Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0547
Vulnerability from certfr_avis - Published: 2026-05-07 - Updated: 2026-05-07
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian 11 bullseye versions ant\u00e9rieures \u00e0 6.1.170-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
},
{
"description": "Debian 11 bullseye versions ant\u00e9rieures \u00e0 5.10.251-3",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31483"
},
{
"name": "CVE-2026-31409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31409"
},
{
"name": "CVE-2026-31522",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31522"
},
{
"name": "CVE-2026-31770",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31770"
},
{
"name": "CVE-2026-31658",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31658"
},
{
"name": "CVE-2025-21682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21682"
},
{
"name": "CVE-2026-31756",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31756"
},
{
"name": "CVE-2026-31467",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31467"
},
{
"name": "CVE-2026-23318",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23318"
},
{
"name": "CVE-2026-23368",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23368"
},
{
"name": "CVE-2026-31485",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31485"
},
{
"name": "CVE-2026-23475",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23475"
},
{
"name": "CVE-2026-31754",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31754"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2026-23426",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23426"
},
{
"name": "CVE-2026-31758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31758"
},
{
"name": "CVE-2025-71265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71265"
},
{
"name": "CVE-2026-23450",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23450"
},
{
"name": "CVE-2026-23281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23281"
},
{
"name": "CVE-2025-71221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71221"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-31656",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31656"
},
{
"name": "CVE-2025-39764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39764"
},
{
"name": "CVE-2026-31453",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31453"
},
{
"name": "CVE-2026-23438",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23438"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2026-23463",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23463"
},
{
"name": "CVE-2026-23227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23227"
},
{
"name": "CVE-2026-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23454"
},
{
"name": "CVE-2026-31405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31405"
},
{
"name": "CVE-2026-43054",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43054"
},
{
"name": "CVE-2026-31664",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31664"
},
{
"name": "CVE-2026-31473",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31473"
},
{
"name": "CVE-2026-31448",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31448"
},
{
"name": "CVE-2026-31550",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31550"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-31549",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31549"
},
{
"name": "CVE-2026-31752",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31752"
},
{
"name": "CVE-2025-40016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40016"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2025-38626",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38626"
},
{
"name": "CVE-2026-23303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23303"
},
{
"name": "CVE-2026-43011",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43011"
},
{
"name": "CVE-2026-31396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31396"
},
{
"name": "CVE-2026-31680",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31680"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-43046",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43046"
},
{
"name": "CVE-2026-31738",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31738"
},
{
"name": "CVE-2025-40005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40005"
},
{
"name": "CVE-2026-31751",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31751"
},
{
"name": "CVE-2026-23439",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23439"
},
{
"name": "CVE-2026-23253",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23253"
},
{
"name": "CVE-2026-43025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43025"
},
{
"name": "CVE-2026-31721",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31721"
},
{
"name": "CVE-2026-23271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23271"
},
{
"name": "CVE-2025-68265",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68265"
},
{
"name": "CVE-2026-23434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23434"
},
{
"name": "CVE-2026-43018",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43018"
},
{
"name": "CVE-2026-43014",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43014"
},
{
"name": "CVE-2026-31447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31447"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2026-43028",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43028"
},
{
"name": "CVE-2026-23422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23422"
},
{
"name": "CVE-2026-31548",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31548"
},
{
"name": "CVE-2026-23304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23304"
},
{
"name": "CVE-2026-31683",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31683"
},
{
"name": "CVE-2026-23357",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23357"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2025-38105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38105"
},
{
"name": "CVE-2026-31524",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31524"
},
{
"name": "CVE-2026-31668",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31668"
},
{
"name": "CVE-2026-31478",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31478"
},
{
"name": "CVE-2026-31546",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31546"
},
{
"name": "CVE-2025-38436",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38436"
},
{
"name": "CVE-2026-23324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23324"
},
{
"name": "CVE-2024-50298",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50298"
},
{
"name": "CVE-2026-23317",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23317"
},
{
"name": "CVE-2026-43047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43047"
},
{
"name": "CVE-2026-31389",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31389"
},
{
"name": "CVE-2026-31786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31786"
},
{
"name": "CVE-2026-31545",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31545"
},
{
"name": "CVE-2026-23456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23456"
},
{
"name": "CVE-2026-43033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
},
{
"name": "CVE-2026-43023",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43023"
},
{
"name": "CVE-2026-23287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23287"
},
{
"name": "CVE-2026-31510",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31510"
},
{
"name": "CVE-2026-23457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23457"
},
{
"name": "CVE-2026-31496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31496"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2026-31659",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31659"
},
{
"name": "CVE-2026-23401",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23401"
},
{
"name": "CVE-2026-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43057"
},
{
"name": "CVE-2026-43030",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43030"
},
{
"name": "CVE-2025-38250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38250"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-31415",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31415"
},
{
"name": "CVE-2024-47809",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47809"
},
{
"name": "CVE-2026-23204",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23204"
},
{
"name": "CVE-2026-23462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23462"
},
{
"name": "CVE-2026-31563",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31563"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2026-23372",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23372"
},
{
"name": "CVE-2026-31689",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31689"
},
{
"name": "CVE-2026-23319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23319"
},
{
"name": "CVE-2024-56719",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56719"
},
{
"name": "CVE-2026-31566",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31566"
},
{
"name": "CVE-2026-31494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31494"
},
{
"name": "CVE-2026-31565",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31565"
},
{
"name": "CVE-2026-23270",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23270"
},
{
"name": "CVE-2026-31763",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31763"
},
{
"name": "CVE-2026-23279",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23279"
},
{
"name": "CVE-2026-31670",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31670"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2026-23286",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23286"
},
{
"name": "CVE-2026-23359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23359"
},
{
"name": "CVE-2026-31533",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
},
{
"name": "CVE-2026-23298",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23298"
},
{
"name": "CVE-2026-31469",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31469"
},
{
"name": "CVE-2026-31498",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31498"
},
{
"name": "CVE-2026-31520",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31520"
},
{
"name": "CVE-2026-31418",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31418"
},
{
"name": "CVE-2026-23296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23296"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-31555",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31555"
},
{
"name": "CVE-2026-31392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31392"
},
{
"name": "CVE-2026-31515",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31515"
},
{
"name": "CVE-2026-31661",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31661"
},
{
"name": "CVE-2026-31737",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31737"
},
{
"name": "CVE-2026-43017",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43017"
},
{
