Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0783
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
De multiples vulnérabilités ont été découvertes dans Microsoft Azure. Elles permettent à un attaquant de provoquer une élévation de privilèges et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | azl3 erlang 26.2.5.20-1 versions antérieures à 26.2.5.21-2 | ||
| Microsoft | N/A | azl3 python-pip 24.2-8 versions antérieures à 24.2-9 | ||
| Microsoft | N/A | azl3 edk2 20240524git3e722403cd16-17 versions antérieures à 20240524git3e722403cd16-18 | ||
| Microsoft | N/A | azl3 qemu 9.1.0-7 versions antérieures à 9.1.0-8 | ||
| Microsoft | N/A | azl3 opensc 0.27.1-1 versions antérieures à 0.27.1-2 | ||
| Microsoft | N/A | azl3 kernel 6.6.139.1-1 versions antérieures à 6.6.141.1-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 erlang 26.2.5.20-1 versions ant\u00e9rieures \u00e0 26.2.5.21-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-pip 24.2-8 versions ant\u00e9rieures \u00e0 24.2-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 edk2 20240524git3e722403cd16-17 versions ant\u00e9rieures \u00e0 20240524git3e722403cd16-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 qemu 9.1.0-7 versions ant\u00e9rieures \u00e0 9.1.0-8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 opensc 0.27.1-1 versions ant\u00e9rieures \u00e0 0.27.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.139.1-1 versions ant\u00e9rieures \u00e0 6.6.141.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-46307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46307"
},
{
"name": "CVE-2026-34180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34180"
},
{
"name": "CVE-2026-42766",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42766"
},
{
"name": "CVE-2026-49760",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49760"
},
{
"name": "CVE-2026-9076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9076"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-46280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46280"
},
{
"name": "CVE-2026-46287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46287"
},
{
"name": "CVE-2026-46303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46303"
},
{
"name": "CVE-2026-45445",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45445"
},
{
"name": "CVE-2026-10275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10275"
},
{
"name": "CVE-2026-7383",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7383"
},
{
"name": "CVE-2026-48858",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48858"
},
{
"name": "CVE-2026-49759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49759"
},
{
"name": "CVE-2026-48855",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48855"
},
{
"name": "CVE-2026-46296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46296"
},
{
"name": "CVE-2026-46293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46293"
},
{
"name": "CVE-2026-46301",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46301"
},
{
"name": "CVE-2026-46289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46289"
},
{
"name": "CVE-2026-46285",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46285"
},
{
"name": "CVE-2026-45447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45447"
},
{
"name": "CVE-2026-48856",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48856"
},
{
"name": "CVE-2026-46291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46291"
},
{
"name": "CVE-2026-46312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46312"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46292"
},
{
"name": "CVE-2026-42767",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42767"
},
{
"name": "CVE-2026-48914",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48914"
},
{
"name": "CVE-2026-48860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48860"
},
{
"name": "CVE-2026-8643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8643"
},
{
"name": "CVE-2026-46306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46306"
},
{
"name": "CVE-2026-46299",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46299"
},
{
"name": "CVE-2026-46304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46304"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0783",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure",
"vendor_advisories": [
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42766",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42766"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46280",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46280"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42767",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42767"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45447",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45447"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45445",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45445"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49759",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49759"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46307",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46307"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46291",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46291"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46301",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46301"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46303"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46306",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46306"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48856",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48856"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46287",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46287"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48860",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48860"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34180"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46292",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46292"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46285",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46285"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46312",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46312"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49760",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49760"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46319",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46319"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46293"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48914",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48914"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-7383",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7383"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46296",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46296"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-9076",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9076"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46274"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48855",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48855"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-10275",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10275"
},
{
"published_at": "2026-06-04",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-8643",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8643"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48858",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48858"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46289",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46289"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46299",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46299"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46304"
}
]
}
CVE-2026-46289 (GCVE-0-2026-46289)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:06
VLAI
EPSS
Title
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Patch series "Fix bugs in extract_iter_to_sg()", v3.
Fix bugs in the kvec and user variants of extract_iter_to_sg. This series
is growing due to useful remarks made by sashiko.dev.
