.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f02980594deef751e42133714aee25228f1494c6",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "e1e7a66584bf0aff3becb73c19fa31527889fc9e",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "a259ba0bce3b192c04334499690372a250f7d0b1",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "bbb09bb89ffa571475f66daca9482b974cd29d6a",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "6ad77458637b78ec655e3da5f112c862e6690a9d",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
},
{
"lessThan": "e1eabb072c75681f78312c484ccfffb7430f206e",
"status": "affected",
"version": "2b3d942c4878084a37991a65e66512c02b8fa2ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/u_ether.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix race between gether_disconnect and eth_stop\n\nA race condition between gether_disconnect() and eth_stop() leads to a\nNULL pointer dereference. Specifically, if eth_stop() is triggered\nconcurrently while gether_disconnect() is tearing down the endpoints,\neth_stop() attempts to access the cleared endpoint descriptor, causing\nthe following NPE:\n\n Unable to handle kernel NULL pointer dereference\n Call trace:\n __dwc3_gadget_ep_enable+0x60/0x788\n dwc3_gadget_ep_enable+0x70/0xe4\n usb_ep_enable+0x60/0x15c\n eth_stop+0xb8/0x108\n\nBecause eth_stop() crashes while holding the dev-\u003elock, the thread\nrunning gether_disconnect() fails to acquire the same lock and spins\nforever, resulting in a hardlockup:\n\n Core - Debugging Information for Hardlockup core(7)\n Call trace:\n queued_spin_lock_slowpath+0x94/0x488\n _raw_spin_lock+0x64/0x6c\n gether_disconnect+0x19c/0x1e8\n ncm_set_alt+0x68/0x1a0\n composite_setup+0x6a0/0xc50\n\nThe root cause is that the clearing of dev-\u003eport_usb in\ngether_disconnect() is delayed until the end of the function.\n\nMove the clearing of dev-\u003eport_usb to the very beginning of\ngether_disconnect() while holding dev-\u003elock. This cuts off the link\nimmediately, ensuring eth_stop() will see dev-\u003eport_usb as NULL and\nsafely bail out."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:28.231Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f02980594deef751e42133714aee25228f1494c6"
},
{
"url": "https://git.kernel.org/stable/c/e1e7a66584bf0aff3becb73c19fa31527889fc9e"
},
{
"url": "https://git.kernel.org/stable/c/a259ba0bce3b192c04334499690372a250f7d0b1"
},
{
"url": "https://git.kernel.org/stable/c/f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca"
},
{
"url": "https://git.kernel.org/stable/c/bbb09bb89ffa571475f66daca9482b974cd29d6a"
},
{
"url": "https://git.kernel.org/stable/c/6ad77458637b78ec655e3da5f112c862e6690a9d"
},
{
"url": "https://git.kernel.org/stable/c/8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8"
},
{
"url": "https://git.kernel.org/stable/c/e1eabb072c75681f78312c484ccfffb7430f206e"
}
],
"title": "usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31728",
"datePublished": "2026-05-01T14:14:28.231Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-05-01T14:14:28.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31492 (GCVE-0-2026-31492)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
RDMA/irdma: Initialize free_qp completion before using it
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Initialize free_qp completion before using it

