Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0664
Vulnerability from certfr_avis - Published: 2026-05-29 - Updated: 2026-05-29
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Micro 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | N/A | SUSE Linux Micro Extras 6.1 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP applications 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Micro 6.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Micro 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro Extras 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-23269",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23269"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-23293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23293"
},
{
"name": "CVE-2023-20585",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20585"
},
{
"name": "CVE-2026-23290",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23290"
},
{
"name": "CVE-2026-31787",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31787"
},
{
"name": "CVE-2026-23468",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23468"
},
{
"name": "CVE-2026-23461",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23461"
},
{
"name": "CVE-2026-23340",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23340"
},
{
"name": "CVE-2026-31738",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31738"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43025",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43025"
},
{
"name": "CVE-2026-23268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23268"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2026-31524",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31524"
},
{
"name": "CVE-2026-23209",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23209"
},
{
"name": "CVE-2026-31681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
},
{
"name": "CVE-2026-23456",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23456"
},
{
"name": "CVE-2026-23457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23457"
},
{
"name": "CVE-2026-31496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31496"
},
{
"name": "CVE-2026-23408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23408"
},
{
"name": "CVE-2026-43334",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43334"
},
{
"name": "CVE-2026-23391",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23391"
},
{
"name": "CVE-2026-23462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23462"
},
{
"name": "CVE-2026-23273",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23273"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2024-50082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50082"
},
{
"name": "CVE-2026-43264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43264"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-23472",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23472"
},
{
"name": "CVE-2025-71108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71108"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-23216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23216"
},
{
"name": "CVE-2026-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43437"
},
{
"name": "CVE-2026-31675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31675"
},
{
"name": "CVE-2026-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23193"
},
{
"name": "CVE-2026-43126",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43126"
},
{
"name": "CVE-2026-31403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31403"
},
{
"name": "CVE-2026-31400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31400"
},
{
"name": "CVE-2026-31512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31512"
},
{
"name": "CVE-2026-31504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31504"
},
{
"name": "CVE-2025-71118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71118"
},
{
"name": "CVE-2026-31607",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
},
{
"name": "CVE-2026-23405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23405"
},
{
"name": "CVE-2026-23403",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23403"
},
{
"name": "CVE-2026-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43190"
},
{
"name": "CVE-2026-23292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23292"
},
{
"name": "CVE-2022-50053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50053"
},
{
"name": "CVE-2026-23455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23455"
},
{
"name": "CVE-2026-43110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43110"
},
{
"name": "CVE-2026-31507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31507"
},
{
"name": "CVE-2026-46333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46333"
},
{
"name": "CVE-2026-31411",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31411"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-23449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23449"
},
{
"name": "CVE-2026-23442",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23442"
},
{
"name": "CVE-2026-23458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23458"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31393"
},
{
"name": "CVE-2026-23404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23404"
},
{
"name": "CVE-2026-23378",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23378"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2026-31700",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
},
{
"name": "CVE-2026-23312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23312"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
},
{
