Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0745
Vulnerability from certfr_avis - Published: 2026-06-12 - Updated: 2026-06-12
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | openSUSE Leap | openSUSE Leap 15.5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro for Rancher 5.4 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.6 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.3 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP applications 16.0 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro for Rancher 5.3 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | SUSE Linux Micro Extras | SUSE Linux Micro Extras 6.2 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 | ||
| SUSE | SUSE Linux Micro | SUSE Linux Micro 6.2 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 LTSS | ||
| SUSE | SUSE Linux Enterprise High Availability Extension | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.4 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro Extras 6.2",
"product": {
"name": "SUSE Linux Micro Extras",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6 LTSS",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31483"
},
{
"name": "CVE-2026-43414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43414"
},
{
"name": "CVE-2026-31493",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31493"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2026-45852",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45852"
},
{
"name": "CVE-2026-31758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31758"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-45910",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45910"
},
{
"name": "CVE-2026-31405",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31405"
},
{
"name": "CVE-2026-43054",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43054"
},
{
"name": "CVE-2023-20585",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20585"
},
{
"name": "CVE-2026-31473",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31473"
},
{
"name": "CVE-2026-31613",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31613"
},
{
"name": "CVE-2026-46114",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46114"
},
{
"name": "CVE-2026-23380",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23380"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43362",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43362"
},
{
"name": "CVE-2026-23271",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23271"
},
{
"name": "CVE-2026-31614",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31614"
},
{
"name": "CVE-2026-46113",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46113"
},
{
"name": "CVE-2026-3150",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3150"
},
{
"name": "CVE-2026-31568",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31568"
},
{
"name": "CVE-2026-31516",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31516"
},
{
"name": "CVE-2026-23317",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23317"
},
{
"name": "CVE-2026-43012",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43012"
},
{
"name": "CVE-2026-43503",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43503"
},
{
"name": "CVE-2026-43009",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43009"
},
{
"name": "CVE-2026-43499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43499"
},
{
"name": "CVE-2026-23359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23359"
},
{
"name": "CVE-2026-46043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46043"
},
{
"name": "CVE-2026-43252",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43252"
},
{
"name": "CVE-2026-23437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23437"
},
{
"name": "CVE-2026-46243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46243"
},
{
"name": "CVE-2026-43360",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43360"
},
{
"name": "CVE-2026-43328",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43328"
},
{
"name": "CVE-2026-31480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31480"
},
{
"name": "CVE-2026-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43437"
},
{
"name": "CVE-2026-46300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46300"
},
{
"name": "CVE-2026-43361",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43361"
},
{
"name": "CVE-2026-23444",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23444"
},
{
"name": "CVE-2026-31406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31406"
},
{
"name": "CVE-2026-46110",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46110"
},
{
"name": "CVE-2026-43501",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43501"
},
{
"name": "CVE-2026-23243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23243"
},
{
"name": "CVE-2026-31521",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31521"
},
{
"name": "CVE-2026-43126",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43126"
},
{
"name": "CVE-2026-31607",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
},
{
"name": "CVE-2026-45970",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45970"
},
{
"name": "CVE-2026-23274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23274"
},
{
"name": "CVE-2025-54518",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54518"
},
{
"name": "CVE-2026-43206",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43206"
},
{
"name": "CVE-2026-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43190"
},
{
"name": "CVE-2026-45843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45843"
},
{
"name": "CVE-2026-46004",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46004"
},
{
"name": "CVE-2026-31736",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31736"
},
{
"name": "CVE-2026-43341",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43341"
},
{
"name": "CVE-2026-46333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46333"
},
{
"name": "CVE-2026-43037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43037"
},
{
"name": "CVE-2026-46021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46021"
},
{
"name": "CVE-2026-43112",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43112"
},
{
"name": "CVE-2026-31575",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31575"
},
{
"name": "CVE-2026-43338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43338"
},
{
"name": "CVE-2026-43234",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43234"
},
{
"name": "CVE-2026-43359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43359"
},
{
"name": "CVE-2026-31729",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31729"
},
{
"name": "CVE-2026-31464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31464"
},
{
"name": "CVE-2026-43333",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43333"
},
{
"name": "CVE-2026-43325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43325"
},
{
"name": "CVE-2026-43013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43013"
},
{
"name": "CVE-2026-31629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31629"
}
],
"initial_release_date": "2026-06-12T00:00:00",
"last_revision_date": "2026-06-12T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0745",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22037-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622037-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22040-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622040-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22038-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622038-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22035-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622035-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22039-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622039-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22042-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622042-1"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2332-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262332-1"