"name": "CVE-2025-71267",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71267"
},
{
"name": "CVE-2026-43043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43043"
},
{
"name": "CVE-2025-37945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37945"
},
{
"name": "CVE-2026-23396",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23396"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-43051",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43051"
},
{
"name": "CVE-2026-31759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31759"
},
{
"name": "CVE-2026-23370",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23370"
},
{
"name": "CVE-2025-38303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38303"
},
{
"name": "CVE-2026-23414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23414"
},
{
"name": "CVE-2026-31781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31781"
},
{
"name": "CVE-2026-23315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23315"
},
{
"name": "CVE-2026-31523",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31523"
},
{
"name": "CVE-2026-31669",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
},
{
"name": "CVE-2026-31450",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31450"
},
{
"name": "CVE-2026-31671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
},
{
"name": "CVE-2026-31749",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31749"
},
{
"name": "CVE-2026-43024",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43024"
},
{
"name": "CVE-2026-23352",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23352"
},
{
"name": "CVE-2026-31720",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31720"
},
{
"name": "CVE-2026-31748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31748"
},
{
"name": "CVE-2026-23367",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23367"
},
{
"name": "CVE-2026-31628",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31628"
},
{
"name": "CVE-2026-31662",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31662"
},
{
"name": "CVE-2025-71067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71067"
},
{
"name": "CVE-2026-31768",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31768"
},
{
"name": "CVE-2026-43026",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43026"
},
{
"name": "CVE-2026-31480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31480"
},
{
"name": "CVE-2026-23446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23446"
},
{
"name": "CVE-2026-43035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43035"
},
{
"name": "CVE-2025-71269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71269"
},
{
"name": "CVE-2026-31665",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31665"
},
{
"name": "CVE-2025-40358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40358"
},
{
"name": "CVE-2026-23300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23300"
},
{
"name": "CVE-2026-31391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31391"
},
{
"name": "CVE-2026-31672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31672"
},
{
"name": "CVE-2026-31780",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31780"
},
{
"name": "CVE-2026-23243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23243"
},
{
"name": "CVE-2023-53510",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53510"
},
{
"name": "CVE-2026-31521",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31521"
},
{
"name": "CVE-2026-31634",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31634"
},
{
"name": "CVE-2024-47736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47736"
},
{
"name": "CVE-2026-31412",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31412"
},
{
"name": "CVE-2026-43032",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43032"
},
{
"name": "CVE-2026-23362",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23362"
},
{
"name": "CVE-2026-23379",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23379"
},
{
"name": "CVE-2026-31421",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31421"
},
{
"name": "CVE-2023-53545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53545"
},
{
"name": "CVE-2026-23381",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23381"
},
{
"name": "CVE-2026-31518",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31518"
},
{
"name": "CVE-2026-31660",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31660"
},
{
"name": "CVE-2026-23392",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23392"
},
{
"name": "CVE-2026-23245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23245"
},
{
"name": "CVE-2026-31728",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31728"
},
{
"name": "CVE-2024-49998",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49998"
},
{
"name": "CVE-2026-31403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31403"
},
{
"name": "CVE-2026-31400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31400"
},
{
"name": "CVE-2026-31512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31512"
},
{
"name": "CVE-2026-31726",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31726"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2026-31773",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31773"
},
{
"name": "CVE-2026-23364",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23364"
},
{
"name": "CVE-2026-23242",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23242"
},
{
"name": "CVE-2026-43015",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43015"
},
{
"name": "CVE-2026-31509",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31509"
},
{
"name": "CVE-2026-31679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31679"
},
{
"name": "CVE-2025-40135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40135"
},
{
"name": "CVE-2026-31779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31779"
},
{
"name": "CVE-2026-23428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23428"
},
{
"name": "CVE-2026-23274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23274"
},
{
"name": "CVE-2025-38192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38192"
},
{
"name": "CVE-2026-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43020"
},
{
"name": "CVE-2026-31417",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31417"
},
{
"name": "CVE-2026-43041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43041"
},
{
"name": "CVE-2026-31761",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31761"
},
{
"name": "CVE-2026-31466",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31466"
},
{
"name": "CVE-2026-31414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31414"
},
{
"name": "CVE-2026-31778",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31778"
},
{
"name": "CVE-2025-38704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38704"
},
{
"name": "CVE-2026-31426",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31426"
},
{
"name": "CVE-2025-21676",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21676"
},
{
"name": "CVE-2026-43040",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43040"
},
{
"name": "CVE-2026-31552",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31552"
},
{
"name": "CVE-2026-23284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23284"
},
{
"name": "CVE-2026-23397",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23397"
},
{
"name": "CVE-2026-23452",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23452"
},
{
"name": "CVE-2026-23474",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23474"
},
{
"name": "CVE-2026-31434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31434"
},
{
"name": "CVE-2026-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23343"
},
{
"name": "CVE-2026-23336",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23336"
},
{
"name": "CVE-2026-31497",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31497"
},
{
"name": "CVE-2026-31682",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31682"
},
{
"name": "CVE-2026-31570",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31570"
},
{
"name": "CVE-2026-23289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23289"
},
{
"name": "CVE-2026-31755",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31755"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2026-23141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23141"
},
{
"name": "CVE-2026-23277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23277"
},
{
"name": "CVE-2026-31399",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31399"
},
{
"name": "CVE-2026-31441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31441"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2026-23335",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23335"
},
{
"name": "CVE-2026-31551",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31551"
},
{
"name": "CVE-2026-31495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31495"
},
{
"name": "CVE-2026-31507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31507"
},
{
"name": "CVE-2026-31762",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31762"
},
{
"name": "CVE-2026-31788",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31788"
},
{
"name": "CVE-2026-31411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31411"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-23420",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23420"
},
{
"name": "CVE-2026-23388",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23388"
},
{
"name": "CVE-2025-39748",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39748"
},
{
"name": "CVE-2026-23449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23449"
},
{
"name": "CVE-2025-39863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39863"
},
{
"name": "CVE-2025-71266",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71266"
},
{
"name": "CVE-2026-31492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31492"
},
{
"name": "CVE-2026-43037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43037"
},
{
"name": "CVE-2026-31476",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31476"
},
{
"name": "CVE-2026-23458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23458"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31674",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31674"
},
{
"name": "CVE-2026-31393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31393"
},
{
"name": "CVE-2026-43027",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43027"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2026-23339",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23339"
},
{
"name": "CVE-2026-31433",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31433"
},
{
"name": "CVE-2026-31776",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31776"
},
{
"name": "CVE-2026-23321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23321"
},
{
"name": "CVE-2026-23460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23460"
},
{
"name": "CVE-2026-31678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31678"