In irdma_create_qp, if ib_copy_to_udata fails, it will call
irdma_destroy_qp to clean up which will attempt to wait on
the free_qp completion, which is not initialized yet. Fix this
by initializing the completion before the ib_copy_to_udata call.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < ac1da7bd224d406b6f1b84414f0f652ab43b6bd8 (git) |
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < af310407f79d5816fc0ab3638e1588b6193316dd (git) |
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < cd1534c8f4984432382c240f6784408497f5bb0a (git) |
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < 3cb88c12461b71c7d9c604aa2e6a9a477ecfa147 (git) |
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < f72996834f7bdefc2b95e3eec30447ee195df44e (git) |
| Linux | Linux | Affected: b48c24c2d710cf34810c555dcef883a3d35a9c08, < 11a95521fb93c91e2d4ef9d53dc80ef0a755549b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac1da7bd224d406b6f1b84414f0f652ab43b6bd8",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "af310407f79d5816fc0ab3638e1588b6193316dd",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "cd1534c8f4984432382c240f6784408497f5bb0a",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "3cb88c12461b71c7d9c604aa2e6a9a477ecfa147",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "f72996834f7bdefc2b95e3eec30447ee195df44e",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
},
{
"lessThan": "11a95521fb93c91e2d4ef9d53dc80ef0a755549b",
"status": "affected",
"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Initialize free_qp completion before using it\n\nIn irdma_create_qp, if ib_copy_to_udata fails, it will call\nirdma_destroy_qp to clean up which will attempt to wait on\nthe free_qp completion, which is not initialized yet. Fix this\nby initializing the completion before the ib_copy_to_udata call."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:15.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac1da7bd224d406b6f1b84414f0f652ab43b6bd8"
},
{
"url": "https://git.kernel.org/stable/c/af310407f79d5816fc0ab3638e1588b6193316dd"
},
{
"url": "https://git.kernel.org/stable/c/cd1534c8f4984432382c240f6784408497f5bb0a"
},
{
"url": "https://git.kernel.org/stable/c/3cb88c12461b71c7d9c604aa2e6a9a477ecfa147"
},
{
"url": "https://git.kernel.org/stable/c/f72996834f7bdefc2b95e3eec30447ee195df44e"
},
{
"url": "https://git.kernel.org/stable/c/11a95521fb93c91e2d4ef9d53dc80ef0a755549b"
}
],
"title": "RDMA/irdma: Initialize free_qp completion before using it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31492",
"datePublished": "2026-04-22T13:54:15.581Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-04-22T13:54:15.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31679 (GCVE-0-2026-31679)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:04
Title
openvswitch: validate MPLS set/set_masked payload length
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: validate MPLS set/set_masked payload length
validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for
SET/SET_MASKED actions. In action handling, OVS expects fixed-size
MPLS key data (struct ovs_key_mpls).
Use the already normalized key_len (masked case included) and reject
non-matching MPLS action key sizes.
Reject invalid MPLS action payload lengths early.
Severity ?
7.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 68f32ef0683c8d1c05cd2e4f16818fa63ff59c6f (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 4cae986225f8b8679ad86b924918e7d75a96aa61 (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 8ed7b9930cbc3bc71f868fa79a68700ac88d586a (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < c1f97152df8dfb17e855ddf0fc409b7bd13e9700 (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 98de18d327ef8cbbb704980e359e4872d8c28997 (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < bd50c7484c3bb34097571c1334174fb8b7408036 (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 2ca33b88a79ca42f017ae0f7011280325655438e (git) |
| Linux | Linux | Affected: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3, < 546b68ac893595877ffbd7751e5c55fd1c43ede6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68f32ef0683c8d1c05cd2e4f16818fa63ff59c6f",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "4cae986225f8b8679ad86b924918e7d75a96aa61",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "8ed7b9930cbc3bc71f868fa79a68700ac88d586a",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "c1f97152df8dfb17e855ddf0fc409b7bd13e9700",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "98de18d327ef8cbbb704980e359e4872d8c28997",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "bd50c7484c3bb34097571c1334174fb8b7408036",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "2ca33b88a79ca42f017ae0f7011280325655438e",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
},
{
"lessThan": "546b68ac893595877ffbd7751e5c55fd1c43ede6",
"status": "affected",
"version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: validate MPLS set/set_masked payload length\n\nvalidate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for\nSET/SET_MASKED actions. In action handling, OVS expects fixed-size\nMPLS key data (struct ovs_key_mpls).\n\nUse the already normalized key_len (masked case included) and reject\nnon-matching MPLS action key sizes.\n\nReject invalid MPLS action payload lengths early."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:59.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68f32ef0683c8d1c05cd2e4f16818fa63ff59c6f"
},
{
"url": "https://git.kernel.org/stable/c/4cae986225f8b8679ad86b924918e7d75a96aa61"
},
{
"url": "https://git.kernel.org/stable/c/8ed7b9930cbc3bc71f868fa79a68700ac88d586a"
},
{
"url": "https://git.kernel.org/stable/c/c1f97152df8dfb17e855ddf0fc409b7bd13e9700"
},
{
"url": "https://git.kernel.org/stable/c/98de18d327ef8cbbb704980e359e4872d8c28997"
},
{
"url": "https://git.kernel.org/stable/c/bd50c7484c3bb34097571c1334174fb8b7408036"
},
{
"url": "https://git.kernel.org/stable/c/2ca33b88a79ca42f017ae0f7011280325655438e"
},
{
"url": "https://git.kernel.org/stable/c/546b68ac893595877ffbd7751e5c55fd1c43ede6"
}
],
"title": "openvswitch: validate MPLS set/set_masked payload length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31679",
"datePublished": "2026-04-25T08:46:55.584Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:59.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31496 (GCVE-0-2026-31496)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
Title
netfilter: nf_conntrack_expect: skip expectations in other netns via proc
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_expect: skip expectations in other netns via proc
Skip expectations that do not reside in this netns.
Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's
conntrack entries via proc").
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < 2028405ea6987b4448784e439413202cfe19f43f (git) |
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < 168145c87444619e3e649322bbe7719ecd00d411 (git) |
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < dcfcd95b3ae7683e8ae55c92284b3430ce614bc7 (git) |
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < 9ca8c7452493d915f9bbf2f39331e6c583d07a23 (git) |
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < 3265ad619987cb551edaf797ed056d80ac450225 (git) |
| Linux | Linux | Affected: 9b03f38d0487f3908696242286d934c9b38f9d2a, < 3db5647984de03d9cae0dcddb509b058351f0ee4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2028405ea6987b4448784e439413202cfe19f43f",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "168145c87444619e3e649322bbe7719ecd00d411",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "dcfcd95b3ae7683e8ae55c92284b3430ce614bc7",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "9ca8c7452493d915f9bbf2f39331e6c583d07a23",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "3265ad619987cb551edaf797ed056d80ac450225",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
},
{
"lessThan": "3db5647984de03d9cae0dcddb509b058351f0ee4",
"status": "affected",
"version": "9b03f38d0487f3908696242286d934c9b38f9d2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_expect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: skip expectations in other netns via proc\n\nSkip expectations that do not reside in this netns.\n\nSimilar to e77e6ff502ea (\"netfilter: conntrack: do not dump other netns\u0027s\nconntrack entries via proc\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:54:18.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2028405ea6987b4448784e439413202cfe19f43f"
},
{
"url": "https://git.kernel.org/stable/c/168145c87444619e3e649322bbe7719ecd00d411"
},
{
"url": "https://git.kernel.org/stable/c/dcfcd95b3ae7683e8ae55c92284b3430ce614bc7"
},
{
"url": "https://git.kernel.org/stable/c/9ca8c7452493d915f9bbf2f39331e6c583d07a23"
},
{
"url": "https://git.kernel.org/stable/c/3265ad619987cb551edaf797ed056d80ac450225"
},
{
"url": "https://git.kernel.org/stable/c/3db5647984de03d9cae0dcddb509b058351f0ee4"
}
],
"title": "netfilter: nf_conntrack_expect: skip expectations in other netns via proc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31496",
"datePublished": "2026-04-22T13:54:18.287Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-04-22T13:54:18.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23298 (GCVE-0-2026-23298)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
can: ucan: Fix infinite loop from zero-length messages
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: ucan: Fix infinite loop from zero-length messages
If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.
This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < ca07d3c6eef14d34e6fdeefe55058db045be29dc (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < e7bb6e0606b5f233531aaaad9542d69fbb792115 (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < ab6f075492d37368b4c7b0df7f7fdc2b666887fc (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < 13b646eec3ba1131180803f5aaf1fee23540ad8f (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < bd85f21a6219aeae4389d700c54f1799f4b814e0 (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588 (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < c7bc62be6c1a60bb21301692009590b1ffda91d9 (git) |
| Linux | Linux | Affected: 9f2d3eae88d26c29d96e42983b755940d9169cd9, < 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ucan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca07d3c6eef14d34e6fdeefe55058db045be29dc",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "e7bb6e0606b5f233531aaaad9542d69fbb792115",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "ab6f075492d37368b4c7b0df7f7fdc2b666887fc",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "13b646eec3ba1131180803f5aaf1fee23540ad8f",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "bd85f21a6219aeae4389d700c54f1799f4b814e0",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "c7bc62be6c1a60bb21301692009590b1ffda91d9",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
},
{
"lessThan": "1e446fd0582ad8be9f6dafb115fc2e7245f9bea7",
"status": "affected",
"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/ucan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system. If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:46.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca07d3c6eef14d34e6fdeefe55058db045be29dc"
},
{
"url": "https://git.kernel.org/stable/c/e7bb6e0606b5f233531aaaad9542d69fbb792115"
},
{
"url": "https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc"
},
{
"url": "https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f"
},
{
"url": "https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0"
},
{
"url": "https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588"
},
{
"url": "https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9"
},
{
"url": "https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7"
}
],
"title": "can: ucan: Fix infinite loop from zero-length messages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23298",
"datePublished": "2026-03-25T10:26:54.830Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:46.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23293 (GCVE-0-2026-23293)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < 649e2bb74da54c96cf20729001e283626a2fefa0 (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < b5190fcd75a1f1785c766a8d1e44d3938e168f45 (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < 5f93e6b4d12bd3a4517a6d447ea675f448f21434 (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < f0373e9317bc904e7bdb123d3106fe4f3cea2fb7 (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < fbbd2118982c55fb9b0a753ae0cf7194e77149fb (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < abcd48ecdeb2e12eccb8339a35534c757782afcd (git) |
| Linux | Linux | Affected: e15a00aafa4b7953ad717d3cb1ad7acf4ff76945, < 168ff39e4758897d2eee4756977d036d52884c7e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "649e2bb74da54c96cf20729001e283626a2fefa0",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "b5190fcd75a1f1785c766a8d1e44d3938e168f45",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "5f93e6b4d12bd3a4517a6d447ea675f448f21434",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "f0373e9317bc904e7bdb123d3106fe4f3cea2fb7",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "fbbd2118982c55fb9b0a753ae0cf7194e77149fb",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "abcd48ecdeb2e12eccb8339a35534c757782afcd",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
},
{
"lessThan": "168ff39e4758897d2eee4756977d036d52884c7e",
"status": "affected",
"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n \u003cTASK\u003e\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:43.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/649e2bb74da54c96cf20729001e283626a2fefa0"
},
{
"url": "https://git.kernel.org/stable/c/dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc"
},
{
"url": "https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45"
},
{
"url": "https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434"
},
{
"url": "https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7"
},
{
"url": "https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb"
},
{
"url": "https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd"
},
{
"url": "https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e"
}
],
"title": "net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23293",
"datePublished": "2026-03-25T10:26:51.160Z",
"dateReserved": "2026-01-13T15:37:45.993Z",
"dateUpdated": "2026-04-18T08:57:43.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43054 (GCVE-0-2026-43054)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
scsi: target: tcm_loop: Drain commands in target_reset handler
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: tcm_loop: Drain commands in target_reset handler

tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS
without draining any in-flight commands. The SCSI EH documentation
(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver
has made lower layers "forget about timed out scmds" and is ready for new
commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,
mpi3mr) enforces this by draining or completing outstanding commands before
returning SUCCESS.

Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight
scsi_cmnd structures for recovery commands (e.g. TUR) while the target core
still has async completion work queued for the old se_cmd. The memset in
queuecommand zeroes se_lun and lun_ref_active, causing
transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN
reference prevents transport_clear_lun_ref() from completing, hanging
configfs LUN unlink forever in D-state:

  INFO: task rm:264 blocked for more than 122 seconds.
  rm D 0 264 258 0x00004000
  Call Trace:
  __schedule+0x3d0/0x8e0
  schedule+0x36/0xf0
  transport_clear_lun_ref+0x78/0x90 [target_core_mod]
  core_tpg_remove_lun+0x28/0xb0 [target_core_mod]
  target_fabric_port_unlink+0x50/0x60 [target_core_mod]
  configfs_unlink+0x156/0x1f0 [configfs]
  vfs_unlink+0x109/0x290
  do_unlinkat+0x1d5/0x2d0

Fix this by making tcm_loop_target_reset() actually drain commands:

1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that
   the target core knows about (those not yet CMD_T_COMPLETE).
2. Use blk_mq_tagset_busy_iter() to iterate all started requests and
   flush_work() on each se_cmd — this drains any deferred completion work
   for commands that already had CMD_T_COMPLETE set before the TMR (which
   the TMR skips via __target_check_io_state()). This is the same pattern
   used by mpi3mr, scsi_debug, and libsas to drain outstanding commands
   during reset.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 757c43c692294cdfad31390accc0e90429b2ef8a (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 103f79e4949513247d763c6e7f3cbbf62017afdf (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 15f5241d5a52364a7e7867b49128b0442dbcad9d (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 7cbd69aaa507b1245240a28022bf5da0f07c68d9 (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < a836054ea81014117ec6b73529a21626a9e1f829 (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 05ac3754467363558a0a54ae4bb7c89b2c9574cf (git); Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3, < 1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "757c43c692294cdfad31390accc0e90429b2ef8a",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "103f79e4949513247d763c6e7f3cbbf62017afdf",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "15f5241d5a52364a7e7867b49128b0442dbcad9d",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "7cbd69aaa507b1245240a28022bf5da0f07c68d9",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "a836054ea81014117ec6b73529a21626a9e1f829",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "05ac3754467363558a0a54ae4bb7c89b2c9574cf",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
},
{
"lessThan": "1333eee56cdf3f0cf67c6ab4114c2c9e0a952026",
"status": "affected",
"version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Drain commands in target_reset handler\n\ntcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS\nwithout draining any in-flight commands. The SCSI EH documentation\n(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver\nhas made lower layers \"forget about timed out scmds\" and is ready for new\ncommands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,\nmpi3mr) enforces this by draining or completing outstanding commands before\nreturning SUCCESS.\n\nBecause tcm_loop_target_reset() doesn\u0027t drain, the SCSI EH reuses in-flight\nscsi_cmnd structures for recovery commands (e.g. TUR) while the target core\nstill has async completion work queued for the old se_cmd. The memset in\nqueuecommand zeroes se_lun and lun_ref_active, causing\ntransport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN\nreference prevents transport_clear_lun_ref() from completing, hanging\nconfigfs LUN unlink forever in D-state:\n\n INFO: task rm:264 blocked for more than 122 seconds.\n rm D 0 264 258 0x00004000\n Call Trace:\n __schedule+0x3d0/0x8e0\n schedule+0x36/0xf0\n transport_clear_lun_ref+0x78/0x90 [target_core_mod]\n core_tpg_remove_lun+0x28/0xb0 [target_core_mod]\n target_fabric_port_unlink+0x50/0x60 [target_core_mod]\n configfs_unlink+0x156/0x1f0 [configfs]\n vfs_unlink+0x109/0x290\n do_unlinkat+0x1d5/0x2d0\n\nFix this by making tcm_loop_target_reset() actually drain commands:\n\n 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that\n the target core knows about (those not yet CMD_T_COMPLETE).\n\n 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and\n flush_work() on each se_cmd \u2014 this drains any deferred completion work\n for commands that already had CMD_T_COMPLETE set before the TMR (which\n the TMR skips via __target_check_io_state()). This is the same pattern\n used by mpi3mr, scsi_debug, and libsas to drain outstanding commands\n during reset."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:47.396Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a"
},
{
"url": "https://git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf"
},
{
"url": "https://git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d"
},
{
"url": "https://git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9"
},
{
"url": "https://git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829"
},
{
"url": "https://git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf"
},
{
"url": "https://git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026"
}
],
"title": "scsi: target: tcm_loop: Drain commands in target_reset handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43054",
"datePublished": "2026-05-01T14:15:47.396Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-01T14:15:47.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43057 (GCVE-0-2026-43057)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
NETIF_F_IPV6_CSUM only advertises support for checksum offload of
packets without IPv6 extension headers. Packets with extension
headers must fall back onto software checksumming. Since TSO
depends on checksum offload, those must revert to GSO.
The below commit introduces that fallback. It always checks
network header length. For tunneled packets, the inner header length
must be checked instead. Extend the check accordingly.
A special case is tunneled packets without inner IP protocol. Such as
RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by
transport header either, so also must revert to the software GSO path.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a0478d7e888028f85fa7785ea838ce0ca09398e2, < 2094a7cf91b71367b649f991aacc7b579f793d0b (git); Affected: 2156d9e9f2e483c8c3906c0ea57ea312c1424235, < ed71cf465c75f5688b07a35d373cd1d6b589c8ea (git); Affected: 041e2f945f82fdbd6fff577b79c33469430297aa, < 33670f780e0120c3dacda188c512bbffe0b6044c (git); Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2, < a98b78116a27e2a57b696b569b2cb431c95cf9b6 (git); Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2, < 732fdeb2987c94b439d51f5cb9addddc2fc48c42 (git); Affected: 864e3396976ef41de6cc7bc366276bf4e084fff2, < c4336a07eb6b2526dc2b62928b5104b41a7f81f5 (git); Affected: 794ddbb7b63b6828c75967b9bcd43b086716e7a1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2094a7cf91b71367b649f991aacc7b579f793d0b",
"status": "affected",
"version": "a0478d7e888028f85fa7785ea838ce0ca09398e2",
"versionType": "git"
},
{
"lessThan": "ed71cf465c75f5688b07a35d373cd1d6b589c8ea",
"status": "affected",
"version": "2156d9e9f2e483c8c3906c0ea57ea312c1424235",
"versionType": "git"
},
{
"lessThan": "33670f780e0120c3dacda188c512bbffe0b6044c",
"status": "affected",
"version": "041e2f945f82fdbd6fff577b79c33469430297aa",
"versionType": "git"
},
{
"lessThan": "a98b78116a27e2a57b696b569b2cb431c95cf9b6",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"lessThan": "732fdeb2987c94b439d51f5cb9addddc2fc48c42",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"lessThan": "c4336a07eb6b2526dc2b62928b5104b41a7f81f5",
"status": "affected",
"version": "864e3396976ef41de6cc7bc366276bf4e084fff2",
"versionType": "git"
},
{
"status": "affected",
"version": "794ddbb7b63b6828c75967b9bcd43b086716e7a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: correctly handle tunneled traffic on IPV6_CSUM GSO fallback\n\nNETIF_F_IPV6_CSUM only advertises support for checksum offload of\npackets without IPv6 extension headers. Packets with extension\nheaders must fall back onto software checksumming. Since TSO\ndepends on checksum offload, those must revert to GSO.\n\nThe below commit introduces that fallback. It always checks\nnetwork header length. For tunneled packets, the inner header length\nmust be checked instead. Extend the check accordingly.\n\nA special case is tunneled packets without inner IP protocol. Such as\nRFC 6951 SCTP in UDP. Those are not standard IPv6 followed by\ntransport header either, so also must revert to the software GSO path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:27.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2094a7cf91b71367b649f991aacc7b579f793d0b"
},
{
"url": "https://git.kernel.org/stable/c/ed71cf465c75f5688b07a35d373cd1d6b589c8ea"
},
{
"url": "https://git.kernel.org/stable/c/33670f780e0120c3dacda188c512bbffe0b6044c"
},
{
"url": "https://git.kernel.org/stable/c/a98b78116a27e2a57b696b569b2cb431c95cf9b6"
},
{
"url": "https://git.kernel.org/stable/c/732fdeb2987c94b439d51f5cb9addddc2fc48c42"
},
{
"url": "https://git.kernel.org/stable/c/c4336a07eb6b2526dc2b62928b5104b41a7f81f5"
}
],
"title": "net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43057",
"datePublished": "2026-05-01T14:15:49.551Z",
"dateReserved": "2026-05-01T14:12:55.981Z",
"dateUpdated": "2026-05-03T05:46:27.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31670 (GCVE-0-2026-31670)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-25 05:48
Title
net: rfkill: prevent unlimited numbers of rfkill events from being created
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: prevent unlimited numbers of rfkill events from being created
Userspace can create an unlimited number of rfkill events if the system
is so configured, while not consuming them from the rfkill file
descriptor, causing a potential out of memory situation. Prevent this
from bounding the number of pending rfkill events at a "large" number
(i.e. 1000) to prevent abuses like this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4 (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < e3842779547c83150569071d9980517cc9029fc0 (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 673d2a3eef6e0ee9736501a150c9e4024a4e60a6 (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 82843afc19012a29ba863961ef494165aa1a88f4 (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < a8c26800e0220e1550af012f5a20e50f5c78864d (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 80ce4cb026f0a4c4532b6cad827b44debda6256a (git); Affected: c64fb01627e24725d1f9d535e4426475a4415753, < ea245d78dec594372e27d8c79616baf49e98a4a1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rfkill/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "e3842779547c83150569071d9980517cc9029fc0",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "673d2a3eef6e0ee9736501a150c9e4024a4e60a6",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "82843afc19012a29ba863961ef494165aa1a88f4",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "a8c26800e0220e1550af012f5a20e50f5c78864d",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "80ce4cb026f0a4c4532b6cad827b44debda6256a",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "ea245d78dec594372e27d8c79616baf49e98a4a1",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rfkill/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: prevent unlimited numbers of rfkill events from being created\n\nUserspace can create an unlimited number of rfkill events if the system\nis so configured, while not consuming them from the rfkill file\ndescriptor, causing a potential out of memory situation. Prevent this\nfrom bounding the number of pending rfkill events at a \"large\" number\n(i.e. 1000) to prevent abuses like this."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:48:28.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4"
},
{
"url": "https://git.kernel.org/stable/c/b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca"
},
{
"url": "https://git.kernel.org/stable/c/e3842779547c83150569071d9980517cc9029fc0"
},
{
"url": "https://git.kernel.org/stable/c/673d2a3eef6e0ee9736501a150c9e4024a4e60a6"
},
{
"url": "https://git.kernel.org/stable/c/82843afc19012a29ba863961ef494165aa1a88f4"
},
{
"url": "https://git.kernel.org/stable/c/a8c26800e0220e1550af012f5a20e50f5c78864d"
},
{
"url": "https://git.kernel.org/stable/c/80ce4cb026f0a4c4532b6cad827b44debda6256a"
},
{
"url": "https://git.kernel.org/stable/c/ea245d78dec594372e27d8c79616baf49e98a4a1"
}
],
"title": "net: rfkill: prevent unlimited numbers of rfkill events from being created",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31670",
"datePublished": "2026-04-24T14:45:17.958Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-25T05:48:28.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31464 (GCVE-0-2026-31464)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-04-27 14:03
Title
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.
Fix by clamping num_written to max_targets before storing it.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < d842348f8a00d5b1d7358f207eb34ffcf5b16df3 (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < a007246cb6c9ebdc93dafbf63cc2d43d98f402cc (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89 (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < 4ed727e35b0ab17d3eeeb1e8023768396e2be161 (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < d1466bf991b2343cf2ba8336e440c8faf3cbb780 (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < 786f10b1966e485046839f992e89f2c18cbd1983 (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < bae4df0a643fa7f84663473aa3082a9c2ed139db (git); Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3, < 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d842348f8a00d5b1d7358f207eb34ffcf5b16df3",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "a007246cb6c9ebdc93dafbf63cc2d43d98f402cc",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "4ed727e35b0ab17d3eeeb1e8023768396e2be161",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "d1466bf991b2343cf2ba8336e440c8faf3cbb780",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "786f10b1966e485046839f992e89f2c18cbd1983",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "bae4df0a643fa7f84663473aa3082a9c2ed139db",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost-\u003enum_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation. The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:20.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3"