The main bugs are:
- The length for an sglist entry when extracting from
a kvec can exceed the number of bytes in the page. This
is obviously not intended.
- When extracting a user buffer the sglist is temporarily
used as a scratch buffer for extracted page pointers.
If the sglist already contains some elements this scratch
buffer could overlap with existing entries in the sglist.
The series adds test cases to the kunit_iov_iter test that demonstrate all
of these bugs. Additionally, there is a memory leak fix for the test
itself.
The bugs were orignally introduced into kernel v6.3 where the function
lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in
v6.5. Thus the actual fix is only marked for backports to v6.5+.
This patch (of 5):
When extracting from a kvec to a scatterlist, do not cross page
boundaries. The required length was already calculated but not used as
intended.
Adjust the copied length if the loop runs out of sglist entries without
extracting everything.
While there, return immediately from extract_iter_to_sg if there are no
sglist entries at all.
A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.
Severity
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0185846975339a5c348373aa450a977f5242366b , < 3f17500e86d730c76db638bb3ae52f9b5e496c76
(git)
Affected: 0185846975339a5c348373aa450a977f5242366b , < e5e22fc9963469e678c4f4bb38d26adcec107f1e (git) Affected: 0185846975339a5c348373aa450a977f5242366b , < 8fbba6829057979149d1b37d65690c037f3ddf4d (git) Affected: 0185846975339a5c348373aa450a977f5242366b , < 9d38756d0a93b66163554219fa9c3365f40c4035 (git) Affected: 0185846975339a5c348373aa450a977f5242366b , < 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 (git) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/scatterlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f17500e86d730c76db638bb3ae52f9b5e496c76",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "e5e22fc9963469e678c4f4bb38d26adcec107f1e",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "8fbba6829057979149d1b37d65690c037f3ddf4d",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "9d38756d0a93b66163554219fa9c3365f40c4035",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
},
{
"lessThan": "07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45",
"status": "affected",
"version": "0185846975339a5c348373aa450a977f5242366b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/scatterlist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/scatterlist: fix length calculations in extract_kvec_to_sg\n\nPatch series \"Fix bugs in extract_iter_to_sg()\", v3.\n\nFix bugs in the kvec and user variants of extract_iter_to_sg. This series\nis growing due to useful remarks made by sashiko.dev.\n\nThe main bugs are:\n- The length for an sglist entry when extracting from\n a kvec can exceed the number of bytes in the page. This\n is obviously not intended.\n- When extracting a user buffer the sglist is temporarily\n used as a scratch buffer for extracted page pointers.\n If the sglist already contains some elements this scratch\n buffer could overlap with existing entries in the sglist.\n\nThe series adds test cases to the kunit_iov_iter test that demonstrate all\nof these bugs. Additionally, there is a memory leak fix for the test\nitself.\n\nThe bugs were orignally introduced into kernel v6.3 where the function\nlived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in\nv6.5. Thus the actual fix is only marked for backports to v6.5+.\n\n\nThis patch (of 5):\n\nWhen extracting from a kvec to a scatterlist, do not cross page\nboundaries. The required length was already calculated but not used as\nintended.\n\nAdjust the copied length if the loop runs out of sglist entries without\nextracting everything.\n\nWhile there, return immediately from extract_iter_to_sg if there are no\nsglist entries at all.\n\nA subsequent commit will add kunit test cases that demonstrate that the\npatch is necessary."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:06:42.893Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f17500e86d730c76db638bb3ae52f9b5e496c76"
},
{
"url": "https://git.kernel.org/stable/c/e5e22fc9963469e678c4f4bb38d26adcec107f1e"
},
{
"url": "https://git.kernel.org/stable/c/8fbba6829057979149d1b37d65690c037f3ddf4d"
},
{
"url": "https://git.kernel.org/stable/c/9d38756d0a93b66163554219fa9c3365f40c4035"
},
{
"url": "https://git.kernel.org/stable/c/07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45"
}
],
