Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0664
Vulnerability from certfr_avis - Published: 2026-05-29 - Updated: 2026-05-29
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Micro 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | N/A | SUSE Linux Micro Extras 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP applications 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Micro 6.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Micro 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro Extras 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2023-20585",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20585"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2026-23468",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23468"
},
{
"name": "CVE-2026-23461",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23461"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-31738",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31738"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43025"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2026-31524",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31524"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2026-31681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
},
{
"name": "CVE-2026-23456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23456"
},
{
"name": "CVE-2026-23457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23457"
},
{
"name": "CVE-2026-31496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31496"
},
{
"name": "CVE-2026-23408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23408"
},
{
"name": "CVE-2026-43334",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43334"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-23462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23462"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2024-50082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50082"
},
{
"name": "CVE-2026-43264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43264"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-23472",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23472"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-23216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
},
{
"name": "CVE-2026-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43437"
},
{
"name": "CVE-2026-31675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31675"
},
{
"name": "CVE-2026-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23193"
},
{
"name": "CVE-2026-43126",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43126"
},
{
"name": "CVE-2026-31403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31403"
},
{
"name": "CVE-2026-31400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31400"
},
{
"name": "CVE-2026-31512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31512"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2026-31607",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
},
{
"name": "CVE-2026-23405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23405"
},
{
"name": "CVE-2026-23403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23403"
},
{
"name": "CVE-2026-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43190"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2022-50053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50053"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2026-43110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43110"
},
{
"name": "CVE-2026-31507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31507"
},
{
"name": "CVE-2026-46333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46333"
},
{
"name": "CVE-2026-31411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31411"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-23449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23449"
},
{
"name": "CVE-2026-23442",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23442"
},
{
"name": "CVE-2026-23458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23458"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31393"
},
{
"name": "CVE-2026-23404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23404"
},
{
"name": "CVE-2026-23378",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23378"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2026-31700",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
},
{
"name": "CVE-2026-31407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31407"
},
{
"name": "CVE-2026-31602",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31602"
},
{
"name": "CVE-2026-31425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31425"
},
{
"name": "CVE-2025-71238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71238"
},
{
"name": "CVE-2026-43255",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43255"
},
{
"name": "CVE-2026-23276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23276"
},
{
"name": "CVE-2026-43088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43088"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-29T00:00:00",
"last_revision_date": "2026-05-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0664",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21818-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621818-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21816-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621816-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621720-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621720-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21775-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621775-1"
},
{
"published_at": "2026-05-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2068-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262068-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21771-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621771-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21777-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621777-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21772-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621772-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21743-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621743-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621721-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621721-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21774-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621774-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21766-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621766-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21767-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621767-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621723-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621723-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21817-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621817-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21765-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621765-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21745-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621745-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21778-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621778-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21734-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621734-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621719-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621719-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21773-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621773-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21776-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621776-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621724-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621724-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21735-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621735-1"
}
]
}
CVE-2026-23458 (GCVE-0-2026-23458)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
conntrack reference immediately after netlink_dump_start(). When the
dump spans multiple rounds, the second recvmsg() triggers the dump
callback which dereferences the now-freed conntrack via nfct_help(ct),
leading to a use-after-free on ct->ext.
The bug is that the netlink_dump_control has no .start or .done
callbacks to manage the conntrack reference across dump rounds. Other
dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
use .start/.done callbacks for this purpose.
Fix this by adding .start and .done callbacks that hold and release the
conntrack reference for the duration of the dump, and move the
nfct_help() call after the cb->args[0] early-return check in the dump
callback to avoid dereferencing ct->ext unnecessarily.
BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
Call Trace:
<TASK>
ctnetlink_exp_ct_dump_table+0x4f/0x2e0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
? aa_sk_perm+0x184/0x450
sock_recvmsg+0xde/0xf0
Allocated by task 133:
kmem_cache_alloc_noprof+0x134/0x440
__nf_conntrack_alloc+0xa8/0x2b0
ctnetlink_create_conntrack+0xa1/0x900
ctnetlink_new_conntrack+0x3cf/0x7d0
nfnetlink_rcv_msg+0x48e/0x510
netlink_rcv_skb+0xc9/0x1f0
nfnetlink_rcv+0xdb/0x220
netlink_unicast+0x3ec/0x590
netlink_sendmsg+0x397/0x690
__sys_sendmsg+0xf4/0x180
Freed by task 0:
slab_free_after_rcu_debug+0xad/0x1e0
rcu_core+0x5c3/0x9c0
Severity
7.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a… | |
| https://git.kernel.org/stable/c/9821b47f669eb8279… | |
| https://git.kernel.org/stable/c/bdf2724eefd4455a6… | |
| https://git.kernel.org/stable/c/f04cc86d59906513d… | |
| https://git.kernel.org/stable/c/f025171feef2ac656… | |
| https://git.kernel.org/stable/c/04c8907ce4e3d3e26… | |
| https://git.kernel.org/stable/c/cd541f15b60e22574… | |
| https://git.kernel.org/stable/c/5cb81eeda909dbb2d… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < d8cd0efbccc5cfb0a80da744a7da76e1333ab925
(git)
Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 9821b47f669eb82791fa0b1a6ebaf9aa219bea72 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < bdf2724eefd4455a66863abb025bab8d3aa98c57 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < f04cc86d59906513d2d62183b882966fc0ae0390 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < f025171feef2ac65663d7986f1d5ff0c28d6b2a9 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < cd541f15b60e2257441398cf495d978f816d09f8 (git) Affected: e844a928431fa8f1359d1f4f2cef53d9b446bf52 , < 5cb81eeda909dbb2def209dd10636b51549a3f8a (git) |
|
| Linux | Linux |
Affected:
3.10
Unaffected: 0 , < 3.10 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "bdf2724eefd4455a66863abb025bab8d3aa98c57",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f04cc86d59906513d2d62183b882966fc0ae0390",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "cd541f15b60e2257441398cf495d978f816d09f8",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
},
{
"lessThan": "5cb81eeda909dbb2def209dd10636b51549a3f8a",
"status": "affected",
"version": "e844a928431fa8f1359d1f4f2cef53d9b446bf52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n \u003cTASK\u003e\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:22.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
},
{
"url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
},
{
"url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"
},
{
"url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"
},
{
"url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
},
{
"url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
},
{
"url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"
},
{
"url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"
}
],
"title": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23458",
"datePublished": "2026-04-03T15:15:39.041Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-11T22:07:22.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23461 (GCVE-0-2026-23461)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-23 16:04
VLAI
EPSS
Title
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
conn->users. However, l2cap_register_user() and l2cap_unregister_user()
don't use conn->lock, creating a race condition where these functions can
access conn->users and conn->hchan concurrently with l2cap_conn_del().
This can lead to use-after-free and list corruption bugs, as reported
by syzbot.
Fix this by changing l2cap_register_user() and l2cap_unregister_user()
to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
for the l2cap_conn structure.