},
{
"name": "CVE-2025-71161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71161"
},
{
"name": "CVE-2026-31540",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31540"
},
{
"name": "CVE-2026-23395",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23395"
},
{
"name": "CVE-2026-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31651"
},
{
"name": "CVE-2023-53228",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53228"
},
{
"name": "CVE-2026-23100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23100"
},
{
"name": "CVE-2026-31503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31503"
},
{
"name": "CVE-2026-31657",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31657"
},
{
"name": "CVE-2026-31747",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31747"
},
{
"name": "CVE-2026-31455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31455"
},
{
"name": "CVE-2026-23306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23306"
},
{
"name": "CVE-2026-23378",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23378"
},
{
"name": "CVE-2026-31519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31519"
},
{
"name": "CVE-2026-23291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23291"
},
{
"name": "CVE-2025-68239",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68239"
},
{
"name": "CVE-2026-23382",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23382"
},
{
"name": "CVE-2026-31446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31446"
},
{
"name": "CVE-2026-23113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23113"
},
{
"name": "CVE-2026-23157",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23157"
},
{
"name": "CVE-2026-31464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31464"
},
{
"name": "CVE-2026-31695",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31695"
},
{
"name": "CVE-2025-37980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37980"
},
{
"name": "CVE-2026-23231",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23231"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-31508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31508"
},
{
"name": "CVE-2026-23365",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23365"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
},
{
"name": "CVE-2026-23356",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23356"
},
{
"name": "CVE-2026-23307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23307"
},
{
"name": "CVE-2025-38162",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38162"
},
{
"name": "CVE-2026-31477",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31477"
},
{
"name": "CVE-2026-43038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43038"
},
{
"name": "CVE-2026-43013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43013"
},
{
"name": "CVE-2026-31454",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31454"
},
{
"name": "CVE-2025-38659",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38659"
},
{
"name": "CVE-2026-31452",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31452"
},
{
"name": "CVE-2026-23398",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23398"
},
{
"name": "CVE-2026-31425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31425"
},
{
"name": "CVE-2026-23351",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23351"
},
{
"name": "CVE-2026-43050",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43050"
},
{
"name": "CVE-2026-23154",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23154"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-07T00:00:00",
"last_revision_date": "2026-05-07T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0547",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS msg00004",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00004.html"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS msg00005",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
}
]
}
CVE-2026-23401 (GCVE-0-2026-23401)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-06-30 12:06
VLAI
EPSS
Title
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
Severity
8.1 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
23 references
Impacted products
47 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 20656cd1f243d3a154aac5dd1b823110b6906fe1
(git)
Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < ed5909992f344a7d3f4024261e9f751d9618a27d (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < fd28c5618699180cd69619801e9ae6a5266c0a22 (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 459158151a158a6703b49f3c9de0e536d8bd553f (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 695320de6eadb75aaed8be1787c4ce4c189e4c7b (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < bce7fe59d43531623f3e43779127bfb33804925d (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < aad885e774966e97b675dfe928da164214a71605 (git) |
|
| Linux | Linux |
Affected:
5.13
Unaffected: 0 , < 5.13 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 8) |
cpe:/o:redhat:enterprise_linux:8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS AUS (v.8.6) |
cpe:/o:redhat:rhel_aus:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.8.6) |
cpe:/o:redhat:rhel_e4s:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS TUS (v.8.6) |
cpe:/o:redhat:rhel_tus:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.8.8) |
cpe:/o:redhat:rhel_e4s:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS TUS (v.8.8) |
cpe:/o:redhat:rhel_tus:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.9.0) |
cpe:/o:redhat:rhel_e4s:9.0::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.9.2) |
cpe:/o:redhat:rhel_e4s:9.2::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v.9.4) |
cpe:/o:redhat:rhel_eus:9.4::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v.9.6) |
cpe:/o:redhat:rhel_eus:9.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 9) |
cpe:/o:redhat:enterprise_linux:9::baseos |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CRB (v. 8) |
cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::crb |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux NFV (v. 8) |
cpe:/a:redhat:enterprise_linux:8::nfv |
|
| Red Hat | Red Hat Enterprise Linux NFV E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV (v. 9) |
cpe:/a:redhat:enterprise_linux:9::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux Real Time (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux RT (v. 8) |
cpe:/a:redhat:enterprise_linux:8::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time (v. 9) |
cpe:/a:redhat:enterprise_linux:9::realtime |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Kernel-based Virtual Machine (KVM) component. A local attacker with privileges on the host system could exploit a vulnerability in how KVM handles shadow page table entries (SPTEs) during memory-mapped I/O (MMIO) operations. By manipulating guest page table entries (gPTEs) from host userspace, an attacker could cause KVM to install an MMIO SPTE without properly removing an existing shadow-present SPTE. This improper handling could lead to a kernel warning, resulting in a denial of service or potentially allowing for privilege escalation or information disclosure."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:45.035Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-23401"
},
{
"name": "RHBZ#2453803",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453803"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23401.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15883"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13936"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20593"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13932"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14339"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14230"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19521"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13578"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14137"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19875"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:15883: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:13936: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:20593: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:13932: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:14339: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13577: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14230: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:19521: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:13578: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14137: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:19875: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20656cd1f243d3a154aac5dd1b823110b6906fe1",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "ed5909992f344a7d3f4024261e9f751d9618a27d",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "fd28c5618699180cd69619801e9ae6a5266c0a22",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "459158151a158a6703b49f3c9de0e536d8bd553f",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "695320de6eadb75aaed8be1787c4ce4c189e4c7b",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "bce7fe59d43531623f3e43779127bfb33804925d",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "aad885e774966e97b675dfe928da164214a71605",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it\u0027s shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n ------------[ cut here ]------------\n is_shadow_present_pte(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n Call Trace:\n \u003cTASK\u003e\n mmu_set_spte+0x237/0x440 [kvm]\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x47fa3f\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:11.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20656cd1f243d3a154aac5dd1b823110b6906fe1"
},
{
"url": "https://git.kernel.org/stable/c/ed5909992f344a7d3f4024261e9f751d9618a27d"
},
{
"url": "https://git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22"
},
{
"url": "https://git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f"
},
{
"url": "https://git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b"
},
{
"url": "https://git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d"
},
{
"url": "https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605"
}
],
"title": "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23401",
"datePublished": "2026-04-01T08:36:32.367Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-06-30T12:06:45.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23414 (GCVE-0-2026-23414)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-05-23 16:04
VLAI
EPSS
Title
tls: Purge async_hold in tls_decrypt_async_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Purge async_hold in tls_decrypt_async_wait()
The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.
A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.
This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.