"name": "CVE-2026-31407",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31407"
},
{
"name": "CVE-2026-31602",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31602"
},
{
"name": "CVE-2026-31425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31425"
},
{
"name": "CVE-2025-71238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71238"
},
{
"name": "CVE-2026-43255",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43255"
},
{
"name": "CVE-2026-23276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23276"
},
{
"name": "CVE-2026-43088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43088"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-29T00:00:00",
"last_revision_date": "2026-05-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0664",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21818-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621818-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21816-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621816-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621720-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621720-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21775-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621775-1"
},
{
"published_at": "2026-05-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2068-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262068-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21771-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621771-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21777-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621777-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21772-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621772-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21743-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621743-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621721-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621721-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21774-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621774-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21766-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621766-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21767-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621767-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621723-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621723-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21817-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621817-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21765-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621765-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21745-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621745-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21778-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621778-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21734-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621734-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621719-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621719-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21773-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621773-1"
},
{
"published_at": "2026-05-18",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21776-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621776-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE suse-su-202621724-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621724-1"
},
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:21735-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621735-1"
}
]
}
CVE-2026-31685 (GCVE-0-2026-31685)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-06-01 16:13
VLAI
EPSS
VEX
Title
netfilter: ip6t_eui64: reject invalid MAC header for all packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Severity
9.4 (Critical)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/4d75bc2cd093bf580… | |
| https://git.kernel.org/stable/c/7d6a57411caf54df0… | |
| https://git.kernel.org/stable/c/d5603591373441fec… | |
| https://git.kernel.org/stable/c/288138418bef956f8… | |
| https://git.kernel.org/stable/c/9eda5478746ef7dc0… | |
| https://git.kernel.org/stable/c/807d6ee15804df6f0… | |
| https://git.kernel.org/stable/c/309ae3e9a51a69699… | |
| https://git.kernel.org/stable/c/fdce0b3590f724540… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4d75bc2cd093bf5803edf512c099bfb220fd6459
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d6a57411caf54df025860c9b1a82cd42d57a562 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d5603591373441fecf9951833d6d873e09320f08 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 288138418bef956f8b295751a4536c60f0e89f4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 807d6ee15804df6f01a35c910f09612e858739a6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 309ae3e9a51a69699ca94eac5fac5688fa562d55 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fdce0b3590f724540795b874b4c8850c90e6b0a8 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.83 , ≤ 6.12.* (semver) Unaffected: 6.18.24 , ≤ 6.18.* (semver) Unaffected: 6.19.14 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d75bc2cd093bf5803edf512c099bfb220fd6459",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d6a57411caf54df025860c9b1a82cd42d57a562",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5603591373441fecf9951833d6d873e09320f08",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "288138418bef956f8b295751a4536c60f0e89f4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9eda5478746ef7dc0e4e537b5a5e4b0ca1027091",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "807d6ee15804df6f01a35c910f09612e858739a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "309ae3e9a51a69699ca94eac5fac5688fa562d55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdce0b3590f724540795b874b4c8850c90e6b0a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:13:27.308Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d75bc2cd093bf5803edf512c099bfb220fd6459"