},
{
"published_at": "2026-06-09",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2317-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262317-1"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22043-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622043-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22036-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622036-1"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22031-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622031-1"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22048-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622048-1"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22032-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622032-1"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22034-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622034-1"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:22033-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622033-1"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2331-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262331-1"
},
{
"published_at": "2026-06-09",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:2310-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262310-1"
}
]
}
CVE-2026-31402 (GCVE-0-2026-31402)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-06-30 12:07
VLAI
EPSS
Title
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Severity
9.8 (Critical)
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
30 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/f9fcb4441f6c02bb2… | |
| https://git.kernel.org/stable/c/2665887a69437a8a4… | |
| https://git.kernel.org/stable/c/c9452c0797c95cf23… | |
| https://git.kernel.org/stable/c/8afb437ea1f70cacb… | |
| https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6e… | |
| https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad… | |
| https://git.kernel.org/stable/c/ae8498337dfdfda71… | |
| https://git.kernel.org/stable/c/5133b61aaf437e5f2… | |
| https://access.redhat.com/security/cve/CVE-2026-31402 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2454844 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:14823 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:14925 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:14869 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:15883 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13566 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19569 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13936 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13734 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:10108 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:11313 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13565 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19568 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13577 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:14165 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13664 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13681 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:13578 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:14137 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:14301 | vendor-advisoryx_refsource_REDHAT |
Impacted products
52 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9fcb4441f6c02bb20c2eb340101e27dfe23607c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2665887a69437a8a4f552f69509eecfb73d4aa19 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9452c0797c95cf2378170df96cf4f4b3bca7eff (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f0e2a54a31a7f9ad2915db99156114872317388 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8498337dfdfda71bdd0b807c9a23a126011d76 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5133b61aaf437e5f25b1b396b14242a6bb0508e2 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
|
| Red Hat | Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION) |
cpe:/o:redhat:rhel_els:6 |
|
| Red Hat | Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION) |
cpe:/o:redhat:rhel_els:6 |
|
| Red Hat | Red Hat Enterprise Linux Server (v. 7 ELS) |
cpe:/o:redhat:rhel_els:7 |
|
| Red Hat | Red Hat Enterprise Linux for Real Time (v. 7 ELS) |
cpe:/a:redhat:rhel_extras_rt_els:7 |
|
| Red Hat | Red Hat Enterprise Linux Server Optional (v. 7 ELS) |
cpe:/o:redhat:rhel_els:7 |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 8) |
cpe:/o:redhat:enterprise_linux:8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS AUS (v.8.4) |
cpe:/o:redhat:rhel_aus:8.4::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4) |
cpe:/o:redhat:rhel_eus_long_life:8.4::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS AUS (v.8.6) |
cpe:/o:redhat:rhel_aus:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.8.6) |
cpe:/o:redhat:rhel_e4s:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS TUS (v.8.6) |
cpe:/o:redhat:rhel_tus:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.8.8) |
cpe:/o:redhat:rhel_e4s:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS TUS (v.8.8) |
cpe:/o:redhat:rhel_tus:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.9.0) |
cpe:/o:redhat:rhel_e4s:9.0::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.9.2) |
cpe:/o:redhat:rhel_e4s:9.2::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v.9.4) |
cpe:/o:redhat:rhel_eus:9.4::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS (v.9.6) |
cpe:/o:redhat:rhel_eus:9.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 9) |
cpe:/o:redhat:enterprise_linux:9::baseos |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CRB (v. 8) |
cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::crb |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux NFV (v. 8) |
cpe:/a:redhat:enterprise_linux:8::nfv |
|
| Red Hat | Red Hat Enterprise Linux NFV E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time for NFV (v. 9) |
cpe:/a:redhat:enterprise_linux:9::nfv |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux Real Time (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux RT (v. 8) |
cpe:/a:redhat:enterprise_linux:8::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::realtime |
|
| Red Hat | Red Hat Enterprise Linux Real Time (v. 9) |
cpe:/a:redhat:enterprise_linux:9::realtime |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_extras_rt_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_aus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.2::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus:9.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux NFV E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux RT (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::realtime"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Real Time (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s NFSv4.0 server (nfsd). A remote, unauthenticated attacker can exploit this heap overflow vulnerability in the NFSv4.0 LOCK replay cache. By using two cooperating NFSv4.0 clients, where one sets a lock with a large owner string and another requests a conflicting lock, the attacker can trigger a slab-out-of-bounds write. This corruption of adjacent heap memory could lead to arbitrary code execution or a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:51.037Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-31402"