"title": "lib/scatterlist: fix length calculations in extract_kvec_to_sg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46289",
"datePublished": "2026-06-08T15:46:15.888Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:06:42.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46291 (GCVE-0-2026-46291)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
VLAI
EPSS
Title
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e8e72fdf47bd5ef7a… | |
| https://git.kernel.org/stable/c/cd849c07b8d706425… | |
| https://git.kernel.org/stable/c/a9207798fe619cbc8… | |
| https://git.kernel.org/stable/c/2adbfca7452eeac45… | |
| https://git.kernel.org/stable/c/c7e52fe3f7901ccb9… | |
| https://git.kernel.org/stable/c/5cffe3c136891aa4d… | |
| https://git.kernel.org/stable/c/b8f12d9b00c195077… | |
| https://git.kernel.org/stable/c/177730a273b18e195… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < e8e72fdf47bd5ef7abe642b034c6178a61a8580a
(git)
Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < cd849c07b8d706425e60a4dfcef54b7b67c967ce (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < a9207798fe619cbc85c8744a9b9e2af1db2b6e1a (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 2adbfca7452eeac45117b8e803288a2767f7075f (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48 (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 5cffe3c136891aa4d579bf5c079a68f7cb371b0c (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < b8f12d9b00c1950779e5679b9c13908584682bb6 (git) Affected: 045e36780f11523e26d1e4a8c78bdc57f4003bd0 , < 177730a273b18e195263ed953853273e901b5064 (git) |
|
| Linux | Linux |
Affected:
3.6
Unaffected: 0 , < 3.6 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/caam/caamalg_qi2.c",
"drivers/crypto/caam/caamhash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8e72fdf47bd5ef7abe642b034c6178a61a8580a",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "cd849c07b8d706425e60a4dfcef54b7b67c967ce",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "a9207798fe619cbc85c8744a9b9e2af1db2b6e1a",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "2adbfca7452eeac45117b8e803288a2767f7075f",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "5cffe3c136891aa4d579bf5c079a68f7cb371b0c",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "b8f12d9b00c1950779e5679b9c13908584682bb6",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
},
{
"lessThan": "177730a273b18e195263ed953853273e901b5064",
"status": "affected",
"version": "045e36780f11523e26d1e4a8c78bdc57f4003bd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/caam/caamalg_qi2.c",
"drivers/crypto/caam/caamhash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - guard HMAC key hex dumps in hash_digest_key\n\nUse print_hex_dump_devel() for dumping sensitive HMAC key bytes in\nhash_digest_key() to avoid leaking secrets at runtime when\nCONFIG_DYNAMIC_DEBUG is enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:06.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8e72fdf47bd5ef7abe642b034c6178a61a8580a"
},
{
"url": "https://git.kernel.org/stable/c/cd849c07b8d706425e60a4dfcef54b7b67c967ce"
},
{
"url": "https://git.kernel.org/stable/c/a9207798fe619cbc85c8744a9b9e2af1db2b6e1a"
},
{
"url": "https://git.kernel.org/stable/c/2adbfca7452eeac45117b8e803288a2767f7075f"
},
{
"url": "https://git.kernel.org/stable/c/c7e52fe3f7901ccb9cd29b3f7c683d809ba87e48"
},
{
"url": "https://git.kernel.org/stable/c/5cffe3c136891aa4d579bf5c079a68f7cb371b0c"
},
{
"url": "https://git.kernel.org/stable/c/b8f12d9b00c1950779e5679b9c13908584682bb6"
},
{
"url": "https://git.kernel.org/stable/c/177730a273b18e195263ed953853273e901b5064"
}
],
"title": "crypto: caam - guard HMAC key hex dumps in hash_digest_key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46291",
"datePublished": "2026-06-08T15:46:18.317Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:06.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46292 (GCVE-0-2026-46292)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
VLAI
EPSS
Title
pmdomain: core: Fix detach procedure for virtual devices in genpd
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: core: Fix detach procedure for virtual devices in genpd
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e8f8dad44f024a5c9… | |
| https://git.kernel.org/stable/c/98b8104978474d381… | |
| https://git.kernel.org/stable/c/52e485ed0dcb54968… | |
| https://git.kernel.org/stable/c/707cb5df3eab32ddc… | |
| https://git.kernel.org/stable/c/361518a26e4434e87… | |