},
{
"url": "https://git.kernel.org/stable/c/7d6a57411caf54df025860c9b1a82cd42d57a562"
},
{
"url": "https://git.kernel.org/stable/c/d5603591373441fecf9951833d6d873e09320f08"
},
{
"url": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a"
},
{
"url": "https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091"
},
{
"url": "https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6"
},
{
"url": "https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55"
},
{
"url": "https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8"
}
],
"title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31685",
"datePublished": "2026-04-25T08:47:02.857Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-06-01T16:13:27.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31700 (GCVE-0-2026-31700)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-06-19 11:57
VLAI
EPSS
VEX
Title
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.
The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.
Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.
Severity
7.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/0f4c9754956b86de1… | |
| https://git.kernel.org/stable/c/714aa973da8163925… | |
| https://git.kernel.org/stable/c/1490f82353bdabc09… | |
| https://git.kernel.org/stable/c/74e2db36fe50e3ad9… | |
| https://git.kernel.org/stable/c/3a1bf9116ea31470b… | |
| https://git.kernel.org/stable/c/28324a3b62d9ce7f9… | |
| https://git.kernel.org/stable/c/48a6ef291a17639e1… | |
| https://git.kernel.org/stable/c/2c054e17d9d41f102… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1d036d25e5609ba73fee6a88db01c306b140d512 , < 0f4c9754956b86de158a4af5278c5cf5bda9439e
(git)
Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 714aa973da8163925eda7efd49361ccbee21ee46 (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 1490f82353bdabc09265a74e645b07f05cf4188e (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121 (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 3a1bf9116ea31470b89692585c3910dfe830dcdd (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27 (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b (git) Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 2c054e17d9d41f1020376806c7f750834ced4dc5 (git) |
|
| Linux | Linux |
Affected:
4.6
Unaffected: 0 , < 4.6 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.84 , ≤ 6.12.* (semver) Unaffected: 6.18.25 , ≤ 6.18.* (semver) Unaffected: 7.0.2 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f4c9754956b86de158a4af5278c5cf5bda9439e",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "714aa973da8163925eda7efd49361ccbee21ee46",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "1490f82353bdabc09265a74e645b07f05cf4188e",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "3a1bf9116ea31470b89692585c3910dfe830dcdd",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "28324a3b62d9ce7f9bdd65a8ce63f382041d1b27",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "2c054e17d9d41f1020376806c7f750834ced4dc5",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap\u0027d TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap\u0027d ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:51.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f4c9754956b86de158a4af5278c5cf5bda9439e"
},
{
"url": "https://git.kernel.org/stable/c/714aa973da8163925eda7efd49361ccbee21ee46"
},
{
"url": "https://git.kernel.org/stable/c/1490f82353bdabc09265a74e645b07f05cf4188e"
},
{
"url": "https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"
},
{
"url": "https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd"
},
{
"url": "https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27"
},
{
"url": "https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b"
},
{
"url": "https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5"
}
],
"title": "net/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31700",
"datePublished": "2026-05-01T13:56:00.205Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-06-19T11:57:51.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31738 (GCVE-0-2026-31738)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-23 16:05
VLAI
EPSS
VEX
Title
vxlan: validate ND option lengths in vxlan_na_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
vxlan: validate ND option lengths in vxlan_na_create
vxlan_na_create() walks ND options according to option-provided
lengths. A malformed option can make the parser advance beyond the
computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/901c1dd3bab2955d7… | |
| https://git.kernel.org/stable/c/e476745917a1e288e… | |
| https://git.kernel.org/stable/c/2029712fb2c87e9a8… | |
| https://git.kernel.org/stable/c/602596c69a70e50d9… | |
| https://git.kernel.org/stable/c/de20d2e3b9179d132… | |
| https://git.kernel.org/stable/c/eddfce70a6f3107d1… | |
| https://git.kernel.org/stable/c/b69c4236255bd8de1… | |
| https://git.kernel.org/stable/c/afa9a05e6c4971bd5… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 901c1dd3bab2955d7e664f914c374c8c3ac2b958
(git)
Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < e476745917a1e288eb15e7ff49d286a86a4861d3 (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 2029712fb2c87e9a8c75094906f2ee29bf08c500 (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < 602596c69a70e50d9ab8c6ae0290a01f88229dd7 (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < de20d2e3b9179d132f5f5b44e490d7c916c6321b (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < eddfce70a6f3107d1679b0c2fcbeb96b593bd679 (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < b69c4236255bd8de16cd876e58c6f0867d1d78b1 (git) Affected: 4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa , < afa9a05e6c4971bd5586f1b304e14d61fb3d9385 (git) Affected: d8be18c52dbc94989f6d74637b731af39cd3d902 (git) Affected: 3927dace523706cc00f808520eaf2125dd7c07b5 (git) Affected: 3.12.18 , < 3.13 (semver) Affected: 3.13.10 , < 3.14 (semver) |
|
| Linux | Linux |
Affected:
3.14
Unaffected: 0 , < 3.14 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "901c1dd3bab2955d7e664f914c374c8c3ac2b958",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "e476745917a1e288eb15e7ff49d286a86a4861d3",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "2029712fb2c87e9a8c75094906f2ee29bf08c500",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "602596c69a70e50d9ab8c6ae0290a01f88229dd7",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "de20d2e3b9179d132f5f5b44e490d7c916c6321b",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "eddfce70a6f3107d1679b0c2fcbeb96b593bd679",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "b69c4236255bd8de16cd876e58c6f0867d1d78b1",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"lessThan": "afa9a05e6c4971bd5586f1b304e14d61fb3d9385",
"status": "affected",
"version": "4b29dba9c085a4fb79058fb1c45a2f6257ca3dfa",
"versionType": "git"
},
{
"status": "affected",
"version": "d8be18c52dbc94989f6d74637b731af39cd3d902",
"versionType": "git"
},
{
"status": "affected",
"version": "3927dace523706cc00f808520eaf2125dd7c07b5",
"versionType": "git"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.18",
"versionType": "semver"
},
{
"lessThan": "3.14",
"status": "affected",
"version": "3.13.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vxlan/vxlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: validate ND option lengths in vxlan_na_create\n\nvxlan_na_create() walks ND options according to option-provided\nlengths. A malformed option can make the parser advance beyond the\ncomputed option span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:05:52.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/901c1dd3bab2955d7e664f914c374c8c3ac2b958"
},
{
"url": "https://git.kernel.org/stable/c/e476745917a1e288eb15e7ff49d286a86a4861d3"
},
{
"url": "https://git.kernel.org/stable/c/2029712fb2c87e9a8c75094906f2ee29bf08c500"
},
{
"url": "https://git.kernel.org/stable/c/602596c69a70e50d9ab8c6ae0290a01f88229dd7"
},
{
"url": "https://git.kernel.org/stable/c/de20d2e3b9179d132f5f5b44e490d7c916c6321b"
},
{
"url": "https://git.kernel.org/stable/c/eddfce70a6f3107d1679b0c2fcbeb96b593bd679"
},
{
"url": "https://git.kernel.org/stable/c/b69c4236255bd8de16cd876e58c6f0867d1d78b1"
},
{
"url": "https://git.kernel.org/stable/c/afa9a05e6c4971bd5586f1b304e14d61fb3d9385"
}
],
"title": "vxlan: validate ND option lengths in vxlan_na_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31738",
"datePublished": "2026-05-01T14:14:34.900Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-23T16:05:52.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI
EPSS
VEX
Title
xen/privcmd: fix double free via VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Severity
No CVSS data available.
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/dbf862ce9f009128a… | |
| https://git.kernel.org/stable/c/2b985d3a024b9e8c2… | |
| https://git.kernel.org/stable/c/1576ff3869cbd3620… | |
| https://git.kernel.org/stable/c/402d84ad9e89bd4cb… | |
| https://git.kernel.org/stable/c/2894a351fe2ea8684… | |
| https://git.kernel.org/stable/c/446ee446d9ae66f36… | |
| https://git.kernel.org/stable/c/71bf829800758a6e3… | |
| https://git.kernel.org/stable/c/24daca4fc07f3ff8c… | |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| http://xenbits.xen.org/xsa/advisory-487.html |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d71f513985c22f1050295d1a7e4327cf9fb060da , < dbf862ce9f009128ab86b234d91413a3e450beb4
(git)
Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2b985d3a024b9e8c24e21671b34e855569763808 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 1576ff3869cbd3620717195f971c85b7d7fd62b5 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 402d84ad9e89bd4cbfd07ca8598532b7021daf95 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2894a351fe2ea8684919d36df3188b9a35e3926f (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 71bf829800758a6e3889096e4754ef47ba7fc850 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 24daca4fc07f3ff8cd0e3f629cd982187f48436a (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.254 , ≤ 5.10.* (semver) Unaffected: 5.15.204 , ≤ 5.15.* (semver) Unaffected: 6.1.170 , ≤ 6.1.* (semver) Unaffected: 6.6.137 , ≤ 6.6.* (semver) Unaffected: 6.12.85 , ≤ 6.12.* (semver) Unaffected: 6.18.26 , ≤ 6.18.* (semver) Unaffected: 7.0.3 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:41.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:41.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43025 (GCVE-0-2026-43025)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-07-14 12:49
VLAI
EPSS
VEX
Title
netfilter: ctnetlink: ignore explicit helper on new expectations
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ignore explicit helper on new expectations
Use the existing master conntrack helper, anything else is not really
supported and it just makes validation more complicated, so just ignore
what helper userspace suggests for this expectation.