},
{
"name": "RHBZ#2454844",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454844"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31402.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14823"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14925"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14869"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15883"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13566"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13936"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13734"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10108"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11313"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13565"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13577"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14165"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13664"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13681"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13578"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14137"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14301"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:14823: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION), Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION)"
},
{
"lang": "en",
"value": "RHSA-2026:14925: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:14869: Red Hat Enterprise Linux for Real Time (v. 7 ELS)"
},
{
"lang": "en",
"value": "RHSA-2026:15883: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13566: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:13936: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:13734: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:10108: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4), Red Hat Enterprise Linux Real Time EUS (v.9.4), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:11313: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13565: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:13577: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14165: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:13664: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:13681: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:13578: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:14137: Red Hat Enterprise Linux NFV E4S (v.9.0), Red Hat Enterprise Linux Real Time E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:14301: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2665887a69437a8a4f552f69509eecfb73d4aa19",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4xdr.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:38.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
},
{
"url": "https://git.kernel.org/stable/c/2665887a69437a8a4f552f69509eecfb73d4aa19"
},
{
"url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
},
{
"url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
},
{
"url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
},
{
"url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
},
{
"url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
},
{
"url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
}
],
"title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31402",
"datePublished": "2026-04-03T15:16:05.724Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-06-30T12:07:51.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31405 (GCVE-0-2026-31405)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:33 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
media: dvb-net: fix OOB access in ULE extension header tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-net: fix OOB access in ULE extension header tables
The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.
Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.
Severity
9.8 (Critical)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e51238718217c4abd… | |
| https://git.kernel.org/stable/c/b2bd2ee73b697c177… | |
| https://git.kernel.org/stable/c/29ef43ceb121d67b8… | |
| https://git.kernel.org/stable/c/1a6da3dbb9985d007… | |
| https://git.kernel.org/stable/c/145e50c2c700fa52b… | |
| https://git.kernel.org/stable/c/8bde543d2a5f935ba… | |
| https://git.kernel.org/stable/c/f2b65dcb78c8990e4… | |
| https://git.kernel.org/stable/c/24d87712727a5017a… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e51238718217c4abdb3ccc3b0c0cde265c7ec629
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b2bd2ee73b697c177157bba534e1b1064c2e66a0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29ef43ceb121d67b87f4cbb08439e4e9e732eff8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a6da3dbb9985d00743073a1cc1f96e59f5abc30 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 145e50c2c700fa52b840df7bab206043997dd18e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2b65dcb78c8990e4c68a906627433be1fe38a92 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 24d87712727a5017ad142d63940589a36cd25647 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e51238718217c4abdb3ccc3b0c0cde265c7ec629",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2bd2ee73b697c177157bba534e1b1064c2e66a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "29ef43ceb121d67b87f4cbb08439e4e9e732eff8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1a6da3dbb9985d00743073a1cc1f96e59f5abc30",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "145e50c2c700fa52b840df7bab206043997dd18e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2b65dcb78c8990e4c68a906627433be1fe38a92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "24d87712727a5017ad142d63940589a36cd25647",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvb_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-net: fix OOB access in ULE extension header tables\n\nThe ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables\nin handle_one_ule_extension() are declared with 255 elements (valid\nindices 0-254), but the index htype is derived from network-controlled\ndata as (ule_sndu_type \u0026 0x00FF), giving a range of 0-255. When\nhtype equals 255, an out-of-bounds read occurs on the function pointer\ntable, and the OOB value may be called as a function pointer.\n\nAdd a bounds check on htype against the array size before either table\nis accessed. Out-of-range values now cause the SNDU to be discarded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:04.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e51238718217c4abdb3ccc3b0c0cde265c7ec629"
},
{
"url": "https://git.kernel.org/stable/c/b2bd2ee73b697c177157bba534e1b1064c2e66a0"
},
{
"url": "https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8"
},
{
"url": "https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30"
},
{
"url": "https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e"
},
{
"url": "https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe"
},
{
"url": "https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92"
},
{
"url": "https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647"
}
],
"title": "media: dvb-net: fix OOB access in ULE extension header tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31405",
"datePublished": "2026-04-06T07:33:00.544Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:04.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31406 (GCVE-0-2026-31406)
Vulnerability from cvelistv5 – Published: 2026-04-06 07:38 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()
After cancel_delayed_work_sync() is called from
xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining
states via __xfrm_state_delete(), which calls
xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.