Severity
8.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
efc30877bd4bc85fefe98d80af60fafc86e5775e , < 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
(git)
Affected: f87271d21dd4ee83857ca11b94e7b4952749bbae , < c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf (git) Affected: ab4eedb790cae44313759b50fe47da285e2519d5 , < da3000cbe4851458a22be38bb18c0689c39fdd5f (git) Affected: ab4eedb790cae44313759b50fe47da285e2519d5 , < 71030f3b3015a412133a805ff47970cdcf30c2b8 (git) Affected: ab4eedb790cae44313759b50fe47da285e2519d5 , < 752a6c9596dd25efd6978a73ff21f3b592668f4a (git) Affected: 18ab6b6078fa8191ca30a3065d57bf35d5635761 (git) Affected: 6.6.84 , < 6.6.130 (semver) Affected: 6.12.20 , < 6.12.78 (semver) Affected: 6.13.8 , < 6.14 (semver) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11a87dd5df428a4b79a84d2790cac7f3c73f1f0d",
"status": "affected",
"version": "efc30877bd4bc85fefe98d80af60fafc86e5775e",
"versionType": "git"
},
{
"lessThan": "c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf",
"status": "affected",
"version": "f87271d21dd4ee83857ca11b94e7b4952749bbae",
"versionType": "git"
},
{
"lessThan": "da3000cbe4851458a22be38bb18c0689c39fdd5f",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"lessThan": "71030f3b3015a412133a805ff47970cdcf30c2b8",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"lessThan": "752a6c9596dd25efd6978a73ff21f3b592668f4a",
"status": "affected",
"version": "ab4eedb790cae44313759b50fe47da285e2519d5",
"versionType": "git"
},
{
"status": "affected",
"version": "18ab6b6078fa8191ca30a3065d57bf35d5635761",
"versionType": "git"
},
{
"lessThan": "6.6.130",
"status": "affected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThan": "6.12.78",
"status": "affected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn-\u003elock to protect access to\nconn-\u003eusers. However, l2cap_register_user() and l2cap_unregister_user()\ndon\u0027t use conn-\u003elock, creating a race condition where these functions can\naccess conn-\u003eusers and conn-\u003ehchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn-\u003elock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:04:53.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d"
},
{
"url": "https://git.kernel.org/stable/c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf"
},
{
"url": "https://git.kernel.org/stable/c/da3000cbe4851458a22be38bb18c0689c39fdd5f"
},
{
"url": "https://git.kernel.org/stable/c/71030f3b3015a412133a805ff47970cdcf30c2b8"
},
{
"url": "https://git.kernel.org/stable/c/752a6c9596dd25efd6978a73ff21f3b592668f4a"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23461",
"datePublished": "2026-04-03T15:15:41.051Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-23T16:04:53.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23462 (GCVE-0-2026-23462)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
Bluetooth: HIDP: Fix possible UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: HIDP: Fix possible UAF
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/
---truncated---
Severity
8.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/d955ccbf91ab74d76… | |
| https://git.kernel.org/stable/c/18b1263ece6431bd7… | |
| https://git.kernel.org/stable/c/21a47a119f33df9bb… | |
| https://git.kernel.org/stable/c/45ebe5b900200ac3e… | |
| https://git.kernel.org/stable/c/7c805b7d1e580eece… | |
| https://git.kernel.org/stable/c/f8b6ed2f06d3baa44… | |
| https://git.kernel.org/stable/c/4d37fa7582aa960ba… | |
| https://git.kernel.org/stable/c/dbf666e4fc9bdd975… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < d955ccbf91ab74d76fe9e4eab2846a7d8a173075
(git)
Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 18b1263ece6431bd78fa6b61faaef5281203741c (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 21a47a119f33df9bb157326846390d7e8e1b45ba (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 45ebe5b900200ac3e01f3470506a44a447825721 (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 7c805b7d1e580eececcc92470292e3dbc42bc3f5 (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < f8b6ed2f06d3baa44f347a0fa2af52433f386463 (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < 4d37fa7582aa960ba23e10a7a2596a29f37ad281 (git) Affected: b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 , < dbf666e4fc9bdd975a61bf682b3f75cb0145eedd (git) |
|
| Linux | Linux |
Affected:
3.10
Unaffected: 0 , < 3.10 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d955ccbf91ab74d76fe9e4eab2846a7d8a173075",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "18b1263ece6431bd78fa6b61faaef5281203741c",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "21a47a119f33df9bb157326846390d7e8e1b45ba",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "45ebe5b900200ac3e01f3470506a44a447825721",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "7c805b7d1e580eececcc92470292e3dbc42bc3f5",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "f8b6ed2f06d3baa44f347a0fa2af52433f386463",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "4d37fa7582aa960ba23e10a7a2596a29f37ad281",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
},
{
"lessThan": "dbf666e4fc9bdd975a61bf682b3f75cb0145eedd",
"status": "affected",