[pabeni@redhat.com: added leak comment]
Severity
7.5 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9f83fd0c179e0f458e824e417f9d5ad53443f685 , < ac435be7c7613eb13a5a8ceb5182e10b50c9ce87
(git)
Affected: c61d4368197d65c4809d9271f3b85325a600586a , < 2dcf324855c34e7f934ce978aa19b645a8f3ee71 (git) Affected: 39dec4ea3daf77f684308576baf483b55ca7f160 , < 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 9f557c7eae127b44d2e863917dc986a4b6cb1269 (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < fd8037e1f18ca5336934d0e0e7e1a4fe097e749d (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 84a8335d8300576f1b377ae24abca1d9f197807f (git) Affected: 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) Affected: 6.1.158 , < 6.1.168 (semver) Affected: 6.6.114 , < 6.6.131 (semver) Affected: 6.12.55 , < 6.12.80 (semver) Affected: 6.17.5 , < 6.18 (semver) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac435be7c7613eb13a5a8ceb5182e10b50c9ce87",
"status": "affected",
"version": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"versionType": "git"
},
{
"lessThan": "2dcf324855c34e7f934ce978aa19b645a8f3ee71",
"status": "affected",
"version": "c61d4368197d65c4809d9271f3b85325a600586a",
"versionType": "git"
},
{
"lessThan": "6dc11e0bd0a5466bcc76d275c09e5537bd0597dd",
"status": "affected",
"version": "39dec4ea3daf77f684308576baf483b55ca7f160",
"versionType": "git"
},
{
"lessThan": "9f557c7eae127b44d2e863917dc986a4b6cb1269",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "fd8037e1f18ca5336934d0e0e7e1a4fe097e749d",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "84a8335d8300576f1b377ae24abca1d9f197807f",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"versionType": "git"
},
{
"lessThan": "6.1.168",
"status": "affected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThan": "6.6.131",
"status": "affected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThan": "6.12.80",
"status": "affected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThan": "6.18",
"status": "affected",
"version": "6.17.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(\u0026ctx-\u003easync_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg\u0027s drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:43.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87"
},
{
"url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71"
},
{
"url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd"
},
{
"url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269"
},
{
"url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d"
},
{
"url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f"
}
],
"title": "tls: Purge async_hold in tls_decrypt_async_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23414",
"datePublished": "2026-04-02T11:40:55.746Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-05-23T16:04:43.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23420 (GCVE-0-2026-23420)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-05-11 22:06
VLAI
EPSS
Title
wifi: wlcore: Fix a locking bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Fix a locking bug
Make sure that wl->mutex is locked before it is unlocked. This has been
detected by the Clang thread-safety analyzer.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 4ae8faf31b24c78653f4433298ee52813a56967a
(git)
Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < fc404390a386404cf9822d4091ccae1f61efcbcd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 7ab511003c5ae3bf5364d7699a2e3ab1db513680 (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < aca4c9e4901b01b8b985993dc7df80bd1d1338bd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 5feeea59ed142e15c3284d0b1a364c6786bf3487 (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < fcef983ad88832f3aa83491a174c345de57afbbd (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 1a1c28a08d74716f3f8e3a21c86b30d0ff13521a (git) Affected: 45aa7f071b06c8481afed4c7b93e07c9584741e8 , < 72c6df8f284b3a49812ce2ac136727ace70acc7c (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ae8faf31b24c78653f4433298ee52813a56967a",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "fc404390a386404cf9822d4091ccae1f61efcbcd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "7ab511003c5ae3bf5364d7699a2e3ab1db513680",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "aca4c9e4901b01b8b985993dc7df80bd1d1338bd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "5feeea59ed142e15c3284d0b1a364c6786bf3487",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "fcef983ad88832f3aa83491a174c345de57afbbd",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "1a1c28a08d74716f3f8e3a21c86b30d0ff13521a",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
},
{
"lessThan": "72c6df8f284b3a49812ce2ac136727ace70acc7c",
"status": "affected",
"version": "45aa7f071b06c8481afed4c7b93e07c9584741e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Fix a locking bug\n\nMake sure that wl-\u003emutex is locked before it is unlocked. This has been\ndetected by the Clang thread-safety analyzer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:33.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ae8faf31b24c78653f4433298ee52813a56967a"
},
{
"url": "https://git.kernel.org/stable/c/fc404390a386404cf9822d4091ccae1f61efcbcd"
},
{
"url": "https://git.kernel.org/stable/c/7ab511003c5ae3bf5364d7699a2e3ab1db513680"
},
{
"url": "https://git.kernel.org/stable/c/aca4c9e4901b01b8b985993dc7df80bd1d1338bd"
},
{
"url": "https://git.kernel.org/stable/c/5feeea59ed142e15c3284d0b1a364c6786bf3487"
},
{
"url": "https://git.kernel.org/stable/c/fcef983ad88832f3aa83491a174c345de57afbbd"
},
{
"url": "https://git.kernel.org/stable/c/1a1c28a08d74716f3f8e3a21c86b30d0ff13521a"
},
{
"url": "https://git.kernel.org/stable/c/72c6df8f284b3a49812ce2ac136727ace70acc7c"
}
],
"title": "wifi: wlcore: Fix a locking bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23420",
"datePublished": "2026-04-03T13:24:29.681Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-05-11T22:06:33.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23422 (GCVE-0-2026-23422)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-05-23 16:04
VLAI
EPSS
Title
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ
handler") introduces a range check for if_id to avoid an out-of-bounds
access. If an out-of-bounds if_id is detected, the interrupt status is
not cleared. This may result in an interrupt storm.
Clear the interrupt status after detecting an out-of-bounds if_id to avoid
the problem.
Found by an experimental AI code review agent at Google.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
77611cab5bdfff7a070ae574bbfba20a1de99d1b , < 7def51cb9fb8b8d5342443372b8cf28d8fbd7f3d
(git)
Affected: 34b56c16efd61325d80bf1d780d0e176be662f59 , < b5bababe7703a7322bc59b803ab1587887a2a5e4 (git) Affected: f89e33c9c37f0001b730e23b3b05ab7b1ecface2 , < c7becfe3e604d138bd53b8ac3111b2b3e8ec6b0e (git) Affected: 2447edc367800ba914acf7ddd5d250416b45fb31 , < fa4412cdc5178a48799bafcb8af28fd2fbf3d703 (git) Affected: 1b381a638e1851d8cfdfe08ed9cdbec5295b18c9 , < 00f42ace446f1e4bf84988f2281131f52cd32796 (git) Affected: 31a7a0bbeb006bac2d9c81a2874825025214b6d8 , < 28fd8ac1d49389cb230d712116f54e27ebec11b8 (git) Affected: 31a7a0bbeb006bac2d9c81a2874825025214b6d8 , < 74badb9c20b1a9c02a95c735c6d3cd6121679c93 (git) Affected: 5.15.200 , < 5.15.203 (semver) Affected: 6.1.163 , < 6.1.167 (semver) Affected: 6.6.124 , < 6.6.130 (semver) Affected: 6.12.70 , < 6.12.77 (semver) Affected: 6.18.10 , < 6.18.17 (semver) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7def51cb9fb8b8d5342443372b8cf28d8fbd7f3d",
"status": "affected",
"version": "77611cab5bdfff7a070ae574bbfba20a1de99d1b",
"versionType": "git"
},
{
"lessThan": "b5bababe7703a7322bc59b803ab1587887a2a5e4",
"status": "affected",
"version": "34b56c16efd61325d80bf1d780d0e176be662f59",
"versionType": "git"
},
{
"lessThan": "c7becfe3e604d138bd53b8ac3111b2b3e8ec6b0e",
"status": "affected",
"version": "f89e33c9c37f0001b730e23b3b05ab7b1ecface2",
"versionType": "git"
},
{
"lessThan": "fa4412cdc5178a48799bafcb8af28fd2fbf3d703",
"status": "affected",
"version": "2447edc367800ba914acf7ddd5d250416b45fb31",
"versionType": "git"
},
{
"lessThan": "00f42ace446f1e4bf84988f2281131f52cd32796",
"status": "affected",
"version": "1b381a638e1851d8cfdfe08ed9cdbec5295b18c9",
"versionType": "git"
},
{
"lessThan": "28fd8ac1d49389cb230d712116f54e27ebec11b8",
"status": "affected",
"version": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"versionType": "git"
},
{
"lessThan": "74badb9c20b1a9c02a95c735c6d3cd6121679c93",
"status": "affected",
"version": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThan": "6.1.167",
"status": "affected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThan": "6.6.130",
"status": "affected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThan": "6.12.77",
"status": "affected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThan": "6.18.17",
"status": "affected",
"version": "6.18.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler\n\nCommit 31a7a0bbeb00 (\"dpaa2-switch: add bounds check for if_id in IRQ\nhandler\") introduces a range check for if_id to avoid an out-of-bounds\naccess. If an out-of-bounds if_id is detected, the interrupt status is\nnot cleared. This may result in an interrupt storm.\n\nClear the interrupt status after detecting an out-of-bounds if_id to avoid\nthe problem.\n\nFound by an experimental AI code review agent at Google."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:45.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7def51cb9fb8b8d5342443372b8cf28d8fbd7f3d"
},
{
"url": "https://git.kernel.org/stable/c/b5bababe7703a7322bc59b803ab1587887a2a5e4"
},
{
"url": "https://git.kernel.org/stable/c/c7becfe3e604d138bd53b8ac3111b2b3e8ec6b0e"
},
{
"url": "https://git.kernel.org/stable/c/fa4412cdc5178a48799bafcb8af28fd2fbf3d703"
},
{
"url": "https://git.kernel.org/stable/c/00f42ace446f1e4bf84988f2281131f52cd32796"
},
{
"url": "https://git.kernel.org/stable/c/28fd8ac1d49389cb230d712116f54e27ebec11b8"
},
{
"url": "https://git.kernel.org/stable/c/74badb9c20b1a9c02a95c735c6d3cd6121679c93"
}
],
"title": "dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23422",
"datePublished": "2026-04-03T13:24:31.281Z",
"dateReserved": "2026-01-13T15:37:46.015Z",
"dateUpdated": "2026-05-23T16:04:45.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23426 (GCVE-0-2026-23426)
Vulnerability from cvelistv5 – Published: 2026-04-03 13:24 – Updated: 2026-05-11 22:06
VLAI
EPSS
Title
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
The logicvc_drm_config_parse() function calls of_get_child_by_name() to
find the "layers" node but fails to release the reference, leading to a
device node reference leak.