The following is a simple race scenario:
cpu0 cpu1
cleanup_net() [Round 1]
ops_undo_list()
xfrm_net_exit()
xfrm_nat_keepalive_net_fini()
cancel_delayed_work_sync(nat_keepalive_work);
xfrm_state_fini()
xfrm_state_flush()
xfrm_state_delete(x)
__xfrm_state_delete(x)
xfrm_nat_keepalive_state_updated(x)
schedule_delayed_work(nat_keepalive_work);
rcu_barrier();
net_complete_free();
net_passive_dec(net);
llist_add(&net->defer_free_list, &defer_free_list);
cleanup_net() [Round 2]
rcu_barrier();
net_complete_free()
kmem_cache_free(net_cachep, net);
nat_keepalive_work()
// on freed net
To prevent this, cancel_delayed_work_sync() is replaced with
disable_delayed_work_sync().
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae , < 32d0f44c2f14d60fe8e920e69a28c11051543ec1
(git)
Affected: f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae , < 2255ed6adbc3100d2c4a83abd9d0396d04b87792 (git) Affected: f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae , < 21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 (git) Affected: f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae , < daf8e3b253aa760ff9e96c7768a464bc1d6b3c90 (git) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_nat_keepalive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32d0f44c2f14d60fe8e920e69a28c11051543ec1",
"status": "affected",
"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae",
"versionType": "git"
},
{
"lessThan": "2255ed6adbc3100d2c4a83abd9d0396d04b87792",
"status": "affected",
"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae",
"versionType": "git"
},
{
"lessThan": "21f2fc49ca6faa393c31da33b8a4e6c41fc84c13",
"status": "affected",
"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae",
"versionType": "git"
},
{
"lessThan": "daf8e3b253aa760ff9e96c7768a464bc1d6b3c90",
"status": "affected",
"version": "f531d13bdfe3f4f084aaa8acae2cb0f02295f5ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_nat_keepalive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()\n\nAfter cancel_delayed_work_sync() is called from\nxfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining\nstates via __xfrm_state_delete(), which calls\nxfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\ncleanup_net() [Round 1]\n ops_undo_list()\n xfrm_net_exit()\n xfrm_nat_keepalive_net_fini()\n cancel_delayed_work_sync(nat_keepalive_work);\n xfrm_state_fini()\n xfrm_state_flush()\n xfrm_state_delete(x)\n __xfrm_state_delete(x)\n xfrm_nat_keepalive_state_updated(x)\n schedule_delayed_work(nat_keepalive_work);\n rcu_barrier();\n net_complete_free();\n net_passive_dec(net);\n llist_add(\u0026net-\u003edefer_free_list, \u0026defer_free_list);\n\ncleanup_net() [Round 2]\n rcu_barrier();\n net_complete_free()\n kmem_cache_free(net_cachep, net);\n nat_keepalive_work()\n // on freed net\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:05.678Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1"
},
{
"url": "https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792"
},
{
"url": "https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13"
},
{
"url": "https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90"
}
],
"title": "xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31406",
"datePublished": "2026-04-06T07:38:18.840Z",
"dateReserved": "2026-03-09T15:48:24.086Z",
"dateUpdated": "2026-05-11T22:08:05.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31464 (GCVE-0-2026-31464)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:09
VLAI
EPSS
Title
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.
Fix by clamping num_written to max_targets before storing it.