"version": "b4f34d8d9d26b2428fa7cf7c8f97690a297978e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user-\u003eremove callback is called:\n\n[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 97.809947] Call Trace:\n[ 97.809954] \u003cTASK\u003e\n[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)\n[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[ 97.810404] __fput (fs/file_table.c:470)\n[ 97.810430] task_work_run (kernel/task_work.c:235)\n[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)\n[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[ 97.810527] do_exit (kernel/exit.c:972)\n[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)\n[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 97.810721] do_group_exit (kernel/exit.c:1093)\n[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))\n[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810826] ? vfs_read (fs/read_write.c:555)\n[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)\n[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)\n[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810960] arch_do_signal_or_restart (arch/\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:27.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d955ccbf91ab74d76fe9e4eab2846a7d8a173075"
},
{
"url": "https://git.kernel.org/stable/c/18b1263ece6431bd78fa6b61faaef5281203741c"
},
{
"url": "https://git.kernel.org/stable/c/21a47a119f33df9bb157326846390d7e8e1b45ba"
},
{
"url": "https://git.kernel.org/stable/c/45ebe5b900200ac3e01f3470506a44a447825721"
},
{
"url": "https://git.kernel.org/stable/c/7c805b7d1e580eececcc92470292e3dbc42bc3f5"
},
{
"url": "https://git.kernel.org/stable/c/f8b6ed2f06d3baa44f347a0fa2af52433f386463"
},
{
"url": "https://git.kernel.org/stable/c/4d37fa7582aa960ba23e10a7a2596a29f37ad281"
},
{
"url": "https://git.kernel.org/stable/c/dbf666e4fc9bdd975a61bf682b3f75cb0145eedd"
}
],
"title": "Bluetooth: HIDP: Fix possible UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23462",
"datePublished": "2026-04-03T15:15:41.718Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-11T22:07:27.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23468 (GCVE-0-2026-23468)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-17 15:21
VLAI
EPSS
Title
drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
Userspace can pass an arbitrary number of BO list entries via the
bo_number field. Although the previous multiplication overflow check
prevents out-of-bounds allocation, a large number of entries could still
cause excessive memory allocation (up to potentially gigabytes) and
unnecessarily long list processing times.
Introduce a hard limit of 128k entries per BO list, which is more than
sufficient for any realistic use case (e.g., a single list containing all
buffers in a large scene). This prevents memory exhaustion attacks and
ensures predictable performance.
Return -EINVAL if the requested entry count exceeds the limit
(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e620378aab78d415bd8a15a2f91c145906520288
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 2723e6851309531ce61aed74e93a0cd268cc862a (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 5ce4a38e6c2488949e373d5066303f9c128db614 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 6270b1a5dab94665d7adce3dc78bc9066ed28bdd (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e620378aab78d415bd8a15a2f91c145906520288",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "2723e6851309531ce61aed74e93a0cd268cc862a",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "5ce4a38e6c2488949e373d5066303f9c128db614",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "6270b1a5dab94665d7adce3dc78bc9066ed28bdd",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:21.413Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e620378aab78d415bd8a15a2f91c145906520288"
},
{
"url": "https://git.kernel.org/stable/c/2723e6851309531ce61aed74e93a0cd268cc862a"
},
{
"url": "https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614"
},
{
"url": "https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9"
},
{
"url": "https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd"
}
],
"title": "drm/amdgpu: Limit BO list entry count to prevent resource exhaustion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23468",
"datePublished": "2026-04-03T15:15:47.207Z",
"dateReserved": "2026-01-13T15:37:46.021Z",
"dateUpdated": "2026-05-17T15:21:21.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23472 (GCVE-0-2026-23472)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
uart_write_room() and uart_write() behave inconsistently when
xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
never properly initialized):
- uart_write_room() returns kfifo_avail() which can be > 0
- uart_write() checks xmit_buf and returns 0 if NULL
This inconsistency causes an infinite loop in drivers that rely on
tty_write_room() to determine if they can write:
while (tty_write_room(tty) > 0) {
written = tty->ops->write(...);
// written is always 0, loop never exits
}
For example, caif_serial's handle_tx() enters an infinite loop when
used with PORT_UNKNOWN serial ports, causing system hangs.
Fix by making uart_write_room() also check xmit_buf and return 0 if
it's NULL, consistent with uart_write().
Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efe85a557186b7fe915572ae93a8f3f78bfd9a22
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 455ce986fa356ff43a43c0d363ba95fa152f21d5 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efe85a557186b7fe915572ae93a8f3f78bfd9a22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "455ce986fa356ff43a43c0d363ba95fa152f21d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN\n\nuart_write_room() and uart_write() behave inconsistently when\nxmit_buf is NULL (which happens for PORT_UNKNOWN ports that were\nnever properly initialized):\n\n- uart_write_room() returns kfifo_avail() which can be \u003e 0\n- uart_write() checks xmit_buf and returns 0 if NULL\n\nThis inconsistency causes an infinite loop in drivers that rely on\ntty_write_room() to determine if they can write:\n\n while (tty_write_room(tty) \u003e 0) {\n written = tty-\u003eops-\u003ewrite(...);\n // written is always 0, loop never exits\n }\n\nFor example, caif_serial\u0027s handle_tx() enters an infinite loop when\nused with PORT_UNKNOWN serial ports, causing system hangs.\n\nFix by making uart_write_room() also check xmit_buf and return 0 if\nit\u0027s NULL, consistent with uart_write().\n\nReproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:41.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efe85a557186b7fe915572ae93a8f3f78bfd9a22"
},
{
"url": "https://git.kernel.org/stable/c/bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c"
},
{
"url": "https://git.kernel.org/stable/c/455ce986fa356ff43a43c0d363ba95fa152f21d5"
}
],
"title": "serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23472",
"datePublished": "2026-04-03T15:15:51.209Z",
"dateReserved": "2026-01-13T15:37:46.022Z",
"dateUpdated": "2026-05-11T22:07:41.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31393 (GCVE-0-2026-31393)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:
- L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
4 bytes past the header (needs cmd_len >= 8).
- L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
(needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.
Severity
8.1 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/187e6fe939295be36… | |
| https://git.kernel.org/stable/c/5229e7d15771eac2b… | |
| https://git.kernel.org/stable/c/3b646516cba2ebc4b… | |
| https://git.kernel.org/stable/c/807bd1258453c4c83… | |
| https://git.kernel.org/stable/c/9aeacde4da0f02d42… | |
| https://git.kernel.org/stable/c/e7ff754e339e3d5ce… | |
| https://git.kernel.org/stable/c/db2872d054e467810… | |
| https://git.kernel.org/stable/c/dd815e6e3918dc75a… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4e8402a3f884427f9233ba436459c158d1f2e114 , < 187e6fe939295be36063a1d91f8bebee04399a8c
(git)
Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < 5229e7d15771eac2b5886bfb1f976aea0c1eec14 (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < 3b646516cba2ebc4b51a72954903326e7c1e443f (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < 807bd1258453c4c83f6ae9dbc1e7b44860ff40d0 (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < 9aeacde4da0f02d42fd968fd32f245828b230171 (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < e7ff754e339e3d5ce29aa9f95352d0186df8fbd9 (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < db2872d054e467810078e2b9f440a5b326a601b2 (git) Affected: 4e8402a3f884427f9233ba436459c158d1f2e114 , < dd815e6e3918dc75a49aaabac36e4f024d675101 (git) |
|
| Linux | Linux |
Affected:
2.6.24
Unaffected: 0 , < 2.6.24 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "187e6fe939295be36063a1d91f8bebee04399a8c",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "5229e7d15771eac2b5886bfb1f976aea0c1eec14",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "3b646516cba2ebc4b51a72954903326e7c1e443f",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "807bd1258453c4c83f6ae9dbc1e7b44860ff40d0",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "9aeacde4da0f02d42fd968fd32f245828b230171",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "e7ff754e339e3d5ce29aa9f95352d0186df8fbd9",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "db2872d054e467810078e2b9f440a5b326a601b2",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
},
{
"lessThan": "dd815e6e3918dc75a49aaabac36e4f024d675101",
"status": "affected",