Fix this by using the __free(device_node) cleanup attribute to automatic
release the reference when the variable goes out of scope.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < b88f49910be147b7974098b9172b0d3873142d6a
(git)
Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < 0bd326dffd9e103335d77d9c31275c0d5a7979eb (git) Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < 871630255ecd2d9b64ad1d75a7dfc0567d7d9989 (git) Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < f8a6eba20edb938166b26e133cc61306e1bc6de9 (git) Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < 78e91e49d28e05ccaa6b445bafb5e367d57c9583 (git) Affected: efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 , < fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/logicvc/logicvc_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b88f49910be147b7974098b9172b0d3873142d6a",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "0bd326dffd9e103335d77d9c31275c0d5a7979eb",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "871630255ecd2d9b64ad1d75a7dfc0567d7d9989",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "f8a6eba20edb938166b26e133cc61306e1bc6de9",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "78e91e49d28e05ccaa6b445bafb5e367d57c9583",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
},
{
"lessThan": "fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207",
"status": "affected",
"version": "efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/logicvc/logicvc_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()\n\nThe logicvc_drm_config_parse() function calls of_get_child_by_name() to\nfind the \"layers\" node but fails to release the reference, leading to a\ndevice node reference leak.\n\nFix this by using the __free(device_node) cleanup attribute to automatic\nrelease the reference when the variable goes out of scope."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:40.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b88f49910be147b7974098b9172b0d3873142d6a"
},
{
"url": "https://git.kernel.org/stable/c/0bd326dffd9e103335d77d9c31275c0d5a7979eb"
},
{
"url": "https://git.kernel.org/stable/c/871630255ecd2d9b64ad1d75a7dfc0567d7d9989"
},
{
"url": "https://git.kernel.org/stable/c/f8a6eba20edb938166b26e133cc61306e1bc6de9"
},
{
"url": "https://git.kernel.org/stable/c/78e91e49d28e05ccaa6b445bafb5e367d57c9583"
},
{
"url": "https://git.kernel.org/stable/c/fef0e649f8b42bdffe4a916dd46e1b1e9ad2f207"
}
],
"title": "drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23426",
"datePublished": "2026-04-03T13:24:34.276Z",
"dateReserved": "2026-01-13T15:37:46.015Z",
"dateUpdated": "2026-05-11T22:06:40.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23428 (GCVE-0-2026-23428)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-23 16:04
VLAI
EPSS
Title
ksmbd: fix use-after-free of share_conf in compound request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free of share_conf in compound request
smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
TREE_CONNECTED on the initial lookup path, but the compound reuse path
bypasses this check entirely.
If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
subsequent commands dereference the freed share_conf through
work->tcon->share_conf.
KASAN report:
[ 4.144653] ==================================================================
[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
[ 4.145772]
[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work
[ 4.145888] Call Trace:
[ 4.145892] <TASK>
[ 4.145894] dump_stack_lvl+0x64/0x80
[ 4.145910] print_report+0xce/0x660
[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 4.145928] ? smb2_write+0xc74/0xe70
[ 4.145931] kasan_report+0xce/0x100
[ 4.145934] ? smb2_write+0xc74/0xe70
[ 4.145937] smb2_write+0xc74/0xe70
[ 4.145939] ? __pfx_smb2_write+0x10/0x10
[ 4.145942] ? _raw_spin_unlock+0xe/0x30
[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0
[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480
[ 4.145951] handle_ksmbd_work+0x40f/0x1080
[ 4.145953] process_one_work+0x5fa/0xef0
[ 4.145962] ? assign_work+0x122/0x3e0
[ 4.145964] worker_thread+0x54b/0xf70
[ 4.145967] ? __pfx_worker_thread+0x10/0x10
[ 4.145970] kthread+0x346/0x470
[ 4.145976] ? recalc_sigpending+0x19b/0x230
[ 4.145980] ? __pfx_kthread+0x10/0x10
[ 4.145984] ret_from_fork+0x4fb/0x6c0
[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10
[ 4.145995] ? __switch_to+0x36c/0xbe0
[ 4.145999] ? __pfx_kthread+0x10/0x10
[ 4.146003] ret_from_fork_asm+0x1a/0x30
[ 4.146013] </TASK>
[ 4.146014]
[ 4.149858] Allocated by task 44:
[ 4.149953] kasan_save_stack+0x33/0x60
[ 4.150061] kasan_save_track+0x14/0x30
[ 4.150169] __kasan_kmalloc+0x8f/0xa0
[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0
[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600
[ 4.150529] smb2_tree_connect+0x2e6/0x1000
[ 4.150645] handle_ksmbd_work+0x40f/0x1080
[ 4.150761] process_one_work+0x5fa/0xef0
[ 4.150873] worker_thread+0x54b/0xf70
[ 4.150978] kthread+0x346/0x470
[ 4.151071] ret_from_fork+0x4fb/0x6c0
[ 4.151176] ret_from_fork_asm+0x1a/0x30
[ 4.151286]
[ 4.151332] Freed by task 44:
[ 4.151418] kasan_save_stack+0x33/0x60
[ 4.151526] kasan_save_track+0x14/0x30
[ 4.151634] kasan_save_free_info+0x3b/0x60
[ 4.151751] __kasan_slab_free+0x43/0x70
[ 4.151861] kfree+0x1ca/0x430
[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190
[ 4.152088] smb2_tree_disconnect+0x1cd/0x480
[ 4.152211] handle_ksmbd_work+0x40f/0x1080
[ 4.152326] process_one_work+0x5fa/0xef0
[ 4.152438] worker_thread+0x54b/0xf70
[ 4.152545] kthread+0x346/0x470
[ 4.152638] ret_from_fork+0x4fb/0x6c0
[ 4.152743] ret_from_fork_asm+0x1a/0x30
[ 4.152853]
[ 4.152900] The buggy address belongs to the object at ffff88810430c180
[ 4.152900] which belongs to the cache kmalloc-96 of size 96
[ 4.153226] The buggy address is located 20 bytes inside of
[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
[ 4.153549]
[ 4.153596] The buggy address belongs to the physical page:
[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
[ 4.154000] flags: 0x
---truncated---
Severity
9.8 (Critical)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
eb947403518ea3d93f6d89264bb1f5416bb0c7d0 , < d08417981155883068b7260d9500ca306a03edac
(git)
Affected: 854156d12caa9d36de1cf5f084591c7686cc8a9d , < eae0dc86f71e6f3294c0cd7ffc05039258d243af (git) Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < 806f13752652216db0c309392b4db3e64eeed4f2 (git) Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < c742b46a153d3ff95ff0825ab1950c87b9e14470 (git) Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < 7f7468fd2a7554cea91b7d430335a3dbf01dcc09 (git) Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < a5929c2020ce54e1dcbd1078c0f30b8aaf73c105 (git) Affected: 5005bcb4219156f1bf7587b185080ec1da08518e , < c33615f995aee80657b9fdfbc4ee7f49c2bd733d (git) Affected: d1066c1b3663401cd23c0d6e60cdae750ce00c0f (git) Affected: 5.15.121 , < 5.15.203 (semver) Affected: 6.1.36 , < 6.1.167 (semver) Affected: 6.3.10 , < 6.4 (semver) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d08417981155883068b7260d9500ca306a03edac",