Severity
8.1 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/d842348f8a00d5b1d… | |
| https://git.kernel.org/stable/c/a007246cb6c9ebdc9… | |
| https://git.kernel.org/stable/c/394a1cac3c12fdd7d… | |
| https://git.kernel.org/stable/c/4ed727e35b0ab17d3… | |
| https://git.kernel.org/stable/c/d1466bf991b2343cf… | |
| https://git.kernel.org/stable/c/786f10b1966e48504… | |
| https://git.kernel.org/stable/c/bae4df0a643fa7f84… | |
| https://git.kernel.org/stable/c/61d099ac4a7a8fb11… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < d842348f8a00d5b1d7358f207eb34ffcf5b16df3
(git)
Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < a007246cb6c9ebdc93dafbf63cc2d43d98f402cc (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 4ed727e35b0ab17d3eeeb1e8023768396e2be161 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < d1466bf991b2343cf2ba8336e440c8faf3cbb780 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 786f10b1966e485046839f992e89f2c18cbd1983 (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < bae4df0a643fa7f84663473aa3082a9c2ed139db (git) Affected: 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 , < 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f (git) |
|
| Linux | Linux |
Affected:
2.6.27
Unaffected: 0 , < 2.6.27 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d842348f8a00d5b1d7358f207eb34ffcf5b16df3",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "a007246cb6c9ebdc93dafbf63cc2d43d98f402cc",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "4ed727e35b0ab17d3eeeb1e8023768396e2be161",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "d1466bf991b2343cf2ba8336e440c8faf3cbb780",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "786f10b1966e485046839f992e89f2c18cbd1983",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "bae4df0a643fa7f84663473aa3082a9c2ed139db",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
},
{
"lessThan": "61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f",
"status": "affected",
"version": "072b91f9c6510d0ec4a49d07dbc318760c7da7b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost-\u003enum_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation. The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:14.078Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3"
},
{
"url": "https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc"
},
{
"url": "https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89"
},
{
"url": "https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161"
},
{
"url": "https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780"
},
{
"url": "https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983"
},
{
"url": "https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db"
},
{
"url": "https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f"
}
],
"title": "scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31464",
"datePublished": "2026-04-22T13:53:54.970Z",
"dateReserved": "2026-03-09T15:48:24.097Z",
"dateUpdated": "2026-05-11T22:09:14.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31473 (GCVE-0-2026-31473)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI
EPSS
Title
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.
We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.
This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.
Severity
7.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/331242998a7ade5c2… | |
| https://git.kernel.org/stable/c/2c685e99efb3b3bd2… | |
| https://git.kernel.org/stable/c/585fd9a2063dacce8… | |
| https://git.kernel.org/stable/c/1a0d9083c24fbd5d2… | |
| https://git.kernel.org/stable/c/d8549a453d5bdc0a7… | |
| https://git.kernel.org/stable/c/72b9e81e0203f03c4… | |
| https://git.kernel.org/stable/c/cf2023e84f0888f96… | |
| https://git.kernel.org/stable/c/bef4f4a88b73e4cc5… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 331242998a7ade5c2f65e14988901614629f3db5
(git)
Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 2c685e99efb3b3bd2b78699fba6b1cf321975db0 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 585fd9a2063dacce8b2820f675ef23d5d17434c5 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 1a0d9083c24fbd5d22f7100f09d11e4d696a5f01 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < d8549a453d5bdc0a71de66ad47a1106703406a56 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < 72b9e81e0203f03c40f3adb457f55bd4c8eb112d (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < cf2023e84f0888f96f4b65dc0804e7f3651969c1 (git) Affected: 6093d3002eabd7c2913d97f1d1f4ce34b072acf9 , < bef4f4a88b73e4cc550d25f665b8a9952af22773 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "331242998a7ade5c2f65e14988901614629f3db5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "2c685e99efb3b3bd2b78699fba6b1cf321975db0",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "585fd9a2063dacce8b2820f675ef23d5d17434c5",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "1a0d9083c24fbd5d22f7100f09d11e4d696a5f01",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "d8549a453d5bdc0a71de66ad47a1106703406a56",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "72b9e81e0203f03c40f3adb457f55bd4c8eb112d",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "cf2023e84f0888f96f4b65dc0804e7f3651969c1",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
},
{
"lessThan": "bef4f4a88b73e4cc550d25f665b8a9952af22773",
"status": "affected",
"version": "6093d3002eabd7c2913d97f1d1f4ce34b072acf9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/mc/mc-request.c",
"drivers/media/v4l2-core/v4l2-ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:24.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5"
},
{
"url": "https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0"
},
{
"url": "https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5"
},
{
"url": "https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01"
},
{
"url": "https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56"
},
{
"url": "https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d"
},
{
"url": "https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1"
},
{
"url": "https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773"
}
],
"title": "media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31473",
"datePublished": "2026-04-22T13:54:00.970Z",
"dateReserved": "2026-03-09T15:48:24.098Z",
"dateUpdated": "2026-05-11T22:09:24.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31480 (GCVE-0-2026-31480)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI
EPSS
Title
tracing: Fix potential deadlock in cpu hotplug with osnoise
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix potential deadlock in cpu hotplug with osnoise
The following sequence may leads deadlock in cpu hotplug:
task1 task2 task3
----- ----- -----
mutex_lock(&interface_lock)
[CPU GOING OFFLINE]
cpus_write_lock();
osnoise_cpu_die();
kthread_stop(task3);
wait_for_completion();
osnoise_sleep();
mutex_lock(&interface_lock);
cpus_read_lock();
[DEAD LOCK]
Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).