"version": "4e8402a3f884427f9233ba436459c158d1f2e114",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp-\u003edata without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp-\u003edata), which reads\n 4 bytes past the header (needs cmd_len \u003e= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp-\u003edata[0], 1 byte past the header\n (needs cmd_len \u003e= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:49.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/187e6fe939295be36063a1d91f8bebee04399a8c"
},
{
"url": "https://git.kernel.org/stable/c/5229e7d15771eac2b5886bfb1f976aea0c1eec14"
},
{
"url": "https://git.kernel.org/stable/c/3b646516cba2ebc4b51a72954903326e7c1e443f"
},
{
"url": "https://git.kernel.org/stable/c/807bd1258453c4c83f6ae9dbc1e7b44860ff40d0"
},
{
"url": "https://git.kernel.org/stable/c/9aeacde4da0f02d42fd968fd32f245828b230171"
},
{
"url": "https://git.kernel.org/stable/c/e7ff754e339e3d5ce29aa9f95352d0186df8fbd9"
},
{
"url": "https://git.kernel.org/stable/c/db2872d054e467810078e2b9f440a5b326a601b2"
},
{
"url": "https://git.kernel.org/stable/c/dd815e6e3918dc75a49aaabac36e4f024d675101"
}
],
"title": "Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31393",
"datePublished": "2026-04-03T15:15:58.142Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-05-11T22:07:49.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31400 (GCVE-0-2026-31400)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
sunrpc: fix cache_request leak in cache_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix cache_request leak in cache_release
When a reader's file descriptor is closed while in the middle of reading
a cache_request (rp->offset != 0), cache_release() decrements the
request's readers count but never checks whether it should free the
request.
In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the
cache_request is removed from the queue and freed along with its buffer
and cache_head reference. cache_release() lacks this cleanup.
The only other path that frees requests with readers == 0 is
cache_dequeue(), but it runs only when CACHE_PENDING transitions from
set to clear. If that transition already happened while readers was
still non-zero, cache_dequeue() will have skipped the request, and no
subsequent call will clean it up.
Add the same cleanup logic from cache_read() to cache_release(): after
decrementing readers, check if it reached 0 with CACHE_PENDING clear,
and if so, dequeue and free the cache_request.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/1dfedb293943e4913… | |
| https://git.kernel.org/stable/c/f18c1f2a88ca91357… | |
| https://git.kernel.org/stable/c/7bcd5e318876ac638… | |
| https://git.kernel.org/stable/c/41f6ba6c98a618043… | |
| https://git.kernel.org/stable/c/301670dcd098c1fe5… | |
| https://git.kernel.org/stable/c/be5c35960e5ead708… | |
| https://git.kernel.org/stable/c/373457de14281c1fc… | |
| https://git.kernel.org/stable/c/17ad31b3a43b72aec… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1dfedb293943e491379c9302b428e6f920a73d12
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f18c1f2a88ca91357916997cdb0f7adaf14fc497 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7bcd5e318876ac638c8ceade7a648e76ac8c48e1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 41f6ba6c98a618043d2cd71030bf9a752dfab8b2 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 301670dcd098c1fe5c2fe90fb3c7a8f4814d2351 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < be5c35960e5ead70862736161836e2d1bc7352dc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 373457de14281c1fc7cace6fc4c8a267fc176673 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17ad31b3a43b72aec3a3d83605891e1397d0d065 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dfedb293943e491379c9302b428e6f920a73d12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f18c1f2a88ca91357916997cdb0f7adaf14fc497",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bcd5e318876ac638c8ceade7a648e76ac8c48e1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "41f6ba6c98a618043d2cd71030bf9a752dfab8b2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "301670dcd098c1fe5c2fe90fb3c7a8f4814d2351",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "be5c35960e5ead70862736161836e2d1bc7352dc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "373457de14281c1fc7cace6fc4c8a267fc176673",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ad31b3a43b72aec3a3d83605891e1397d0d065",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix cache_request leak in cache_release\n\nWhen a reader\u0027s file descriptor is closed while in the middle of reading\na cache_request (rp-\u003eoffset != 0), cache_release() decrements the\nrequest\u0027s readers count but never checks whether it should free the\nrequest.