| https://git.kernel.org/stable/c/51a7dd9cbae921033… | |
| https://git.kernel.org/stable/c/8d44391a7f29e4601… | |
| https://git.kernel.org/stable/c/26735dfdd8930d9ef… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3c095f32a92be4d07f3172a777dab1aacdb6a728 , < e8f8dad44f024a5c99e54a48ad5c943fa8e54319
(git)
Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 98b8104978474d381256a2b2fb0e7ca8e05a7bfa (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 52e485ed0dcb5496864003ba9ffcef7d5b613f83 (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 707cb5df3eab32ddc52979418f7ace62941e6381 (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 361518a26e4434e879db6ff43bf364795dcbfbff (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 51a7dd9cbae9210335ce398642ecaaa52c939eb5 (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 8d44391a7f29e4601e8243f13498d0219bab2576 (git) Affected: 3c095f32a92be4d07f3172a777dab1aacdb6a728 , < 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 (git) |
|
| Linux | Linux |
Affected:
4.18
Unaffected: 0 , < 4.18 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8f8dad44f024a5c99e54a48ad5c943fa8e54319",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "98b8104978474d381256a2b2fb0e7ca8e05a7bfa",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "52e485ed0dcb5496864003ba9ffcef7d5b613f83",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "707cb5df3eab32ddc52979418f7ace62941e6381",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "361518a26e4434e879db6ff43bf364795dcbfbff",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "51a7dd9cbae9210335ce398642ecaaa52c939eb5",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "8d44391a7f29e4601e8243f13498d0219bab2576",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
},
{
"lessThan": "26735dfdd8930d9ef1fa92e590a9bf77726efdf6",
"status": "affected",
"version": "3c095f32a92be4d07f3172a777dab1aacdb6a728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: core: Fix detach procedure for virtual devices in genpd\n\nIf a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),\ngenpd calls pm_runtime_enable() for the corresponding virtual device that\nit registers. While this avoids boilerplate code in drivers, there is no\ncorresponding call to pm_runtime_disable() in genpd_dev_pm_detach().\n\nThis means these virtual devices are typically detached from its genpd,\nwhile runtime PM remains enabled for them, which is not how things are\ndesigned to work. In worst cases it may lead to critical errors, like a\nNULL pointer dereference bug in genpd_runtime_suspend(), which was recently\nreported. For another case, we may end up keeping an unnecessary vote for a\nperformance state for the device.\n\nTo fix these problems, let\u0027s add this missing call to pm_runtime_disable()\nin genpd_dev_pm_detach()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:08.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8f8dad44f024a5c99e54a48ad5c943fa8e54319"
},
{
"url": "https://git.kernel.org/stable/c/98b8104978474d381256a2b2fb0e7ca8e05a7bfa"
},
{
"url": "https://git.kernel.org/stable/c/52e485ed0dcb5496864003ba9ffcef7d5b613f83"
},
{
"url": "https://git.kernel.org/stable/c/707cb5df3eab32ddc52979418f7ace62941e6381"
},
{
"url": "https://git.kernel.org/stable/c/361518a26e4434e879db6ff43bf364795dcbfbff"
},
{
"url": "https://git.kernel.org/stable/c/51a7dd9cbae9210335ce398642ecaaa52c939eb5"
},
{
"url": "https://git.kernel.org/stable/c/8d44391a7f29e4601e8243f13498d0219bab2576"
},
{
"url": "https://git.kernel.org/stable/c/26735dfdd8930d9ef1fa92e590a9bf77726efdf6"
}
],
"title": "pmdomain: core: Fix detach procedure for virtual devices in genpd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46292",
"datePublished": "2026-06-08T15:46:19.431Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:08.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46293 (GCVE-0-2026-46293)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
VLAI
EPSS
Title
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
UBSAN reported an out of bounds access during registration of the last
two outputs. This out of bounds access occurs because space is only
allocated in the hws array for two PLLs and the four output dividers
that each has, but the defined IDs contain two DLLS and their two
outputs each, which are not supported by the driver. The ID order is
PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
by two while adding them to the array to avoid the problem.
Severity
No CVSS data available.