Severity
No CVSS data available.
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/cf929c21eeed5bd39… | |
| https://git.kernel.org/stable/c/7aa095ce7d224308c… | |
| https://git.kernel.org/stable/c/ef41a85a55022e27c… | |
| https://git.kernel.org/stable/c/03474a01c199de17a… | |
| https://git.kernel.org/stable/c/f278b8ebf7eba2a16… | |
| https://git.kernel.org/stable/c/7a41d4633cd2c15eb… | |
| https://git.kernel.org/stable/c/1f9885732248d22f7… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < cf929c21eeed5bd39873fb14bfdfff963fa6f1da
(git)
Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7aa095ce7d224308cb6979956f0de8607df93d4f (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < ef41a85a55022e27cdaebf22a6676910b66f65aa (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 03474a01c199de17a8e2d39b51df6beb9c76e831 (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7 (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f (git) Affected: bce29ac9ce0bb0b0b146b687ab978378c21e9078 , < 1f9885732248d22f788e4992c739a98c88ab8a55 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf929c21eeed5bd39873fb14bfdfff963fa6f1da",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7aa095ce7d224308cb6979956f0de8607df93d4f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "ef41a85a55022e27cdaebf22a6676910b66f65aa",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "03474a01c199de17a8e2d39b51df6beb9c76e831",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
},
{
"lessThan": "1f9885732248d22f788e4992c739a98c88ab8a55",
"status": "affected",
"version": "bce29ac9ce0bb0b0b146b687ab978378c21e9078",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential deadlock in cpu hotplug with osnoise\n\nThe following sequence may leads deadlock in cpu hotplug:\n\n task1 task2 task3\n ----- ----- -----\n\n mutex_lock(\u0026interface_lock)\n\n [CPU GOING OFFLINE]\n\n cpus_write_lock();\n osnoise_cpu_die();\n kthread_stop(task3);\n wait_for_completion();\n\n osnoise_sleep();\n mutex_lock(\u0026interface_lock);\n\n cpus_read_lock();\n\n [DEAD LOCK]\n\nFix by swap the order of cpus_read_lock() and mutex_lock(\u0026interface_lock)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:32.978Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf929c21eeed5bd39873fb14bfdfff963fa6f1da"
},
{
"url": "https://git.kernel.org/stable/c/7aa095ce7d224308cb6979956f0de8607df93d4f"
},
{
"url": "https://git.kernel.org/stable/c/ef41a85a55022e27cdaebf22a6676910b66f65aa"
},
{
"url": "https://git.kernel.org/stable/c/03474a01c199de17a8e2d39b51df6beb9c76e831"
},
{
"url": "https://git.kernel.org/stable/c/f278b8ebf7eba2a1699cfc7bf30dd3ef898d60d7"
},
{
"url": "https://git.kernel.org/stable/c/7a41d4633cd2c15eb5ed31e8f3b16910e50a8c9f"
},
{
"url": "https://git.kernel.org/stable/c/1f9885732248d22f788e4992c739a98c88ab8a55"
}
],
"title": "tracing: Fix potential deadlock in cpu hotplug with osnoise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31480",
"datePublished": "2026-04-22T13:54:07.566Z",
"dateReserved": "2026-03-09T15:48:24.100Z",
"dateUpdated": "2026-05-11T22:09:32.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31483 (GCVE-0-2026-31483)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI
EPSS
Title
s390/syscalls: Add spectre boundary for syscall dispatch table
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/syscalls: Add spectre boundary for syscall dispatch table
The s390 syscall number is directly controlled by userspace, but does
not have an array_index_nospec() boundary to prevent access past the
syscall function pointer tables.
Severity
No CVSS data available.