This was uncovered when validating CTA_EXPECT_CLASS via different helper
provided by userspace than the existing master conntrack helper:
BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
nf_ct_expect_related_report+0x2479/0x27c0
ctnetlink_create_expect+0x22b/0x3b0
ctnetlink_new_expect+0x4bd/0x5c0
nfnetlink_rcv_msg+0x67a/0x950
netlink_rcv_skb+0x120/0x350
Allowing to read kernel memory bytes off the expectation boundary.
CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace
via netlink dump.
Severity
7.3 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e135f8e8212cbed12… | |
| https://git.kernel.org/stable/c/2ea0f35f235f70c13… | |
| https://git.kernel.org/stable/c/0f6c33697ccfac649… | |
| https://git.kernel.org/stable/c/187b6ec5229ea93cb… | |
| https://git.kernel.org/stable/c/21a04c31db4057dee… | |
| https://git.kernel.org/stable/c/917b61fa2042f11e2… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
bd0779370588386e4a67ba5d0b176cfded8e6a53 , < e135f8e8212cbed12a03ab8dec77fa1247139897
(git)
Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53 , < 2ea0f35f235f70c133ad61fe05ba013753b978c6 (git) Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53 , < 0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd (git) Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53 , < 187b6ec5229ea93cb04c4f6d3b52efc80f513d0d (git) Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53 , < 21a04c31db4057deec85fcd6cc63d720b38819c3 (git) Affected: bd0779370588386e4a67ba5d0b176cfded8e6a53 , < 917b61fa2042f11e2af4c428e43f08199586633a (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.6 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.6 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.6 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.6",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.6",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.6",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.6",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.6",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:49:00.048Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e135f8e8212cbed12a03ab8dec77fa1247139897",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "2ea0f35f235f70c133ad61fe05ba013753b978c6",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "187b6ec5229ea93cb04c4f6d3b52efc80f513d0d",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "21a04c31db4057deec85fcd6cc63d720b38819c3",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
},
{
"lessThan": "917b61fa2042f11e2af4c428e43f08199586633a",
"status": "affected",
"version": "bd0779370588386e4a67ba5d0b176cfded8e6a53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:15.671Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897"
},
{
"url": "https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6"
},
{
"url": "https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd"
},
{
"url": "https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d"
},
{
"url": "https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3"
},
{
"url": "https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a"
}
],
"title": "netfilter: ctnetlink: ignore explicit helper on new expectations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43025",
"datePublished": "2026-05-01T14:15:27.103Z",
"dateReserved": "2026-05-01T14:12:55.976Z",
"dateUpdated": "2026-07-14T12:49:00.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43088 (GCVE-0-2026-43088)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-19 11:58
VLAI
EPSS
VEX
Title
net: af_key: zero aligned sockaddr tail in PF_KEY exports
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: af_key: zero aligned sockaddr tail in PF_KEY exports
PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.
Not every PF_KEY message is affected. The state and policy dump builders
already zero the whole message buffer before filling the sockaddr
payloads. Keep the fix to the export paths that still append aligned
sockaddr payloads with plain `skb_put()`:
- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`
Fix those paths by clearing only the aligned sockaddr tail after
`pfkey_sockaddr_fill()`.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3c19cb8a84ef709d57943bd6664cf31cb91ba6ec
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 11cbf294bac623bd57296f231199193087f57b4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < edd446ee7cd3d02cac246168063d5b3e9ea68460 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2e74f974359b5382ecbe8536abbb5b837eb6c724 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 426c355742f02cf743b347d9d7dbdc1bfbfa31ef (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 6.19.14 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c19cb8a84ef709d57943bd6664cf31cb91ba6ec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11cbf294bac623bd57296f231199193087f57b4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edd446ee7cd3d02cac246168063d5b3e9ea68460",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2e74f974359b5382ecbe8536abbb5b837eb6c724",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "426c355742f02cf743b347d9d7dbdc1bfbfa31ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/key/af_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_key: zero aligned sockaddr tail in PF_KEY exports\n\nPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr\npayload space, so IPv6 addresses occupy 32 bytes on the wire. However,\n`pfkey_sockaddr_fill()` initializes only the first 28 bytes of\n`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.