"status": "affected",
"version": "eb947403518ea3d93f6d89264bb1f5416bb0c7d0",
"versionType": "git"
},
{
"lessThan": "eae0dc86f71e6f3294c0cd7ffc05039258d243af",
"status": "affected",
"version": "854156d12caa9d36de1cf5f084591c7686cc8a9d",
"versionType": "git"
},
{
"lessThan": "806f13752652216db0c309392b4db3e64eeed4f2",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "c742b46a153d3ff95ff0825ab1950c87b9e14470",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "7f7468fd2a7554cea91b7d430335a3dbf01dcc09",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "a5929c2020ce54e1dcbd1078c0f30b8aaf73c105",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"lessThan": "c33615f995aee80657b9fdfbc4ee7f49c2bd733d",
"status": "affected",
"version": "5005bcb4219156f1bf7587b185080ec1da08518e",
"versionType": "git"
},
{
"status": "affected",
"version": "d1066c1b3663401cd23c0d6e60cdae750ce00c0f",
"versionType": "git"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThan": "6.1.167",
"status": "affected",
"version": "6.1.36",
"versionType": "semver"
},
{
"lessThan": "6.4",
"status": "affected",
"version": "6.3.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of share_conf in compound request\n\nsmb2_get_ksmbd_tcon() reuses work-\u003etcon in compound requests without\nvalidating tcon-\u003et_state. ksmbd_tree_conn_lookup() checks t_state ==\nTREE_CONNECTED on the initial lookup path, but the compound reuse path\nbypasses this check entirely.\n\nIf a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state\nto TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),\nsubsequent commands dereference the freed share_conf through\nwork-\u003etcon-\u003eshare_conf.\n\nKASAN report:\n\n[ 4.144653] ==================================================================\n[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70\n[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44\n[ 4.145772]\n[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY\n[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work\n[ 4.145888] Call Trace:\n[ 4.145892] \u003cTASK\u003e\n[ 4.145894] dump_stack_lvl+0x64/0x80\n[ 4.145910] print_report+0xce/0x660\n[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 4.145928] ? smb2_write+0xc74/0xe70\n[ 4.145931] kasan_report+0xce/0x100\n[ 4.145934] ? smb2_write+0xc74/0xe70\n[ 4.145937] smb2_write+0xc74/0xe70\n[ 4.145939] ? __pfx_smb2_write+0x10/0x10\n[ 4.145942] ? _raw_spin_unlock+0xe/0x30\n[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0\n[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480\n[ 4.145951] handle_ksmbd_work+0x40f/0x1080\n[ 4.145953] process_one_work+0x5fa/0xef0\n[ 4.145962] ? assign_work+0x122/0x3e0\n[ 4.145964] worker_thread+0x54b/0xf70\n[ 4.145967] ? __pfx_worker_thread+0x10/0x10\n[ 4.145970] kthread+0x346/0x470\n[ 4.145976] ? recalc_sigpending+0x19b/0x230\n[ 4.145980] ? __pfx_kthread+0x10/0x10\n[ 4.145984] ret_from_fork+0x4fb/0x6c0\n[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10\n[ 4.145995] ? __switch_to+0x36c/0xbe0\n[ 4.145999] ? __pfx_kthread+0x10/0x10\n[ 4.146003] ret_from_fork_asm+0x1a/0x30\n[ 4.146013] \u003c/TASK\u003e\n[ 4.146014]\n[ 4.149858] Allocated by task 44:\n[ 4.149953] kasan_save_stack+0x33/0x60\n[ 4.150061] kasan_save_track+0x14/0x30\n[ 4.150169] __kasan_kmalloc+0x8f/0xa0\n[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0\n[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600\n[ 4.150529] smb2_tree_connect+0x2e6/0x1000\n[ 4.150645] handle_ksmbd_work+0x40f/0x1080\n[ 4.150761] process_one_work+0x5fa/0xef0\n[ 4.150873] worker_thread+0x54b/0xf70\n[ 4.150978] kthread+0x346/0x470\n[ 4.151071] ret_from_fork+0x4fb/0x6c0\n[ 4.151176] ret_from_fork_asm+0x1a/0x30\n[ 4.151286]\n[ 4.151332] Freed by task 44:\n[ 4.151418] kasan_save_stack+0x33/0x60\n[ 4.151526] kasan_save_track+0x14/0x30\n[ 4.151634] kasan_save_free_info+0x3b/0x60\n[ 4.151751] __kasan_slab_free+0x43/0x70\n[ 4.151861] kfree+0x1ca/0x430\n[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190\n[ 4.152088] smb2_tree_disconnect+0x1cd/0x480\n[ 4.152211] handle_ksmbd_work+0x40f/0x1080\n[ 4.152326] process_one_work+0x5fa/0xef0\n[ 4.152438] worker_thread+0x54b/0xf70\n[ 4.152545] kthread+0x346/0x470\n[ 4.152638] ret_from_fork+0x4fb/0x6c0\n[ 4.152743] ret_from_fork_asm+0x1a/0x30\n[ 4.152853]\n[ 4.152900] The buggy address belongs to the object at ffff88810430c180\n[ 4.152900] which belongs to the cache kmalloc-96 of size 96\n[ 4.153226] The buggy address is located 20 bytes inside of\n[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)\n[ 4.153549]\n[ 4.153596] The buggy address belongs to the physical page:\n[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c\n[ 4.154000] flags: 0x\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:47.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d08417981155883068b7260d9500ca306a03edac"
},
{
"url": "https://git.kernel.org/stable/c/eae0dc86f71e6f3294c0cd7ffc05039258d243af"
},
{
"url": "https://git.kernel.org/stable/c/806f13752652216db0c309392b4db3e64eeed4f2"
},
{
"url": "https://git.kernel.org/stable/c/c742b46a153d3ff95ff0825ab1950c87b9e14470"
},
{
"url": "https://git.kernel.org/stable/c/7f7468fd2a7554cea91b7d430335a3dbf01dcc09"
},
{
"url": "https://git.kernel.org/stable/c/a5929c2020ce54e1dcbd1078c0f30b8aaf73c105"
},
{
"url": "https://git.kernel.org/stable/c/c33615f995aee80657b9fdfbc4ee7f49c2bd733d"
}
],
"title": "ksmbd: fix use-after-free of share_conf in compound request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23428",
"datePublished": "2026-04-03T15:15:14.981Z",
"dateReserved": "2026-01-13T15:37:46.016Z",
"dateUpdated": "2026-05-23T16:04:47.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23434 (GCVE-0-2026-23434)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:06
VLAI
EPSS
Title
mtd: rawnand: serialize lock/unlock against other NAND operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: serialize lock/unlock against other NAND operations
nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
without holding the NAND device lock. On controllers that implement
SET_FEATURES via multiple low-level PIO commands, these can race with
concurrent UBI/UBIFS background erase/write operations that hold the
device lock, resulting in cmd_pending conflicts on the NAND controller.