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/3c3b97064764899c3… | |
| https://git.kernel.org/stable/c/1cb9c7bc9025c6375… | |
| https://git.kernel.org/stable/c/7a5260fbc6e79a159… | |
| https://git.kernel.org/stable/c/f8c444b918d639e1f… | |
| https://git.kernel.org/stable/c/87776f02449e3bded… | |
| https://git.kernel.org/stable/c/4d05dd18d867d58c6… | |
| https://git.kernel.org/stable/c/48b8814e25d073dd8… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
56e62a73702836017564eaacd5212e4d0fa1c01d , < 3c3b97064764899c39a0abbd35a6caa031e70333
(git)
Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 1cb9c7bc9025c637564fabc7fcc3c9343949e310 (git) Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 7a5260fbc6e79a1595328ec5c6aa3f937504a1f0 (git) Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < f8c444b918d639e1f9a621ee20fe481c1d10dfc4 (git) Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 87776f02449e3bded95b2ccbd6b012e9ae64e6f3 (git) Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 4d05dd18d867d58c6952a3bc260d244899da7256 (git) Affected: 56e62a73702836017564eaacd5212e4d0fa1c01d , < 48b8814e25d073dd84daf990a879a820bad2bcbd (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c3b97064764899c39a0abbd35a6caa031e70333",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "1cb9c7bc9025c637564fabc7fcc3c9343949e310",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "7a5260fbc6e79a1595328ec5c6aa3f937504a1f0",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "f8c444b918d639e1f9a621ee20fe481c1d10dfc4",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "87776f02449e3bded95b2ccbd6b012e9ae64e6f3",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "4d05dd18d867d58c6952a3bc260d244899da7256",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
},
{
"lessThan": "48b8814e25d073dd84daf990a879a820bad2bcbd",
"status": "affected",
"version": "56e62a73702836017564eaacd5212e4d0fa1c01d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/syscalls: Add spectre boundary for syscall dispatch table\n\nThe s390 syscall number is directly controlled by userspace, but does\nnot have an array_index_nospec() boundary to prevent access past the\nsyscall function pointer tables."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:36.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c3b97064764899c39a0abbd35a6caa031e70333"
},
{
"url": "https://git.kernel.org/stable/c/1cb9c7bc9025c637564fabc7fcc3c9343949e310"
},
{
"url": "https://git.kernel.org/stable/c/7a5260fbc6e79a1595328ec5c6aa3f937504a1f0"
},
{
"url": "https://git.kernel.org/stable/c/f8c444b918d639e1f9a621ee20fe481c1d10dfc4"
},
{
"url": "https://git.kernel.org/stable/c/87776f02449e3bded95b2ccbd6b012e9ae64e6f3"
},
{
"url": "https://git.kernel.org/stable/c/4d05dd18d867d58c6952a3bc260d244899da7256"
},
{
"url": "https://git.kernel.org/stable/c/48b8814e25d073dd84daf990a879a820bad2bcbd"
}
],
"title": "s390/syscalls: Add spectre boundary for syscall dispatch table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31483",
"datePublished": "2026-04-22T13:54:09.561Z",
"dateReserved": "2026-03-09T15:48:24.101Z",
"dateUpdated": "2026-05-11T22:09:36.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31493 (GCVE-0-2026-31493)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:09
VLAI
EPSS
Title
RDMA/efa: Fix use of completion ctx after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/efa: Fix use of completion ctx after free
On admin queue completion handling, if the admin command completed with
error we print data from the completion context. The issue is that we
already freed the completion context in polling/interrupts handler which
means we print data from context in an unknown state (it might be
already used again).