},
{
"url": "https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc"
},
{
"url": "https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89"
},
{
"url": "https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161"
},
{
"url": "https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780"
},
{
"url": "https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983"
},
{
"url": "https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db"
},
{
"url": "https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f"
}
],
"title": "scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31464",
"datePublished": "2026-04-22T13:53:54.970Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-04-27T14:03:20.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39748 (GCVE-0-2025-39748)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-04-18 08:57
Title
bpf: Forget ranges when refining tnum after JSET
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Forget ranges when refining tnum after JSET
Syzbot reported a kernel warning due to a range invariant violation on
the following BPF program.
0: call bpf_get_netns_cookie
1: if r0 == 0 goto <exit>
2: if r0 & 0xffffffff goto <exit>
The issue is on the path where we fall through both jumps.
That path is unreachable at runtime: after insn 1, we know r0 != 0, but
with the sign extension on the jset, we would only fallthrough insn 2
if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to
figure this out, so the verifier walks all branches. The verifier then
refines the register bounds using the second condition and we end
up with inconsistent bounds on this unreachable path:
1: if r0 == 0 goto <exit>
r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
2: if r0 & 0xffffffff goto <exit>
r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)
Improving the range refinement for JSET to cover all cases is tricky. We
also don't expect many users to rely on JSET given LLVM doesn't generate
those instructions. So instead of improving the range refinement for
JSETs, Eduard suggested we forget the ranges whenever we're narrowing
tnums after a JSET. This patch implements that approach.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 22191359f8454b0be082c3b126f86bcbea0f1318 (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < c29dd8336236a4deb75596b52d2dd16ccc4a380d (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 591c788d16046edb0220800bf1819554af5853ce (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 0643aa2468192a4d81326e8e76543854870b1ee2 (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < f01e06930444cab289a8783017af9b64255bd103 (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 2fd0c26bacd90ef26522bd3169000a4715bf151f (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 80a6b11862a7cfdf691e8f9faee89cfea219f098 (git) |
| Linux | Linux | Affected: 960ea056561a08e2b837b2f02d22c53226414a84 , < 6279846b9b2532e1b04559ef8bd0dec049f29383 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22191359f8454b0be082c3b126f86bcbea0f1318",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "c29dd8336236a4deb75596b52d2dd16ccc4a380d",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "591c788d16046edb0220800bf1819554af5853ce",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "0643aa2468192a4d81326e8e76543854870b1ee2",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "f01e06930444cab289a8783017af9b64255bd103",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "2fd0c26bacd90ef26522bd3169000a4715bf151f",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "80a6b11862a7cfdf691e8f9faee89cfea219f098",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
},
{
"lessThan": "6279846b9b2532e1b04559ef8bd0dec049f29383",
"status": "affected",
"version": "960ea056561a08e2b837b2f02d22c53226414a84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Forget ranges when refining tnum after JSET\n\nSyzbot reported a kernel warning due to a range invariant violation on\nthe following BPF program.\n\n 0: call bpf_get_netns_cookie\n 1: if r0 == 0 goto \u003cexit\u003e\n 2: if r0 \u0026 Oxffffffff goto \u003cexit\u003e\n\nThe issue is on the path where we fall through both jumps.\n\nThat path is unreachable at runtime: after insn 1, we know r0 != 0, but\nwith the sign extension on the jset, we would only fallthrough insn 2\nif r0 == 0. Unfortunately, is_branch_taken() isn\u0027t currently able to\nfigure this out, so the verifier walks all branches. The verifier then\nrefines the register bounds using the second condition and we end\nup with inconsistent bounds on this unreachable path:\n\n 1: if r0 == 0 goto \u003cexit\u003e\n r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)\n 2: if r0 \u0026 0xffffffff goto \u003cexit\u003e\n r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)\n r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)\n\nImproving the range refinement for JSET to cover all cases is tricky. We\nalso don\u0027t expect many users to rely on JSET given LLVM doesn\u0027t generate\nthose instructions. So instead of improving the range refinement for\nJSETs, Eduard suggested we forget the ranges whenever we\u0027re narrowing\ntnums after a JSET. This patch implements that approach."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:00.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22191359f8454b0be082c3b126f86bcbea0f1318"
},
{
"url": "https://git.kernel.org/stable/c/c29dd8336236a4deb75596b52d2dd16ccc4a380d"
},
{
"url": "https://git.kernel.org/stable/c/591c788d16046edb0220800bf1819554af5853ce"
},
{
"url": "https://git.kernel.org/stable/c/0643aa2468192a4d81326e8e76543854870b1ee2"
},
{
"url": "https://git.kernel.org/stable/c/f01e06930444cab289a8783017af9b64255bd103"
},
{
"url": "https://git.kernel.org/stable/c/2fd0c26bacd90ef26522bd3169000a4715bf151f"
},
{
"url": "https://git.kernel.org/stable/c/80a6b11862a7cfdf691e8f9faee89cfea219f098"
},
{
"url": "https://git.kernel.org/stable/c/6279846b9b2532e1b04559ef8bd0dec049f29383"
}
],
"title": "bpf: Forget ranges when refining tnum after JSET",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39748",
"datePublished": "2025-09-11T16:52:20.534Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2026-04-18T08:57:00.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23315 (GCVE-0-2026-23315)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04
Title
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Check frame length before accessing the mgmt fields in
mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob
access.
[fix check to also cover mgmt->u.action.u.addba_req.capab,
correct Fixes tag]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 84419556359bc96d3fe1623d47a64c86542566cc (git) |
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 7ae7b093b7dba9548a3bc4766b9364b97db4732d (git) |
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 7b692dff8df0ba5feb8df00f27d906d6eb1fe627 (git) |
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 9612d91f617231e03c49cb9b0c02f975a3b4f51f (git) |
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 0fb3b94a9431a3800717e5c3b6fa2e1045a15029 (git) |
| Linux | Linux | Affected: 577dbc6c656da6997dddc6cf842b7954588f2d4e , < 4e10a730d1b511ff49723371ed6d694dd1b2c785 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84419556359bc96d3fe1623d47a64c86542566cc",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
},
{
"lessThan": "7ae7b093b7dba9548a3bc4766b9364b97db4732d",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
},
{
"lessThan": "7b692dff8df0ba5feb8df00f27d906d6eb1fe627",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
},
{
"lessThan": "9612d91f617231e03c49cb9b0c02f975a3b4f51f",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
},
{
"lessThan": "0fb3b94a9431a3800717e5c3b6fa2e1045a15029",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
},
{
"lessThan": "4e10a730d1b511ff49723371ed6d694dd1b2c785",
"status": "affected",
"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt-\u003eu.action.u.addba_req.capab,\ncorrect Fixes tag]"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:04:14.195Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc"
},
{
"url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d"
},
{
"url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627"
},
{
"url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f"
},
{
"url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029"
},
{
"url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785"
}
],
"title": "wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23315",
"datePublished": "2026-03-25T10:27:10.115Z",
"dateReserved": "2026-01-13T15:37:45.994Z",
"dateUpdated": "2026-04-13T06:04:14.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39863 (GCVE-0-2025-39863)
Vulnerability from cvelistv5 – Published: 2025-09-19 15:26 – Updated: 2026-03-25 10:19
Title
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2. The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0                          | CPU1
brcmf_btcoex_detach           | brcmf_btcoex_timerfunc
                              |   bt_local->timer_on = false;
  if (cfg->btcoex->timer_on)  |
    ...                       |
  cancel_work_sync();         |
  ...                         |
  kfree(cfg->btcoex); // FREE |
                              |   schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0                            | CPU1
brcmf_btcoex_detach             | brcmf_btcoex_timerfunc
                                |   bt_local->timer_on = false;
  if (cfg->btcoex->timer_on)    |
    ...                         |
  cancel_work_sync();           |
  ...                           |   schedule_work(); // Reschedule
                                |
  kfree(cfg->btcoex); // FREE   | brcmf_btcoex_handler() // Worker
  /*                            |   btci = container_of(....); // USE
   The kfree() above could      |   ...
   also occur at any point      |   btci-> // USE
   during the worker's execution|
  */                            |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < ae58f70bde0433f27ef4b388ab50634736607bf6 (git) |
| Linux | Linux | Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < f1150153c4e5940fe49ab51136343c5b4fe49d63 (git) |
| Linux | Linux | Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 3e789f8475f6c857c88de5c5bf4b24b11a477dd7 (git) |
| Linux | Linux | Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 2f6fbc8e04ca1d1d5c560be694199f847229c625 (git) |
| Linux | Linux | Affected: 61730d4dfffc2cc9d3a49fad87633008105c18ba , < 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:23:53.735650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:33:11.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae58f70bde0433f27ef4b388ab50634736607bf6",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "f1150153c4e5940fe49ab51136343c5b4fe49d63",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "3e789f8475f6c857c88de5c5bf4b24b11a477dd7",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "2f6fbc8e04ca1d1d5c560be694199f847229c625",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
},
{
"lessThan": "9cb83d4be0b9b697eae93d321e0da999f9cdfcfc",
"status": "affected",
"version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(\u0026bt_local-\u003ework) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... |\n kfree(cfg-\u003ebtcoex); // FREE |\n | schedule_work(\u0026bt_local-\u003ework); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. 
The following timeline illustrates this\nscenario:\n\nCPU0 | CPU1\nbrcmf_btcoex_detach | brcmf_btcoex_timerfunc\n | bt_local-\u003etimer_on = false;\n if (cfg-\u003ebtcoex-\u003etimer_on) |\n ... |\n cancel_work_sync(); |\n ... | schedule_work(); // Reschedule\n |\n kfree(cfg-\u003ebtcoex); // FREE | brcmf_btcoex_handler() // Worker\n /* | btci = container_of(....); // USE\n The kfree() above could | ...\n also occur at any point | btci-\u003e // USE\n during the worker\u0027s execution|\n */ |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:39.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae58f70bde0433f27ef4b388ab50634736607bf6"
},
{
"url": "https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"
},
{
"url": "https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"
},
{
"url": "https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"
},
{
"url": "https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"
}
],
"title": "wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39863",
"datePublished": "2025-09-19T15:26:33.069Z",
"dateReserved": "2025-04-16T07:20:57.143Z",
"dateUpdated": "2026-03-25T10:19:39.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23154 (GCVE-0-2026-23154)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-03-25 10:20
Title
net: fix segmentation of forwarding fraglist GRO
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: fix segmentation of forwarding fraglist GRO