Add nand_get_device()/nand_release_device() around the lock/unlock
operations to serialize them against all other NAND controller access.
Severity
7.1 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
92270086b7e5ada7ab381c06cc3da2e95ed17088 , < 28ea836cc44cb8b89c1c174707ead0c1133c60e9
(git)
Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < fe4a73c3dd48308149d57a10c2761e1d36ced7ba (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < ce5229e78078e437704157eb542f43a6f83b429b (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < a80291e577b44593a724d6cd64c14337c78f194d (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2 (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < 5fd5c078af23cb353507aa522e09d557d7eaef04 (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < f25446e2c28939753d3b62d34dfda49952b2557d (git) Affected: 92270086b7e5ada7ab381c06cc3da2e95ed17088 , < bab2bc6e850a697a23b9e5f0e21bb8c187615e95 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/nand_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28ea836cc44cb8b89c1c174707ead0c1133c60e9",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "fe4a73c3dd48308149d57a10c2761e1d36ced7ba",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "ce5229e78078e437704157eb542f43a6f83b429b",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "a80291e577b44593a724d6cd64c14337c78f194d",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "5fd5c078af23cb353507aa522e09d557d7eaef04",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "f25446e2c28939753d3b62d34dfda49952b2557d",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
},
{
"lessThan": "bab2bc6e850a697a23b9e5f0e21bb8c187615e95",
"status": "affected",
"version": "92270086b7e5ada7ab381c06cc3da2e95ed17088",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/nand_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip-\u003eops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:50.000Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28ea836cc44cb8b89c1c174707ead0c1133c60e9"
},
{
"url": "https://git.kernel.org/stable/c/fe4a73c3dd48308149d57a10c2761e1d36ced7ba"
},
{
"url": "https://git.kernel.org/stable/c/ce5229e78078e437704157eb542f43a6f83b429b"
},
{
"url": "https://git.kernel.org/stable/c/a80291e577b44593a724d6cd64c14337c78f194d"
},
{
"url": "https://git.kernel.org/stable/c/f71ce0ae5aefe39dd5b2f996c0e08550d2153ad2"
},
{
"url": "https://git.kernel.org/stable/c/5fd5c078af23cb353507aa522e09d557d7eaef04"
},
{
"url": "https://git.kernel.org/stable/c/f25446e2c28939753d3b62d34dfda49952b2557d"
},
{
"url": "https://git.kernel.org/stable/c/bab2bc6e850a697a23b9e5f0e21bb8c187615e95"
}
],
"title": "mtd: rawnand: serialize lock/unlock against other NAND operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23434",
"datePublished": "2026-04-03T15:15:19.450Z",
"dateReserved": "2026-01-13T15:37:46.016Z",
"dateUpdated": "2026-05-11T22:06:50.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23438 (GCVE-0-2026-23438)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:06
VLAI
EPSS
Title
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
mvpp2_bm_switch_buffers() unconditionally calls
mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
shared buffer pool modes. This function programs CM3 flow control
registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
priv->cm3_base without any NULL check.
When the CM3 SRAM resource is not present in the device tree (the
third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
NULL and priv->global_tx_fc is false. Any operation that triggers
mvpp2_bm_switch_buffers(), for example an MTU change that crosses
the jumbo frame threshold, will crash:
Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
pc : readl+0x0/0x18
lr : mvpp2_cm3_read.isra.0+0x14/0x20
Call trace:
readl+0x0/0x18
mvpp2_bm_pool_update_fc+0x40/0x12c
mvpp2_bm_pool_update_priv_fc+0x94/0xd8
mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
mvpp2_change_mtu+0x140/0x380
__dev_set_mtu+0x1c/0x38
dev_set_mtu_ext+0x78/0x118
dev_set_mtu+0x48/0xa8
dev_ifsioc+0x21c/0x43c
dev_ioctl+0x2d8/0x42c
sock_ioctl+0x314/0x378
Every other flow control call site in the driver already guards
hardware access with either priv->global_tx_fc or port->tx_fc.
mvpp2_bm_switch_buffers() is the only place that omits this check.
Add the missing priv->global_tx_fc guard to both the disable and
re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
rest of the driver.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3a616b92a9d17448d96a33bf58e69f01457fd43a , < 0cfcd31f98fc608dc9406bff3fee3a9dd364d014
(git)
Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < da089f74a993f846685067b14158cb41b879ff29 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < ff0c54f088f7ab91dbbf47cf8244460f99122750 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9 (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8baced53a35fc9710f80d6ca016a2c418dc3231f (git) Affected: 3a616b92a9d17448d96a33bf58e69f01457fd43a , < 8a63baadf08453f66eb582fdb6dd234f72024723 (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cfcd31f98fc608dc9406bff3fee3a9dd364d014",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "da089f74a993f846685067b14158cb41b879ff29",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "ff0c54f088f7ab91dbbf47cf8244460f99122750",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8baced53a35fc9710f80d6ca016a2c418dc3231f",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
},
{
"lessThan": "8a63baadf08453f66eb582fdb6dd234f72024723",
"status": "affected",
"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:54.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cfcd31f98fc608dc9406bff3fee3a9dd364d014"
},
{
"url": "https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"
},
{
"url": "https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"
},
{
"url": "https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"
},
{
"url": "https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"
},
{
"url": "https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"
},
{
"url": "https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"
}
],
"title": "net: mvpp2: guard flow control update with global_tx_fc in buffer switching",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23438",
"datePublished": "2026-04-03T15:15:22.701Z",
"dateReserved": "2026-01-13T15:37:46.017Z",
"dateUpdated": "2026-05-11T22:06:54.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23439 (GCVE-0-2026-23439)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:06
VLAI
EPSS
Title
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
(success) without actually creating a socket. Callers such as
fou_create() then proceed to dereference the uninitialized socket
pointer, resulting in a NULL pointer dereference.
The captured NULL deref crash:
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
[...]
Call Trace:
<TASK>
genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
[...]