Change the admin submission flow so alloc/dealloc of the context will be
symmetric and dealloc will be called after any potential use of the
context.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < 0dd98aea1c0c45987fa2dd92f988b0eb1a72c125
(git)
Affected: 68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < 1cf95fe5dc5471efea947b4c6f8913da6bc7976e (git) Affected: 68fb9f3e312a36e49fd05ec2d6b668daf2c4931a , < ef3b06742c8a201d0e83edc9a33a89a4fe3009f8 (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0dd98aea1c0c45987fa2dd92f988b0eb1a72c125",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
},
{
"lessThan": "1cf95fe5dc5471efea947b4c6f8913da6bc7976e",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
},
{
"lessThan": "ef3b06742c8a201d0e83edc9a33a89a4fe3009f8",
"status": "affected",
"version": "68fb9f3e312a36e49fd05ec2d6b668daf2c4931a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_com.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix use of completion ctx after free\n\nOn admin queue completion handling, if the admin command completed with\nerror we print data from the completion context. The issue is that we\nalready freed the completion context in polling/interrupts handler which\nmeans we print data from context in an unknown state (it might be\nalready used again).\nChange the admin submission flow so alloc/dealloc of the context will be\nsymmetric and dealloc will be called after any potential use of the\ncontext."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:09:47.997Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dd98aea1c0c45987fa2dd92f988b0eb1a72c125"
},
{
"url": "https://git.kernel.org/stable/c/1cf95fe5dc5471efea947b4c6f8913da6bc7976e"
},
{
"url": "https://git.kernel.org/stable/c/ef3b06742c8a201d0e83edc9a33a89a4fe3009f8"
}
],
"title": "RDMA/efa: Fix use of completion ctx after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31493",
"datePublished": "2026-04-22T13:54:16.255Z",
"dateReserved": "2026-03-09T15:48:24.102Z",
"dateUpdated": "2026-05-11T22:09:47.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3150 (GCVE-0-2026-3150)
Vulnerability from cvelistv5 – Published: 2026-02-25 04:32 – Updated: 2026-02-25 14:49 X_Freeware
VLAI
EPSS
Title
itsourcecode College Management System display-teacher.php sql injection
Summary
A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.347658 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.347658 | signaturepermissions-required |
| https://vuldb.com/?submit.758829 | third-party-advisory |
| https://github.com/Zhangchao404/cve/issues/2 | exploitissue-tracking |
| https://itsourcecode.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| itsourcecode | College Management System |
Affected:
1.0
|
Credits
Zhangchao404 (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3150",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:48:59.060111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:49:09.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "College Management System",
"vendor": "itsourcecode",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Zhangchao404 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T04:32:08.455Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-347658 | itsourcecode College Management System display-teacher.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.347658"
},
{
"name": "VDB-347658 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.347658"
},
{
"name": "Submit #758829 | itsourcecode College Management System V1.0 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.758829"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Zhangchao404/cve/issues/2"
},
{
"tags": [
"product"
],
"url": "https://itsourcecode.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-24T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-24T21:13:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "itsourcecode College Management System display-teacher.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3150",
"datePublished": "2026-02-25T04:32:08.455Z",
"dateReserved": "2026-02-24T20:08:09.987Z",
"dateUpdated": "2026-02-25T14:49:09.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31516 (GCVE-0-2026-31516)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-05-11 22:10
VLAI
EPSS
Title
xfrm: prevent policy_hthresh.work from racing with netns teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: prevent policy_hthresh.work from racing with netns teardown
A XFRM_MSG_NEWSPDINFO request can queue the per-net work item
policy_hthresh.work onto the system workqueue.
The queued callback, xfrm_hash_rebuild(), retrieves the enclosing
struct net via container_of(). If the net namespace is torn down
before that work runs, the associated struct net may already have
been freed, and xfrm_hash_rebuild() may then dereference stale memory.
xfrm_policy_fini() already flushes policy_hash_work during teardown,
but it does not synchronize policy_hthresh.work.
Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the
queued work cannot outlive the net namespace teardown and access a
freed struct net.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 56ea2257b83ee29a543f158159e3d1abc1e3e4fe
(git)
Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 8854e9367465d784046362698731c1111e3b39b8 (git) Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 4e2e77843fef473ef47e322d52436d8308582a96 (git) Affected: 880a6fab8f6ba5b5abe59ea68533202ddea1012c , < 29fe3a61bcdce398ee3955101c39f89c01a8a77e (git) |
|
| Linux | Linux |
Affected:
3.18
Unaffected: 0 , < 3.18 (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56ea2257b83ee29a543f158159e3d1abc1e3e4fe",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "8854e9367465d784046362698731c1111e3b39b8",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "4e2e77843fef473ef47e322d52436d8308582a96",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
},
{
"lessThan": "29fe3a61bcdce398ee3955101c39f89c01a8a77e",
"status": "affected",
"version": "880a6fab8f6ba5b5abe59ea68533202ddea1012c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:10:18.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56ea2257b83ee29a543f158159e3d1abc1e3e4fe"
},
{
"url": "https://git.kernel.org/stable/c/8854e9367465d784046362698731c1111e3b39b8"
},
{
"url": "https://git.kernel.org/stable/c/4e2e77843fef473ef47e322d52436d8308582a96"
},
{
"url": "https://git.kernel.org/stable/c/29fe3a61bcdce398ee3955101c39f89c01a8a77e"
}
],
"title": "xfrm: prevent policy_hthresh.work from racing with netns teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31516",
"datePublished": "2026-04-22T13:54:32.851Z",
"dateReserved": "2026-03-09T15:48:24.107Z",
"dateUpdated": "2026-05-11T22:10:18.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…