\n\nIn cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the\ncache_request is removed from the queue and freed along with its buffer\nand cache_head reference. cache_release() lacks this cleanup.\n\nThe only other path that frees requests with readers == 0 is\ncache_dequeue(), but it runs only when CACHE_PENDING transitions from\nset to clear. If that transition already happened while readers was\nstill non-zero, cache_dequeue() will have skipped the request, and no\nsubsequent call will clean it up.\n\nAdd the same cleanup logic from cache_read() to cache_release(): after\ndecrementing readers, check if it reached 0 with CACHE_PENDING clear,\nand if so, dequeue and free the cache_request."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:57.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dfedb293943e491379c9302b428e6f920a73d12"
},
{
"url": "https://git.kernel.org/stable/c/f18c1f2a88ca91357916997cdb0f7adaf14fc497"
},
{
"url": "https://git.kernel.org/stable/c/7bcd5e318876ac638c8ceade7a648e76ac8c48e1"
},
{
"url": "https://git.kernel.org/stable/c/41f6ba6c98a618043d2cd71030bf9a752dfab8b2"
},
{
"url": "https://git.kernel.org/stable/c/301670dcd098c1fe5c2fe90fb3c7a8f4814d2351"
},
{
"url": "https://git.kernel.org/stable/c/be5c35960e5ead70862736161836e2d1bc7352dc"
},
{
"url": "https://git.kernel.org/stable/c/373457de14281c1fc7cace6fc4c8a267fc176673"
},
{
"url": "https://git.kernel.org/stable/c/17ad31b3a43b72aec3a3d83605891e1397d0d065"
}
],
"title": "sunrpc: fix cache_request leak in cache_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31400",
"datePublished": "2026-04-03T15:16:03.906Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:07:57.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31402 (GCVE-0-2026-31402)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Severity
9.8 (Critical)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/f9fcb4441f6c02bb2… | |
| https://git.kernel.org/stable/c/c9452c0797c95cf23… | |
| https://git.kernel.org/stable/c/8afb437ea1f70cacb… | |
| https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6e… | |
| https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad… | |
| https://git.kernel.org/stable/c/ae8498337dfdfda71… | |
| https://git.kernel.org/stable/c/5133b61aaf437e5f2… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9fcb4441f6c02bb20c2eb340101e27dfe23607c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9452c0797c95cf2378170df96cf4f4b3bca7eff (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f0e2a54a31a7f9ad2915db99156114872317388 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8498337dfdfda71bdd0b807c9a23a126011d76 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5133b61aaf437e5f25b1b396b14242a6bb0508e2 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:00.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
},
{
"url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
},
{
"url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
},
{
"url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
},
{
"url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
},
{
"url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
},
{
"url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
}
],
"title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31402",
"datePublished": "2026-04-03T15:16:05.724Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:00.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31403 (GCVE-0-2026-31403)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
The /proc/fs/nfs/exports proc entry is created at module init
and persists for the module's lifetime. exports_proc_open()
captures the caller's current network namespace and stores
its svc_export_cache in seq->private, but takes no reference
on the namespace. If the namespace is subsequently torn down
(e.g. container destruction after the opener does setns() to a
different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
which frees the cache. Subsequent reads on the still-open fd
dereference the freed cache_detail, walking a freed hash table.
Hold a reference on the struct net for the lifetime of the open
file descriptor. This prevents nfsd_net_exit() from running --
and thus prevents nfsd_export_shutdown() from freeing the cache
-- while any exports fd is open. cache_detail already stores
its net pointer (cd->net, set by cache_create_net()), so
exports_release() can retrieve it without additional per-file
storage.