\n\nNot every PF_KEY message is affected. The state and policy dump builders\nalready zero the whole message buffer before filling the sockaddr\npayloads. Keep the fix to the export paths that still append aligned\nsockaddr payloads with plain `skb_put()`:\n\n - `SADB_ACQUIRE`\n - `SADB_X_NAT_T_NEW_MAPPING`\n - `SADB_X_MIGRATE`\n\nFix those paths by clearing only the aligned sockaddr tail after\n`pfkey_sockaddr_fill()`."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:13.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c19cb8a84ef709d57943bd6664cf31cb91ba6ec"
},
{
"url": "https://git.kernel.org/stable/c/11cbf294bac623bd57296f231199193087f57b4a"
},
{
"url": "https://git.kernel.org/stable/c/edd446ee7cd3d02cac246168063d5b3e9ea68460"
},
{
"url": "https://git.kernel.org/stable/c/2e74f974359b5382ecbe8536abbb5b837eb6c724"
},
{
"url": "https://git.kernel.org/stable/c/426c355742f02cf743b347d9d7dbdc1bfbfa31ef"
}
],
"title": "net: af_key: zero aligned sockaddr tail in PF_KEY exports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43088",
"datePublished": "2026-05-06T07:40:21.962Z",
"dateReserved": "2026-05-01T14:12:55.983Z",
"dateUpdated": "2026-06-19T11:58:13.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43110 (GCVE-0-2026-43110)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-01 16:14
VLAI
EPSS
VEX
Title
wifi: brcmfmac: validate bsscfg indices in IF events
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
Severity
8.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/b329fbcf075949a03… | |
| https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5e… | |
| https://git.kernel.org/stable/c/9c81bcc2c695e0082… | |
| https://git.kernel.org/stable/c/3ec7437e9d1137410… | |
| https://git.kernel.org/stable/c/9fca68c2512a362ca… | |
| https://git.kernel.org/stable/c/1ae1e1caa428844e4… | |
| https://git.kernel.org/stable/c/b427c2b05222db36d… | |
| https://git.kernel.org/stable/c/304950a467d83678b… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2880b86859967af710c72f7d34fb421a86a71e22 , < b329fbcf075949a038045d8e9b86ae3d5bbd8a54
(git)
Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9c81bcc2c695e0082012a2a3d36a0eefaa51579c (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 3ec7437e9d11374105c2c4e47ae671537729d7e6 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9fca68c2512a362cad258e4df12a307bb2ee4b8e (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 1ae1e1caa428844e481231f6dbe9b4f475f1d52d (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < b427c2b05222db36d32ee141609de6128e9091bb (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 304950a467d83678bd0b0f46331882e2ac23b12d (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.83 , ≤ 6.12.* (semver) Unaffected: 6.18.24 , ≤ 6.18.* (semver) Unaffected: 6.19.14 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b329fbcf075949a038045d8e9b86ae3d5bbd8a54",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9c81bcc2c695e0082012a2a3d36a0eefaa51579c",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "3ec7437e9d11374105c2c4e47ae671537729d7e6",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9fca68c2512a362cad258e4df12a307bb2ee4b8e",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "1ae1e1caa428844e481231f6dbe9b4f475f1d52d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "b427c2b05222db36d32ee141609de6128e9091bb",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "304950a467d83678bd0b0f46331882e2ac23b12d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr-\u003eiflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr-\u003eiflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:14:59.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b329fbcf075949a038045d8e9b86ae3d5bbd8a54"
},
{
"url": "https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734"
},
{
"url": "https://git.kernel.org/stable/c/9c81bcc2c695e0082012a2a3d36a0eefaa51579c"
},
{
"url": "https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6"
},
{
"url": "https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e"
},
{
"url": "https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d"
},
{
"url": "https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb"
},
{
"url": "https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d"
}
],
"title": "wifi: brcmfmac: validate bsscfg indices in IF events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43110",
"datePublished": "2026-05-06T07:40:37.250Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-01T16:14:59.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43126 (GCVE-0-2026-43126)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18
VLAI
EPSS
VEX
Title
ALSA: mixer: oss: Add card disconnect checkpoints
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: mixer: oss: Add card disconnect checkpoints
ALSA OSS mixer layer calls the kcontrol ops rather individually, and
pending calls might be not always caught at disconnecting the device.