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/9ed9b580a81477348… | |
| https://git.kernel.org/stable/c/47bc7a03449c39805… | |
| https://git.kernel.org/stable/c/dbfcb09656cb30439… | |
| https://git.kernel.org/stable/c/a0780aeea166a7cf4… | |
| https://git.kernel.org/stable/c/f24efd415455b98a1… | |
| https://git.kernel.org/stable/c/2f7ae8ab6aa73daaf… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d39fb172760e426e0628f16b785c85e16d17bd5e , < 9ed9b580a814773482c0a4f1be045636e68cc109
(git)
Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < 47bc7a03449c39805bc2665d3e57c73195d5bcf8 (git) Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < dbfcb09656cb30439577325c9dea2250203c2e3c (git) Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < a0780aeea166a7cf4706c45af4cadbb2a43a1fc9 (git) Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < f24efd415455b98a1f1cfc6071fe6fde71986706 (git) Affected: d39fb172760e426e0628f16b785c85e16d17bd5e , < 2f7ae8ab6aa73daaf080d5332110357c29df9c36 (git) |
|
| Linux | Linux |
Affected:
6.1
Unaffected: 0 , < 6.1 (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs-ccc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ed9b580a814773482c0a4f1be045636e68cc109",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "47bc7a03449c39805bc2665d3e57c73195d5bcf8",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "dbfcb09656cb30439577325c9dea2250203c2e3c",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "a0780aeea166a7cf4706c45af4cadbb2a43a1fc9",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "f24efd415455b98a1f1cfc6071fe6fde71986706",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
},
{
"lessThan": "2f7ae8ab6aa73daaf080d5332110357c29df9c36",
"status": "affected",
"version": "d39fb172760e426e0628f16b785c85e16d17bd5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/microchip/clk-mpfs-ccc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: microchip: mpfs-ccc: fix out of bounds access during output registration\n\nUBSAN reported an out of bounds access during registration of the last\ntwo outputs. This out of bounds access occurs because space is only\nallocated in the hws array for two PLLs and the four output dividers\nthat each has, but the defined IDs contain two DLLS and their two\noutputs each, which are not supported by the driver. The ID order is\nPLLs -\u003e DLLs -\u003e PLL outputs -\u003e DLL outputs. Decrement the PLL output IDs\nby two while adding them to the array to avoid the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:01.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ed9b580a814773482c0a4f1be045636e68cc109"
},
{
"url": "https://git.kernel.org/stable/c/47bc7a03449c39805bc2665d3e57c73195d5bcf8"
},
{
"url": "https://git.kernel.org/stable/c/dbfcb09656cb30439577325c9dea2250203c2e3c"
},
{
"url": "https://git.kernel.org/stable/c/a0780aeea166a7cf4706c45af4cadbb2a43a1fc9"
},
{
"url": "https://git.kernel.org/stable/c/f24efd415455b98a1f1cfc6071fe6fde71986706"
},
{
"url": "https://git.kernel.org/stable/c/2f7ae8ab6aa73daaf080d5332110357c29df9c36"
}
],
"title": "clk: microchip: mpfs-ccc: fix out of bounds access during output registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46293",
"datePublished": "2026-06-08T15:46:20.288Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-14T18:07:01.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46296 (GCVE-0-2026-46296)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
VLAI
EPSS
Title
spi: s3c64xx: fix NULL-deref on driver unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: s3c64xx: fix NULL-deref on driver unbind
A change moving DMA channel allocation from probe() back to
s3c64xx_spi_prepare_transfer() failed to remove the corresponding
deallocation from remove().
Drop the bogus DMA channel release from remove() to avoid triggering a
NULL-pointer dereference on driver unbind.
This issue was flagged by Sashiko when reviewing a controller
deregistration fix.
Severity
No CVSS data available.