This patch enhances GSO segment handling by properly checking
the SKB_GSO_DODGY flag for frag_list GSO packets, addressing
low throughput issues observed when a station accesses IPv4
servers via hotspots with an IPv6-only upstream interface.

Specifically, it fixes a bug in GSO segmentation when forwarding
GRO packets containing a frag_list. The function skb_segment_list
cannot correctly process GRO skbs that have been converted by XLAT,
since XLAT only translates the header of the head skb. Consequently,
skbs in the frag_list may remain untranslated, resulting in protocol
inconsistencies and reduced throughput.

To address this, the patch explicitly sets the SKB_GSO_DODGY flag
for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers
(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO
packets as potentially modified after protocol translation. As a
result, GSO segmentation will avoid using skb_segment_list and
instead fall back to skb_segment for packets with the SKB_GSO_DODGY
flag. This ensures that only safe and fully translated frag_list
packets are processed by skb_segment_list, resolving protocol
inconsistencies and improving throughput when forwarding GRO packets
converted by XLAT.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9fd1ff5d2ac7181844735806b0a703c942365291, < 9122d7280b2303e835cdfec156bd932ac1f586ed (git) |
| Linux | Linux | Affected: 9fd1ff5d2ac7181844735806b0a703c942365291, < 2cbef9ea5a0ac51863ede35c45f26931a85d3888 (git) |
| Linux | Linux | Affected: 9fd1ff5d2ac7181844735806b0a703c942365291, < 3e62db1e3140449608975e29e0979cc5f3b1cc07 (git) |
| Linux | Linux | Affected: 9fd1ff5d2ac7181844735806b0a703c942365291, < 3d48d59235c494d34e32052f768393111c0806ef (git) |
| Linux | Linux | Affected: 9fd1ff5d2ac7181844735806b0a703c942365291, < 426ca15c7f6cb6562a081341ca88893a50c59fa2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c",
"net/ipv4/tcp_offload.c",
"net/ipv4/udp_offload.c",
"net/ipv6/tcpv6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9122d7280b2303e835cdfec156bd932ac1f586ed",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "2cbef9ea5a0ac51863ede35c45f26931a85d3888",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "3e62db1e3140449608975e29e0979cc5f3b1cc07",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "3d48d59235c494d34e32052f768393111c0806ef",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "426ca15c7f6cb6562a081341ca88893a50c59fa2",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c",
"net/ipv4/tcp_offload.c",
"net/ipv4/udp_offload.c",
"net/ipv6/tcpv6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix segmentation of forwarding fraglist GRO\n\nThis patch enhances GSO segment handling by properly checking\nthe SKB_GSO_DODGY flag for frag_list GSO packets, addressing\nlow throughput issues observed when a station accesses IPv4\nservers via hotspots with an IPv6-only upstream interface.\n\nSpecifically, it fixes a bug in GSO segmentation when forwarding\nGRO packets containing a frag_list. The function skb_segment_list\ncannot correctly process GRO skbs that have been converted by XLAT,\nsince XLAT only translates the header of the head skb. Consequently,\nskbs in the frag_list may remain untranslated, resulting in protocol\ninconsistencies and reduced throughput.\n\nTo address this, the patch explicitly sets the SKB_GSO_DODGY flag\nfor GSO packets in XLAT\u0027s IPv4/IPv6 protocol translation helpers\n(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO\npackets as potentially modified after protocol translation. As a\nresult, GSO segmentation will avoid using skb_segment_list and\ninstead falls back to skb_segment for packets with the SKB_GSO_DODGY\nflag. This ensures that only safe and fully translated frag_list\npackets are processed by skb_segment_list, resolving protocol\ninconsistencies and improving throughput when forwarding GRO packets\nconverted by XLAT."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:26.462Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9122d7280b2303e835cdfec156bd932ac1f586ed"
},
{
"url": "https://git.kernel.org/stable/c/2cbef9ea5a0ac51863ede35c45f26931a85d3888"
},
{
"url": "https://git.kernel.org/stable/c/3e62db1e3140449608975e29e0979cc5f3b1cc07"
},
{
"url": "https://git.kernel.org/stable/c/3d48d59235c494d34e32052f768393111c0806ef"
},
{
"url": "https://git.kernel.org/stable/c/426ca15c7f6cb6562a081341ca88893a50c59fa2"
}
],
"title": "net: fix segmentation of forwarding fraglist GRO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23154",
"datePublished": "2026-02-14T16:01:21.758Z",
"dateReserved": "2026-01-13T15:37:45.977Z",
"dateUpdated": "2026-03-25T10:20:26.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39764 (GCVE-0-2025-39764)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-04-18 08:57
Title
netfilter: ctnetlink: remove refcounting in expectation dumpers
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: remove refcounting in expectation dumpers