For avoiding the potential UAF scenarios, add sanity checks of the
card disconnection at each entry point of OSS mixer accesses. The
rwsem is taken just before that check, hence the rest context should
be covered by that properly.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae583f113d15fa97e5234133c20d09f8e6214e47
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e6645e625480cdf1079a4265f758d13b70721029 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8c097cf736993454acf3f711a3b376d6c7ad8965 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 084d5d44418148662365eced3e126ad1a81ee3e2 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/oss/mixer_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae583f113d15fa97e5234133c20d09f8e6214e47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6645e625480cdf1079a4265f758d13b70721029",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8c097cf736993454acf3f711a3b376d6c7ad8965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "084d5d44418148662365eced3e126ad1a81ee3e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/oss/mixer_oss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mixer: oss: Add card disconnect checkpoints\n\nALSA OSS mixer layer calls the kcontrol ops rather individually, and\npending calls might be not always caught at disconnecting the device.\n\nFor avoiding the potential UAF scenarios, add sanity checks of the\ncard disconnection at each entry point of OSS mixer accesses. The\nrwsem is taken just before that check, hence the rest context should\nbe covered by that properly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:18:15.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47"
},
{
"url": "https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029"
},
{
"url": "https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965"
},
{
"url": "https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2"
}
],
"title": "ALSA: mixer: oss: Add card disconnect checkpoints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43126",
"datePublished": "2026-05-06T11:27:15.765Z",
"dateReserved": "2026-05-01T14:12:55.988Z",
"dateUpdated": "2026-05-11T22:18:15.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43190 (GCVE-0-2026-43190)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:19
VLAI
EPSS
VEX
Title
netfilter: xt_tcpmss: check remaining length before reading optlen
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_tcpmss: check remaining length before reading optlen
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Severity
8.2 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/f895191dc32c53eaf… | |
| https://git.kernel.org/stable/c/cd5beda7e0e32865e… | |
| https://git.kernel.org/stable/c/eaedc0bc18be46fe7… | |
| https://git.kernel.org/stable/c/07a9b32eaae792ff7… | |
| https://git.kernel.org/stable/c/8b300f726640c48c3… | |
| https://git.kernel.org/stable/c/5e13d0a37666955b6… | |
| https://git.kernel.org/stable/c/f6c412dcfd76b0516… | |
| https://git.kernel.org/stable/c/735ee8582da3d239e… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f895191dc32c53eaf443b6443fe40945b2f92287
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cd5beda7e0e32865e214f28034bb92c1cecff885 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eaedc0bc18be46fe7f58170e967959a932c4f824 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8b300f726640c48c3edfe9c453334dd801f4b74e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e13d0a37666955b6cfddc0f73cb40ed645b8a05 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6c412dcfd76b0516d51aa847d8f4c7b70381b09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 735ee8582da3d239eb0c7a53adca61b79fb228b3 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f895191dc32c53eaf443b6443fe40945b2f92287",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd5beda7e0e32865e214f28034bb92c1cecff885",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eaedc0bc18be46fe7f58170e967959a932c4f824",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07a9b32eaae792ff7d0fcac14d8920c937c0a9c3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8b300f726640c48c3edfe9c453334dd801f4b74e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e13d0a37666955b6cfddc0f73cb40ed645b8a05",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6c412dcfd76b0516d51aa847d8f4c7b70381b09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "735ee8582da3d239eb0c7a53adca61b79fb228b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_tcpmss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n to index op[i+1]. In the case where i + 1 == optlen, this causes an\n out-of-bounds read, accessing memory past the optlen boundary\n (either reading beyond the stack buffer _opt or the\n following payload)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:35.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287"
},
{
"url": "https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885"
},
{
"url": "https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824"
},
{
"url": "https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3"
},
{
"url": "https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e"
},
{
"url": "https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05"
},
{
"url": "https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09"
},
{
"url": "https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3"
}
],
"title": "netfilter: xt_tcpmss: check remaining length before reading optlen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43190",
"datePublished": "2026-05-06T11:27:59.798Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:35.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43255 (GCVE-0-2026-43255)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:21
VLAI
EPSS
VEX
Title
wifi: libertas: fix WARNING in usb_tx_block
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix WARNING in usb_tx_block
The function usb_tx_block() submits cardp->tx_urb without ensuring that
any previous transmission on this URB has completed. If a second call
occurs while the URB is still active (e.g. during rapid firmware loading),
usb_submit_urb() detects the active state and triggers a warning:
'URB submitted while active'.