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/29e219a18e21258bd… | |
| https://git.kernel.org/stable/c/1108b8722b9ff0cdd… | |
| https://git.kernel.org/stable/c/323a258f4b1916b5a… | |
| https://git.kernel.org/stable/c/1b66f16a571a10ba8… | |
| https://git.kernel.org/stable/c/22788b1a8611380b1… | |
| https://git.kernel.org/stable/c/45daacbead8a00984… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7
(git)
Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 1108b8722b9ff0cdd3e8aa18d98244fcd93b6760 (git) Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 323a258f4b1916b5a3098618e036e033b2f2317f (git) Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 1b66f16a571a10ba8889ac471755c8af9c5b9266 (git) Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 22788b1a8611380b141e09a8896702e32d164238 (git) Affected: f52b03c707444c5a3d1a0b9c5724f93ddc3c588e , < 45daacbead8a009844bd5dba6cfa731332184d17 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-s3c64xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "1108b8722b9ff0cdd3e8aa18d98244fcd93b6760",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "323a258f4b1916b5a3098618e036e033b2f2317f",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "1b66f16a571a10ba8889ac471755c8af9c5b9266",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "22788b1a8611380b141e09a8896702e32d164238",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
},
{
"lessThan": "45daacbead8a009844bd5dba6cfa731332184d17",
"status": "affected",
"version": "f52b03c707444c5a3d1a0b9c5724f93ddc3c588e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-s3c64xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: s3c64xx: fix NULL-deref on driver unbind\n\nA change moving DMA channel allocation from probe() back to\ns3c64xx_spi_prepare_transfer() failed to remove the corresponding\ndeallocation from remove().\n\nDrop the bogus DMA channel release from remove() to avoid triggering a\nNULL-pointer dereference on driver unbind.\n\nThis issue was flagged by Sashiko when reviewing a controller\nderegistration fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:10.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e219a18e21258bdb4ee12cecd0e9ec87d7e6a7"
},
{
"url": "https://git.kernel.org/stable/c/1108b8722b9ff0cdd3e8aa18d98244fcd93b6760"
},
{
"url": "https://git.kernel.org/stable/c/323a258f4b1916b5a3098618e036e033b2f2317f"
},
{
"url": "https://git.kernel.org/stable/c/1b66f16a571a10ba8889ac471755c8af9c5b9266"
},
{
"url": "https://git.kernel.org/stable/c/22788b1a8611380b141e09a8896702e32d164238"
},
{
"url": "https://git.kernel.org/stable/c/45daacbead8a009844bd5dba6cfa731332184d17"
}
],
"title": "spi: s3c64xx: fix NULL-deref on driver unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46296",
"datePublished": "2026-06-08T15:46:23.539Z",
"dateReserved": "2026-05-13T15:03:33.110Z",
"dateUpdated": "2026-06-19T12:00:10.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46299 (GCVE-0-2026-46299)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-19 12:00
VLAI
EPSS
Title
hfsplus: fix held lock freed on hfsplus_fill_super()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix held lock freed on hfsplus_fill_super()
hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.
Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.
The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:
=========================
WARNING: held lock freed!
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
-------------------------
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
2 locks held by mount/174:
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
stack backtrace:
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
debug_check_no_locks_freed+0x13a/0x180
kfree+0x16b/0x510
? hfsplus_fill_super+0xcb4/0x18a0
hfsplus_fill_super+0xcb4/0x18a0
? __pfx_hfsplus_fill_super+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x65f/0xc30
? srso_return_thunk+0x5/0x5f
? pointer+0x4ce/0xbf0
? trace_contention_end+0x11c/0x150
? __pfx_pointer+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x79b/0xc30
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? vsnprintf+0x6da/0x1270
? srso_return_thunk+0x5/0x5f
? __mutex_unlock_slowpath+0x157/0x740
? __pfx_vsnprintf+0x10/0x10
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? mark_held_locks+0x49/0x80
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? irqentry_exit+0x17b/0x5e0
? trace_irq_disable.constprop.0+0x116/0x150
? __pfx_hfsplus_fill_super+0x10/0x10
? __pfx_hfsplus_fill_super+0x10/0x10
get_tree_bdev_flags+0x302/0x580
? __pfx_get_tree_bdev_flags+0x10/0x10
? vfs_parse_fs_qstr+0x129/0x1a0
? __pfx_vfs_parse_fs_qstr+0x3/0x10
vfs_get_tree+0x89/0x320
fc_mount+0x10/0x1d0
path_mount+0x5c5/0x21c0
? __pfx_path_mount+0x10/0x10