Same pattern as previous patch: do not keep the expectation object
alive via refcount, only store a cookie value and then use that
as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack
dumper, when we do

  if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which
causes a double-increment of the refcount and subsequent memory leak.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < b05500444b8eb97644efdd180839a04a706be97c (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < bada48ad5b0590e318d0f79636ff62a2ef9f4955 (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < 64b7684042246e3238464c66894e30ba30c7e851 (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < 9e5021a906532ca16e2aac69c0607711e1c70b1f (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < 078d33c95bf534d37aa04269d1ae6158e20082d5 (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < a4d634ded4d3d400f115d84f654f316f249531c9 (git) |
| Linux | Linux | Affected: cf6994c2b9812a9f02b99e89df411ffc5db9c779, < 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b05500444b8eb97644efdd180839a04a706be97c",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "bada48ad5b0590e318d0f79636ff62a2ef9f4955",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "64b7684042246e3238464c66894e30ba30c7e851",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "9e5021a906532ca16e2aac69c0607711e1c70b1f",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "078d33c95bf534d37aa04269d1ae6158e20082d5",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "a4d634ded4d3d400f115d84f654f316f249531c9",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
},
{
"lessThan": "1492e3dcb2be3aa46d1963da96aa9593e4e4db5a",
"status": "affected",
"version": "cf6994c2b9812a9f02b99e89df411ffc5db9c779",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: remove refcounting in expectation dumpers\n\nSame pattern as previous patch: do not keep the expectation object\nalive via refcount, only store a cookie value and then use that\nas the skip hint for dump resumption.\n\nAFAICS this has the same issue as the one resolved in the conntrack\ndumper, when we do\n if (!refcount_inc_not_zero(\u0026exp-\u003euse))\n\nto increment the refcount, there is a chance that exp == last, which\ncauses a double-increment of the refcount and subsequent memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:02.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b05500444b8eb97644efdd180839a04a706be97c"
},
{
"url": "https://git.kernel.org/stable/c/bada48ad5b0590e318d0f79636ff62a2ef9f4955"
},
{
"url": "https://git.kernel.org/stable/c/64b7684042246e3238464c66894e30ba30c7e851"
},
{
"url": "https://git.kernel.org/stable/c/9e5021a906532ca16e2aac69c0607711e1c70b1f"
},
{
"url": "https://git.kernel.org/stable/c/078d33c95bf534d37aa04269d1ae6158e20082d5"
},
{
"url": "https://git.kernel.org/stable/c/a4d634ded4d3d400f115d84f654f316f249531c9"
},
{
"url": "https://git.kernel.org/stable/c/1492e3dcb2be3aa46d1963da96aa9593e4e4db5a"
}
],
"title": "netfilter: ctnetlink: remove refcounting in expectation dumpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39764",
"datePublished": "2025-09-11T16:52:32.060Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2026-04-18T08:57:02.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23253 (GCVE-0-2026-23253)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-04-18 08:57
Title
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
Summary
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < 527cfa8a3486b3555c5c15e2f62be484a11398dc (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < fb378cf89be434ed1f10ab79cc4788fba8ae868d (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < f1e520ca2e83ece6731af6167c9e5e16931ecba0 (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < af050ab44fa1b1897a940d7d756e512232f5e5df (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < d71781bad59b1c9d60d7068004581f9bf19c0c9d (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < cfd94642025e6f71c8f754bdec0800ee95e4f3dd (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < 32eb8e4adc207ef31bc6e5ae56bab940b0176066 (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < bfbc0b5b32a8f28ce284add619bf226716a59bc0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dmxdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "527cfa8a3486b3555c5c15e2f62be484a11398dc",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "fb378cf89be434ed1f10ab79cc4788fba8ae868d",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "f1e520ca2e83ece6731af6167c9e5e16931ecba0",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "af050ab44fa1b1897a940d7d756e512232f5e5df",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "d71781bad59b1c9d60d7068004581f9bf19c0c9d",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "cfd94642025e6f71c8f754bdec0800ee95e4f3dd",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "32eb8e4adc207ef31bc6e5ae56bab940b0176066",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "bfbc0b5b32a8f28ce284add619bf226716a59bc0",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dmxdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\n\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\n\nSince dmxdev-\u003edvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\n\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init(). The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\n\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:26.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/527cfa8a3486b3555c5c15e2f62be484a11398dc"
},
{
"url": "https://git.kernel.org/stable/c/fb378cf89be434ed1f10ab79cc4788fba8ae868d"
},
{
"url": "https://git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0"
},
{
"url": "https://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df"
},
{
"url": "https://git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9d"
},
{
"url": "https://git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3dd"
},
{
"url": "https://git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066"
},
{
"url": "https://git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0"
}
],
"title": "media: dvb-core: fix wrong reinitialization of ringbuffer on reopen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23253",
"datePublished": "2026-03-18T17:01:44.126Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-04-18T08:57:26.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23321 (GCVE-0-2026-23321)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04
Title
mptcp: pm: in-kernel: always mark signal+subflow endp as used
Summary
In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: in-kernel: always mark signal+subflow endp as used

Syzkaller managed to find a combination of actions that was generating
this warning:

  msk->pm.local_addr_used == 0
  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961
  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961
  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961

The actions that caused that seem to be:

- Set the MPTCP subflows limit to 0
- Create an MPTCP endpoint with both the 'signal' and 'subflow' flags
- Create a new MPTCP connection from a different address: an ADD_ADDR
  linked to the MPTCP endpoint will be sent ('signal' flag), but no
  subflow is initiated ('subflow' flag)
- Remove the MPTCP endpoint
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d93cf38fad9f66397093432b8917971a92ee0146, < c5c877e140e5f46023a74a51e577ce5edd0a4be7 (git) |
| Linux | Linux | Affected: 64815ba15880ce5f99df075fa4104fef170ac7e5, < 05799c2f1ca5eb13d65764dda688d02021b65e06 (git) |
| Linux | Linux | Affected: 85df533a787bf07bf4367ce2a02b822ff1fba1a3, < 67f34ab318807989b57dfdb0f79e2d4e57018290 (git) |
| Linux | Linux | Affected: 85df533a787bf07bf4367ce2a02b822ff1fba1a3, < a64aa7db39392add5be09dffaedbf1f0ce5554df (git) |
| Linux | Linux | Affected: 85df533a787bf07bf4367ce2a02b822ff1fba1a3, < 198824ccfa64ffebd918bf99c939bd8170a4a4d8 (git) |
| Linux | Linux | Affected: 85df533a787bf07bf4367ce2a02b822ff1fba1a3, < 579a752464a64cb5f9139102f0e6b90a1f595ceb (git) |
| Linux | Linux | Affected: 0f21cc29bc13e86512621727a4388c8a7ad2716b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5c877e140e5f46023a74a51e577ce5edd0a4be7",
"status": "affected",
"version": "d93cf38fad9f66397093432b8917971a92ee0146",
"versionType": "git"
},
{
"lessThan": "05799c2f1ca5eb13d65764dda688d02021b65e06",
"status": "affected",
"version": "64815ba15880ce5f99df075fa4104fef170ac7e5",
"versionType": "git"
},
{
"lessThan": "67f34ab318807989b57dfdb0f79e2d4e57018290",
"status": "affected",
"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3",
"versionType": "git"
},
{
"lessThan": "a64aa7db39392add5be09dffaedbf1f0ce5554df",
"status": "affected",
"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3",
"versionType": "git"
},
{
"lessThan": "198824ccfa64ffebd918bf99c939bd8170a4a4d8",
"status": "affected",
"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3",
"versionType": "git"
},
{
"lessThan": "579a752464a64cb5f9139102f0e6b90a1f595ceb",
"status": "affected",
"version": "85df533a787bf07bf4367ce2a02b822ff1fba1a3",
"versionType": "git"
},
{
"status": "affected",
"version": "0f21cc29bc13e86512621727a4388c8a7ad2716b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n msk-\u003epm.local_addr_used == 0\n WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n Modules linked in:\n CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 \u003c0f\u003e 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n 
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f66346f826d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n \u003c/TASK\u003e\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the \u0027signal\u0027 and \u0027subflow\u0027 flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n linked to the MPTCP endpoint will be sent (\u0027signal\u0027 flag), 
but no\n subflows is initiated (\u0027subflow\u0027 flag)\n - Remove the MPTCP endpoint\n\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T06:04:30.241Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5c877e140e5f46023a74a51e577ce5edd0a4be7"
},
{
"url": "https://git.kernel.org/stable/c/05799c2f1ca5eb13d65764dda688d02021b65e06"
},
{
"url": "https://git.kernel.org/stable/c/67f34ab318807989b57dfdb0f79e2d4e57018290"
},
{
"url": "https://git.kernel.org/stable/c/a64aa7db39392add5be09dffaedbf1f0ce5554df"
},
{
"url": "https://git.kernel.org/stable/c/198824ccfa64ffebd918bf99c939bd8170a4a4d8"
},
{
"url": "https://git.kernel.org/stable/c/579a752464a64cb5f9139102f0e6b90a1f595ceb"
}
],
"title": "mptcp: pm: in-kernel: always mark signal+subflow endp as used",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23321",
"datePublished": "2026-03-25T10:27:15.125Z",
"dateReserved": "2026-01-13T15:37:45.996Z",
"dateUpdated": "2026-04-13T06:04:30.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23397 (GCVE-0-2026-23397)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-04-18 08:58
Title
nfnetlink_osf: validate individual option lengths in fingerprints
Summary
In the Linux kernel, the following vulnerability has been resolved:

nfnetlink_osf: validate individual option lengths in fingerprints

nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:

  Oops: general protection fault
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
  Call Trace:
   nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
   xt_osf_match_packet (net/netfilter/xt_osf.c:32)
   ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
   nf_hook_slow (net/netfilter/core.c:623)
   ip_local_deliver (net/ipv4/ip_input.c:262)
   ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < e9cf17b91e733fec725ebcc0b3098bc5ccd505e0 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 3c11b5c2436a3a5b450612ab160e3a525b28cfb5 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < aa0574182c46963c3cdb8cde46ec93aca21100d8 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 224f4678812e1a7bc8341bcb666773a0aec5ea6f (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < ec8bf0571b142f29dc0b68ae2ac3952f7a464b38 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 3932620c04c2938c93c0890c225960d3d34ba355 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6 (git) |
| | | Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < dbdfaae9609629a9569362e3b8f33d0a20fd783c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e9cf17b91e733fec725ebcc0b3098bc5ccd505e0",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "3c11b5c2436a3a5b450612ab160e3a525b28cfb5",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "aa0574182c46963c3cdb8cde46ec93aca21100d8",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "224f4678812e1a7bc8341bcb666773a0aec5ea6f",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "ec8bf0571b142f29dc0b68ae2ac3952f7a464b38",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "3932620c04c2938c93c0890c225960d3d34ba355",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "dbdfaae9609629a9569362e3b8f33d0a20fd783c",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx-\u003eoptp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length \u003c 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"\u003c 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx-\u003eoptsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:32.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e9cf17b91e733fec725ebcc0b3098bc5ccd505e0"
},
{
"url": "https://git.kernel.org/stable/c/3c11b5c2436a3a5b450612ab160e3a525b28cfb5"
},
{
"url": "https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8"
},
{
"url": "https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f"
},
{
"url": "https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38"
},
{
"url": "https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355"
},
{
"url": "https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6"
},
{
"url": "https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c"
}
],
"title": "nfnetlink_osf: validate individual option lengths in fingerprints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23397",
"datePublished": "2026-03-26T10:22:49.954Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-18T08:58:32.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56719 (GCVE-0-2024-56719)
Vulnerability from cvelistv5 – Published: 2024-12-29 08:48 – Updated: 2026-03-25 10:19
Title
net: stmmac: fix TSO DMA API usage causing oops
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix TSO DMA API usage causing oops

Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap
for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s
members to be later in stmmac_tso_xmit().

The buf (dma cookie) and len stored in this structure are passed to
dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that
the dma cookie passed to dma_unmap_single() is the same as the value
returned from dma_map_single(). However, by moving the assignment
later, this is not the case when priv->dma_cap.addr64 > 32 as "des"
is offset by proto_hdr_len.

This causes problems such as:

  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed

and with DMA_API_DEBUG enabled:

  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]

Fix this by maintaining "des" as the original DMA cookie, and use
tso_des to pass the offset DMA cookie to stmmac_tso_allocator().

Full details of the crashes can be found at:
https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/
https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
Severity
5.5 (Medium)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a3ff23f7c3f0e13f718900803e090fd3997d6bc9 , < 6abcdc9a73274052a9e96a1926994ecf9aedad82 (git) |
| | | Affected: 07c9c26e37542486e34d767505e842f48f29c3f6 , < db3667c9bbfbbf5de98e6c9542f7e03fb5243286 (git) |
| | | Affected: 66600fac7a984dea4ae095411f644770b2561ede , < 9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2 (git) |
| | | Affected: 66600fac7a984dea4ae095411f644770b2561ede , < 4c49f38e20a57f8abaebdf95b369295b153d1f8e (git) |
| | | Affected: ece593fc9c00741b682869d3f3dc584d37b7c9df (git) |
| | | Affected: 58d23d835eb498336716cca55b5714191a309286 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:58:24.752519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:06.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6abcdc9a73274052a9e96a1926994ecf9aedad82",
"status": "affected",
"version": "a3ff23f7c3f0e13f718900803e090fd3997d6bc9",
"versionType": "git"
},
{
"lessThan": "db3667c9bbfbbf5de98e6c9542f7e03fb5243286",
"status": "affected",
"version": "07c9c26e37542486e34d767505e842f48f29c3f6",
"versionType": "git"
},
{
"lessThan": "9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2",
"status": "affected",
"version": "66600fac7a984dea4ae095411f644770b2561ede",
"versionType": "git"
},
{
"lessThan": "4c49f38e20a57f8abaebdf95b369295b153d1f8e",
"status": "affected",
"version": "66600fac7a984dea4ae095411f644770b2561ede",
"versionType": "git"
},
{
"status": "affected",
"version": "ece593fc9c00741b682869d3f3dc584d37b7c9df",
"versionType": "git"
},
{
"status": "affected",
"version": "58d23d835eb498336716cca55b5714191a309286",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "6.6.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]\u0027s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv-\u003edma_cap.addr64 \u003e 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:19:17.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6abcdc9a73274052a9e96a1926994ecf9aedad82"
},
{
"url": "https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286"
},
{
"url": "https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2"
},
{
"url": "https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e"
}
],
"title": "net: stmmac: fix TSO DMA API usage causing oops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56719",
"datePublished": "2024-12-29T08:48:51.495Z",
"dateReserved": "2024-12-27T15:00:39.858Z",
"dateUpdated": "2026-03-25T10:19:17.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23352 (GCVE-0-2026-23352)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:58
Title
x86/efi: defer freeing of boot services memory
Summary
In the Linux kernel, the following vulnerability has been resolved:

x86/efi: defer freeing of boot services memory

efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE
and EFI_BOOT_SERVICES_DATA using memblock_free_late().

There are two issues with that: memblock_free_late() should be used for
memory allocated with memblock_alloc() while the memory reserved with
memblock_reserve() should be freed with free_reserved_area().

More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y
efi_free_boot_services() is called before deferred initialization of the
memory map is complete.

Benjamin Herrenschmidt reports that this causes a leak of ~140MB of
RAM on EC2 t3a.nano instances which only have 512MB of RAM.

If the freed memory resides in the areas that memory map for them is
still uninitialized, they won't be actually freed because
memblock_free_late() calls memblock_free_pages() and the latter skips
uninitialized pages.

Using free_reserved_area() at this point is also problematic because
__free_page() accesses the buddy of the freed page and that again might
end up in an uninitialized part of the memory map.

Delaying the entire efi_free_boot_services() could be problematic
because in addition to freeing boot services memory it updates
efi.memmap without any synchronization and that's undesirable late in
boot when there is concurrency.

A more robust approach is to only defer freeing of the EFI boot services
memory.