Severity
7.8 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/76740c28050dc6db2… | |
| https://git.kernel.org/stable/c/c7f406fb341d67476… | |
| https://git.kernel.org/stable/c/d1a19217995df9c7e… | |
| https://git.kernel.org/stable/c/e3d77f935639e6ae4… | |
| https://git.kernel.org/stable/c/db4a9f99b12a7ee1c… | |
| https://git.kernel.org/stable/c/6a8d70e2ad6aad2c3… | |
| https://git.kernel.org/stable/c/e7fcf179b82d3a373… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < 76740c28050dc6db2f5550f1325b00a11bbb3255
(git)
Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < c7f406fb341d6747634b8b1fa5461656e5e56076 (git) Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < d1a19217995df9c7e4118f5a2820c5032fef2945 (git) Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < e3d77f935639e6ae4b381c80464c31df998d61f4 (git) Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6 (git) Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < 6a8d70e2ad6aad2c345a5048edcb8168036f97d6 (git) Affected: 96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 , < e7fcf179b82d3a3730fd8615da01b087cc654d0b (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76740c28050dc6db2f5550f1325b00a11bbb3255",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "c7f406fb341d6747634b8b1fa5461656e5e56076",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "d1a19217995df9c7e4118f5a2820c5032fef2945",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e3d77f935639e6ae4b381c80464c31df998d61f4",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "6a8d70e2ad6aad2c345a5048edcb8168036f97d6",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
},
{
"lessThan": "e7fcf179b82d3a3730fd8615da01b087cc654d0b",
"status": "affected",
"version": "96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module\u0027s lifetime. exports_proc_open()\ncaptures the caller\u0027s current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:01.908Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76740c28050dc6db2f5550f1325b00a11bbb3255"
},
{
"url": "https://git.kernel.org/stable/c/c7f406fb341d6747634b8b1fa5461656e5e56076"
},
{
"url": "https://git.kernel.org/stable/c/d1a19217995df9c7e4118f5a2820c5032fef2945"
},
{
"url": "https://git.kernel.org/stable/c/e3d77f935639e6ae4b381c80464c31df998d61f4"
},
{
"url": "https://git.kernel.org/stable/c/db4a9f99b12a7ee1c19d86c83a3b752c7effa6c6"
},
{
"url": "https://git.kernel.org/stable/c/6a8d70e2ad6aad2c345a5048edcb8168036f97d6"
},
{
"url": "https://git.kernel.org/stable/c/e7fcf179b82d3a3730fd8615da01b087cc654d0b"
}
],
"title": "NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31403",
"datePublished": "2026-04-03T15:16:06.444Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:01.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31407 (GCVE-0-2026-31407)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:38 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
netfilter: conntrack: add missing netlink policy validations
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: add missing netlink policy validations
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
Severity
7.1 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a258860e01b80e8f554a4ab1a6c95e6042eb8b73 , < c5e918390002edf0cff80a0e7ce1f86f16a9507c
(git)
Affected: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 , < 9174d28f3f15d8c4962f5980c0be167633880443 (git) Affected: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 , < 67c53c1978cef3c504237275e39c857e2f6af56e (git) Affected: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 , < 0fbae1e74493d5a160a70c51aeba035d8266ea7d (git) Affected: a258860e01b80e8f554a4ab1a6c95e6042eb8b73 , < f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 (git) |
|
| Linux | Linux |
Affected:
2.6.27
Unaffected: 0 , < 2.6.27 (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.83 , ≤ 6.12.* (semver) Unaffected: 6.18.24 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_sctp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5e918390002edf0cff80a0e7ce1f86f16a9507c",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "9174d28f3f15d8c4962f5980c0be167633880443",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "67c53c1978cef3c504237275e39c857e2f6af56e",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "0fbae1e74493d5a160a70c51aeba035d8266ea7d",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
},
{
"lessThan": "f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05",
"status": "affected",
"version": "a258860e01b80e8f554a4ab1a6c95e6042eb8b73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c",
"net/netfilter/nf_conntrack_proto_sctp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct-\u003eproto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp-\u003edir = 100, the access at\n ct-\u003emaster-\u003etuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:06.853Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c"
},
{
"url": "https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443"
},
{
"url": "https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e"
},
{
"url": "https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d"
},
{
"url": "https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05"
}
],
"title": "netfilter: conntrack: add missing netlink policy validations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31407",
"datePublished": "2026-04-06T07:38:19.712Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:06.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…