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
__sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
__x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
callers correctly take their error paths. There is only one caller of
the vulnerable function and only privileged users can trigger it.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < dfc96ae0074cc47b5478a59e5aa19233e434243f
(git)
Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 66117dbb3dbae82f86735bf727b1d59cc677afa1 (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < ba7c9ddcdd077942b798979edb035207374d4096 (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < a05a2149386f6dfb4245f522acdbef892acafc84 (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 9f036aa0fe46c19e938f03d10e02c23f4fffae5e (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 003343985f26dfefd0c94b1fe1316a2de74428b9 (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < 12aa4b73a67d95bc739995a2d6943aec2f9785c9 (git) Affected: fd384412e199b62c3ddaabd18dce86d0e164c5b9 , < b3a6df291fecf5f8a308953b65ca72b7fc9e015d (git) |
|
| Linux | Linux |
Affected:
3.18
Unaffected: 0 , < 3.18 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/udp_tunnel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfc96ae0074cc47b5478a59e5aa19233e434243f",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "66117dbb3dbae82f86735bf727b1d59cc677afa1",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "ba7c9ddcdd077942b798979edb035207374d4096",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "a05a2149386f6dfb4245f522acdbef892acafc84",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "9f036aa0fe46c19e938f03d10e02c23f4fffae5e",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "003343985f26dfefd0c94b1fe1316a2de74428b9",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "12aa4b73a67d95bc739995a2d6943aec2f9785c9",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
},
{
"lessThan": "b3a6df291fecf5f8a308953b65ca72b7fc9e015d",
"status": "affected",
"version": "fd384412e199b62c3ddaabd18dce86d0e164c5b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/udp_tunnel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n\n\nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0\n(success) without actually creating a socket. Callers such as\nfou_create() then proceed to dereference the uninitialized socket\npointer, resulting in a NULL pointer dereference.\n\nThe captured NULL deref crash:\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)\n [...]\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)\n [...]\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))\n __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)\n\nThis patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so\ncallers correctly take their error paths. There is only one caller of\nthe vulnerable function and only privileged users can trigger it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:06:55.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfc96ae0074cc47b5478a59e5aa19233e434243f"
},
{
"url": "https://git.kernel.org/stable/c/66117dbb3dbae82f86735bf727b1d59cc677afa1"
},
{
"url": "https://git.kernel.org/stable/c/ba7c9ddcdd077942b798979edb035207374d4096"
},
{
"url": "https://git.kernel.org/stable/c/a05a2149386f6dfb4245f522acdbef892acafc84"
},
{
"url": "https://git.kernel.org/stable/c/9f036aa0fe46c19e938f03d10e02c23f4fffae5e"
},
{
"url": "https://git.kernel.org/stable/c/003343985f26dfefd0c94b1fe1316a2de74428b9"
},
{
"url": "https://git.kernel.org/stable/c/12aa4b73a67d95bc739995a2d6943aec2f9785c9"
},
{
"url": "https://git.kernel.org/stable/c/b3a6df291fecf5f8a308953b65ca72b7fc9e015d"
}
],
"title": "udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23439",
"datePublished": "2026-04-03T15:15:23.734Z",
"dateReserved": "2026-01-13T15:37:46.017Z",
"dateUpdated": "2026-05-11T22:06:55.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23446 (GCVE-0-2026-23446)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
net: usb: aqc111: Do not perform PM inside suspend callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: aqc111: Do not perform PM inside suspend callback
syzbot reports "task hung in rpm_resume"
This is caused by aqc111_suspend calling
the PM variant of its write_cmd routine.
The simplified call trace looks like this:
rpm_suspend()
usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
aqc111_suspend() - called for the usb device interface
aqc111_write32_cmd()
usb_autopm_get_interface()
pm_runtime_resume_and_get()
rpm_resume() - here we call rpm_resume() on our parent
rpm_resume() - Here we wait for a status change that will never happen.
At this point we block another task which holds
rtnl_lock and locks up the whole networking stack.
Fix this by replacing the write_cmd calls with their _nopm variants
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < cc06ac99fd78839b2d38850785731ef131d9ae26
(git)
Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < b87f361d41f9a7f1f6c426947ca815651c481376 (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < 621f2f43741b51f62d767eb4752fbcefe2526926 (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < 4de6a43e8ecf961feabddf0e9d6911081d2ed218 (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < 3267bcb744ee8a2feabaa7ab69473f086f67fd71 (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < d3e32a612c6391ca9b7c183aeec22b4fd24c300c (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < 98e8aed64614b0c199d5f0391fbe1a4331cb5773 (git) Affected: e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc , < 069c8f5aebe4d5224cf62acc7d4b3486091c658a (git) |
|
| Linux | Linux |
Affected:
5.0
Unaffected: 0 , < 5.0 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc06ac99fd78839b2d38850785731ef131d9ae26",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "b87f361d41f9a7f1f6c426947ca815651c481376",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "621f2f43741b51f62d767eb4752fbcefe2526926",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "4de6a43e8ecf961feabddf0e9d6911081d2ed218",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "3267bcb744ee8a2feabaa7ab69473f086f67fd71",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "d3e32a612c6391ca9b7c183aeec22b4fd24c300c",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "98e8aed64614b0c199d5f0391fbe1a4331cb5773",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
},
{
"lessThan": "069c8f5aebe4d5224cf62acc7d4b3486091c658a",
"status": "affected",
"version": "e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/aqc111.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Do not perform PM inside suspend callback\n\nsyzbot reports \"task hung in rpm_resume\"\n\nThis is caused by aqc111_suspend calling\nthe PM variant of its write_cmd routine.\n\nThe simplified call trace looks like this:\n\nrpm_suspend()\n usb_suspend_both() - here udev-\u003edev.power.runtime_status == RPM_SUSPENDING\n aqc111_suspend() - called for the usb device interface\n aqc111_write32_cmd()\n usb_autopm_get_interface()\n pm_runtime_resume_and_get()\n rpm_resume() - here we call rpm_resume() on our parent\n rpm_resume() - Here we wait for a status change that will never happen.\n\nAt this point we block another task which holds\nrtnl_lock and locks up the whole networking stack.\n\nFix this by replacing the write_cmd calls with their _nopm variants"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:04.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc06ac99fd78839b2d38850785731ef131d9ae26"
},
{
"url": "https://git.kernel.org/stable/c/b87f361d41f9a7f1f6c426947ca815651c481376"
},
{
"url": "https://git.kernel.org/stable/c/621f2f43741b51f62d767eb4752fbcefe2526926"
},
{
"url": "https://git.kernel.org/stable/c/4de6a43e8ecf961feabddf0e9d6911081d2ed218"
},
{
"url": "https://git.kernel.org/stable/c/3267bcb744ee8a2feabaa7ab69473f086f67fd71"
},
{
"url": "https://git.kernel.org/stable/c/d3e32a612c6391ca9b7c183aeec22b4fd24c300c"
},
{
"url": "https://git.kernel.org/stable/c/98e8aed64614b0c199d5f0391fbe1a4331cb5773"
},
{
"url": "https://git.kernel.org/stable/c/069c8f5aebe4d5224cf62acc7d4b3486091c658a"
}
],
"title": "net: usb: aqc111: Do not perform PM inside suspend callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23446",
"datePublished": "2026-04-03T15:15:29.863Z",
"dateReserved": "2026-01-13T15:37:46.019Z",
"dateUpdated": "2026-05-11T22:07:04.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…