Split efi_free_boot_services() in two. First efi_unmap_boot_services()
collects ranges that should be freed into an array, then
efi_free_boot_services() later frees them after deferred init is complete.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0aed459e8487eb6ebdb4efe8cefe1eafbc704b30 , < 4a2cb90c538f06c873a187aa743575d48685d7a6 (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 7131bd1fecc749bc94fb44aae217bbd8a8a85264 (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 6d8ba221e7aafaa2f284b7d22faee814c28e009d (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 227688312fece0026fc67a00ba9a0b3611ebe95d (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 6a25e25279282c5c8ade554c04c6ab9dc7902c64 (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 399da820ecfe6f4f10c143e5c453d3559a04db9c (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < f9e9cc320854a76a39e7bc92d144554f3a727fad (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < 7dcf59422a3b0d20ddda844f856b4a1e0608a326 (git) |
| | | Affected: 916f676f8dc016103f983c7ec54c18ecdbb6e349 , < a4b0bf6a40f3c107c67a24fbc614510ef5719980 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/efi.h",
"arch/x86/platform/efi/efi.c",
"arch/x86/platform/efi/quirks.c",
"drivers/firmware/efi/mokvar-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a2cb90c538f06c873a187aa743575d48685d7a6",
"status": "affected",
"version": "0aed459e8487eb6ebdb4efe8cefe1eafbc704b30",
"versionType": "git"
},
{
"lessThan": "7131bd1fecc749bc94fb44aae217bbd8a8a85264",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "6d8ba221e7aafaa2f284b7d22faee814c28e009d",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "227688312fece0026fc67a00ba9a0b3611ebe95d",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "6a25e25279282c5c8ade554c04c6ab9dc7902c64",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "399da820ecfe6f4f10c143e5c453d3559a04db9c",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "f9e9cc320854a76a39e7bc92d144554f3a727fad",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "7dcf59422a3b0d20ddda844f856b4a1e0608a326",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
},
{
"lessThan": "a4b0bf6a40f3c107c67a24fbc614510ef5719980",
"status": "affected",
"version": "916f676f8dc016103f983c7ec54c18ecdbb6e349",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/efi.h",
"arch/x86/platform/efi/efi.c",
"arch/x86/platform/efi/quirks.c",
"drivers/firmware/efi/mokvar-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.6.*",
"status": "unaffected",
"version": "2.6.39.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.6.39.2",
"versionStartIncluding": "2.6.39.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efi: defer freeing of boot services memory\n\nefi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE\nand EFI_BOOT_SERVICES_DATA using memblock_free_late().\n\nThere are two issue with that: memblock_free_late() should be used for\nmemory allocated with memblock_alloc() while the memory reserved with\nmemblock_reserve() should be freed with free_reserved_area().\n\nMore acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y\nefi_free_boot_services() is called before deferred initialization of the\nmemory map is complete.\n\nBenjamin Herrenschmidt reports that this causes a leak of ~140MB of\nRAM on EC2 t3a.nano instances which only have 512MB or RAM.\n\nIf the freed memory resides in the areas that memory map for them is\nstill uninitialized, they won\u0027t be actually freed because\nmemblock_free_late() calls memblock_free_pages() and the latter skips\nuninitialized pages.\n\nUsing free_reserved_area() at this point is also problematic because\n__free_page() accesses the buddy of the freed page and that again might\nend up in uninitialized part of the memory map.\n\nDelaying the entire efi_free_boot_services() could be problematic\nbecause in addition to freeing boot services memory it updates\nefi.memmap without any synchronization and that\u0027s undesirable late in\nboot when there is concurrency.\n\nMore robust approach is to only defer freeing of the EFI boot services\nmemory.\n\nSplit efi_free_boot_services() in two. First efi_unmap_boot_services()\ncollects ranges that should be freed into an array then\nefi_free_boot_services() later frees them after deferred init is complete."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:58:06.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a2cb90c538f06c873a187aa743575d48685d7a6"
},
{
"url": "https://git.kernel.org/stable/c/7131bd1fecc749bc94fb44aae217bbd8a8a85264"
},
{
"url": "https://git.kernel.org/stable/c/6d8ba221e7aafaa2f284b7d22faee814c28e009d"
},
{
"url": "https://git.kernel.org/stable/c/227688312fece0026fc67a00ba9a0b3611ebe95d"
},
{
"url": "https://git.kernel.org/stable/c/6a25e25279282c5c8ade554c04c6ab9dc7902c64"
},
{
"url": "https://git.kernel.org/stable/c/399da820ecfe6f4f10c143e5c453d3559a04db9c"
},
{
"url": "https://git.kernel.org/stable/c/f9e9cc320854a76a39e7bc92d144554f3a727fad"
},
{
"url": "https://git.kernel.org/stable/c/7dcf59422a3b0d20ddda844f856b4a1e0608a326"
},
{
"url": "https://git.kernel.org/stable/c/a4b0bf6a40f3c107c67a24fbc614510ef5719980"
}
],
"title": "x86/efi: defer freeing of boot services memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23352",
"datePublished": "2026-03-25T10:27:37.500Z",
"dateReserved": "2026-01-13T15:37:46.000Z",
"dateUpdated": "2026-04-18T08:58:06.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23454 (GCVE-0-2026-23454)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
Title
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
A potential race condition exists in mana_hwc_destroy_channel() where
hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
handler to dereference freed memory, leading to a use-after-free or
NULL pointer dereference in mana_hwc_handle_resp().
mana_smc_teardown_hwc() signals the hardware to stop but does not
synchronize against IRQ handlers already executing on other CPUs. The
IRQ synchronization only happens in mana_hwc_destroy_cq() via
mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
can dereference freed caller_ctx (and rxq->msg_buf) in
mana_hwc_handle_resp().
Fix this by reordering teardown to reverse-of-creation order: destroy
the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
ensures all in-flight interrupt handlers complete before the memory they
access is freed.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < b88edf12fc3779521ae5f6f1584153b15f7da6df (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < e23bf444512cb85d76012080a76cd1f9e967448e (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < 249e905571583a434d4ea8d6f92ccc0eef337115 (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < 2b001901f689021acd7bf2dceed74a1bdcaaa1f9 (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < afdb1533eb9c05432aeb793a7280fa827c502f5c (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < 05d345719d85b927cba74afac4d5322de3aa4256 (git) |
| Linux | Linux | Affected: ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f , < fa103fc8f56954a60699a29215cb713448a39e87 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/hw_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b88edf12fc3779521ae5f6f1584153b15f7da6df",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "e23bf444512cb85d76012080a76cd1f9e967448e",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "249e905571583a434d4ea8d6f92ccc0eef337115",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "2b001901f689021acd7bf2dceed74a1bdcaaa1f9",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "afdb1533eb9c05432aeb793a7280fa827c502f5c",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "05d345719d85b927cba74afac4d5322de3aa4256",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
},
{
"lessThan": "fa103fc8f56954a60699a29215cb713448a39e87",
"status": "affected",
"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/hw_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown\n\nA potential race condition exists in mana_hwc_destroy_channel() where\nhwc-\u003ecaller_ctx is freed before the HWC\u0027s Completion Queue (CQ) and\nEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupt\nhandler to dereference freed memory, leading to a use-after-free or\nNULL pointer dereference in mana_hwc_handle_resp().\n\nmana_smc_teardown_hwc() signals the hardware to stop but does not\nsynchronize against IRQ handlers already executing on other CPUs. The\nIRQ synchronization only happens in mana_hwc_destroy_cq() via\nmana_gd_destroy_eq() -\u003e mana_gd_deregister_irq(). Since this runs\nafter kfree(hwc-\u003ecaller_ctx), a concurrent mana_hwc_rx_event_handler()\ncan dereference freed caller_ctx (and rxq-\u003emsg_buf) in\nmana_hwc_handle_resp().\n\nFix this by reordering teardown to reverse-of-creation order: destroy\nthe TX/RX work queues and CQ/EQ before freeing hwc-\u003ecaller_ctx. This\nensures all in-flight interrupt handlers complete before the memory they\naccess is freed."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:02.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df"
},
{
"url": "https://git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e"
},
{
"url": "https://git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115"
},
{
"url": "https://git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9"
},
{
"url": "https://git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c"
},
{
"url": "https://git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256"
},
{
"url": "https://git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87"
}
],
"title": "net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23454",
"datePublished": "2026-04-03T15:15:36.189Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-18T08:59:02.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23289 (GCVE-0-2026-23289)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:26 – Updated: 2026-04-18 08:57
Title
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
Fix a user triggerable leak on the system call failure path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < 11ac61f4e9b7c48b0dd44661765e5ace3c441aa3 (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < 72fcfd4df46f2ee684c4776664d0cfc6c1746c9a (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < f67f1ad4029e9fa183141546de31987b254c9292 (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < d0148965dbca8cc8efa7e3d6e99940487bf661c0 (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < da8eaa73bc37d004350ba68eb18b6ade8e49db52 (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < deee46b37ebd8cc5ff810127883fca90f2412a7b (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < 972b72d7e2d8fe1400f1c7a8304c282c539b7e02 (git) |
| Linux | Linux | Affected: ec34a922d243c3401a694450734e9effb2bafbfe , < 117942ca43e2e3c3d121faae530989931b7f67e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mthca/mthca_provider.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11ac61f4e9b7c48b0dd44661765e5ace3c441aa3",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "72fcfd4df46f2ee684c4776664d0cfc6c1746c9a",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "f67f1ad4029e9fa183141546de31987b254c9292",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "d0148965dbca8cc8efa7e3d6e99940487bf661c0",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "da8eaa73bc37d004350ba68eb18b6ade8e49db52",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "deee46b37ebd8cc5ff810127883fca90f2412a7b",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "972b72d7e2d8fe1400f1c7a8304c282c539b7e02",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
},
{
"lessThan": "117942ca43e2e3c3d121faae530989931b7f67e1",
"status": "affected",
"version": "ec34a922d243c3401a694450734e9effb2bafbfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mthca/mthca_provider.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()\n\nFix a user triggerable leak on the system call failure path."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:57:39.473Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11ac61f4e9b7c48b0dd44661765e5ace3c441aa3"
},
{
"url": "https://git.kernel.org/stable/c/72fcfd4df46f2ee684c4776664d0cfc6c1746c9a"
},
{
"url": "https://git.kernel.org/stable/c/f67f1ad4029e9fa183141546de31987b254c9292"
},
{
"url": "https://git.kernel.org/stable/c/d0148965dbca8cc8efa7e3d6e99940487bf661c0"
},
{
"url": "https://git.kernel.org/stable/c/da8eaa73bc37d004350ba68eb18b6ade8e49db52"
},
{
"url": "https://git.kernel.org/stable/c/deee46b37ebd8cc5ff810127883fca90f2412a7b"
},
{
"url": "https://git.kernel.org/stable/c/972b72d7e2d8fe1400f1c7a8304c282c539b7e02"
},
{
"url": "https://git.kernel.org/stable/c/117942ca43e2e3c3d121faae530989931b7f67e1"
}
],
"title": "IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23289",
"datePublished": "2026-03-25T10:26:48.207Z",
"dateReserved": "2026-01-13T15:37:45.992Z",
"dateUpdated": "2026-04-18T08:57:39.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}