Fix this by enforcing serialization: call usb_kill_urb() before
submitting the new request. This ensures the URB is idle and safe to reuse.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/498525d8358d6d209… | |
| https://git.kernel.org/stable/c/2902a9b4415a6bafc… | |
| https://git.kernel.org/stable/c/948a39c95d0f8d737… | |
| https://git.kernel.org/stable/c/5bfb25495e391a1be… | |
| https://git.kernel.org/stable/c/b82073564373e68c6… | |
| https://git.kernel.org/stable/c/3308c7504e093b22e… | |
| https://git.kernel.org/stable/c/fc188b44547dea4e7… | |
| https://git.kernel.org/stable/c/d66676e6ca96bf868… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < 498525d8358d6d20918787e59736d5b6a021e9fd
(git)
Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < 2902a9b4415a6bafc9b1e5dd360f065d757a0bb7 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < 948a39c95d0f8d73722910f8cdb7b6e3e9206232 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < 5bfb25495e391a1be0db94b15715174fa06b93a1 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < b82073564373e68c6ae3a96039fae14cd002a496 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < 3308c7504e093b22e91a4468470309cee2e26b83 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < fc188b44547dea4e7350833171982a6312befde9 (git) Affected: 876c9d3aeb989cf1961f2c228d309ba5dcfb1172 , < d66676e6ca96bf8680f869a9bd6573b26c634622 (git) |
|
| Linux | Linux |
Affected:
2.6.22
Unaffected: 0 , < 2.6.22 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "498525d8358d6d20918787e59736d5b6a021e9fd",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "2902a9b4415a6bafc9b1e5dd360f065d757a0bb7",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "948a39c95d0f8d73722910f8cdb7b6e3e9206232",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "5bfb25495e391a1be0db94b15715174fa06b93a1",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "b82073564373e68c6ae3a96039fae14cd002a496",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "3308c7504e093b22e91a4468470309cee2e26b83",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "fc188b44547dea4e7350833171982a6312befde9",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
},
{
"lessThan": "d66676e6ca96bf8680f869a9bd6573b26c634622",
"status": "affected",
"version": "876c9d3aeb989cf1961f2c228d309ba5dcfb1172",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/libertas/if_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix WARNING in usb_tx_block\n\nThe function usb_tx_block() submits cardp-\u003etx_urb without ensuring that\nany previous transmission on this URB has completed. If a second call\noccurs while the URB is still active (e.g. during rapid firmware loading),\nusb_submit_urb() detects the active state and triggers a warning:\n\u0027URB submitted while active\u0027.\n\nFix this by enforcing serialization: call usb_kill_urb() before\nsubmitting the new request. This ensures the URB is idle and safe to reuse."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:00.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd"
},
{
"url": "https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7"
},
{
"url": "https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232"
},
{
"url": "https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1"
},
{
"url": "https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496"
},
{
"url": "https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83"
},
{
"url": "https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9"
},
{
"url": "https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622"
}
],
"title": "wifi: libertas: fix WARNING in usb_tx_block",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43255",
"datePublished": "2026-05-06T11:28:44.522Z",
"dateReserved": "2026-05-01T14:12:55.996Z",
"dateUpdated": "2026-05-11T22:21:00.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…