? trace_irq_enable.constprop.0+0x116/0x150
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? kmem_cache_free+0x307/0x540
? user_path_at+0x51/0x60
? __x64_sys_mount+0x212/0x280
? srso_return_thunk+0x5/0x5f
__x64_sys_mount+0x212/0x280
? __pfx___x64_sys_mount+0x10/0x10
? srso_return_thunk+0x5/0x5f
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
do_syscall_64+0x111/0x680
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffacad55eae
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
RSP: 002b
---truncated---
Severity
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e890656accee4c26d… | |
| https://git.kernel.org/stable/c/6499c9c8ec437a369… | |
| https://git.kernel.org/stable/c/c554ddc87af4d4e4b… | |
| https://git.kernel.org/stable/c/3ca80e3012c8be85b… | |
| https://git.kernel.org/stable/c/041acda6d9f960067… | |
| https://git.kernel.org/stable/c/d309d3308de658d87… | |
| https://git.kernel.org/stable/c/bfbcce6a7b0552a39… | |
| https://git.kernel.org/stable/c/90c500e4fd83fa33c… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < e890656accee4c26d932ea388eb8936a6e22184d
(git)
Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 6499c9c8ec437a369e7e221dad91f6122b50759d (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < c554ddc87af4d4e4be42f8aed1baec9e1c7588e0 (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 041acda6d9f96006703466449c10c9a69590c8b9 (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < d309d3308de658d87c42d97e044c89a226327526 (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc (git) Affected: 89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 , < 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 (git) |
|
| Linux | Linux |
Affected:
3.19
Unaffected: 0 , < 3.19 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e890656accee4c26d932ea388eb8936a6e22184d",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "6499c9c8ec437a369e7e221dad91f6122b50759d",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "c554ddc87af4d4e4be42f8aed1baec9e1c7588e0",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "041acda6d9f96006703466449c10c9a69590c8b9",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "d309d3308de658d87c42d97e044c89a226327526",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
},
{
"lessThan": "90c500e4fd83fa33c09bc7ee23b6d9cc487ac733",
"status": "affected",
"version": "89ac9b4d3d1a049ae1054f99b1aed81092cd0a82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix held lock freed on hfsplus_fill_super()\n\nhfsplus_fill_super() calls hfs_find_init() to initialize a search\nstructure, which acquires tree-\u003etree_lock. If the subsequent call to\nhfsplus_cat_build_key() fails, the function jumps to the out_put_root\nerror label without releasing the lock. The later cleanup path then\nfrees the tree data structure with the lock still held, triggering a\nheld lock freed warning.\n\nFix this by adding the missing hfs_find_exit(\u0026fd) call before jumping\nto the out_put_root error label. This ensures that tree-\u003etree_lock is\nproperly released on the error path.\n\nThe bug was originally detected on v6.13-rc1 using an experimental\nstatic analysis tool we are developing, and we have verified that the\nissue persists in the latest mainline kernel. The tool is specifically\ndesigned to detect memory management issues. It is currently under active\ndevelopment and not yet publicly available.\n\nWe confirmed the bug by runtime testing under QEMU with x86_64 defconfig,\nlockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we\nused GDB to dynamically shrink the max_unistr_len parameter to 1 before\nhfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally\nreturn -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and\nexercises the faulty error path. The following warning was observed\nduring mount:\n\n\t=========================\n\tWARNING: held lock freed!\n\t7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted\n\t-------------------------\n\tmount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!\n\tffff888103f920b0 (\u0026tree-\u003etree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\t2 locks held by mount/174:\n\t#0: ffff888103f960e0 (\u0026type-\u003es_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40\n\t#1: ffff888103f920b0 (\u0026tree-\u003etree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\n\tstack backtrace:\n\tCPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tCall Trace:\n\t\u003cTASK\u003e\n\tdump_stack_lvl+0x82/0xd0\n\tdebug_check_no_locks_freed+0x13a/0x180\n\tkfree+0x16b/0x510\n\t? hfsplus_fill_super+0xcb4/0x18a0\n\thfsplus_fill_super+0xcb4/0x18a0\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x65f/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? pointer+0x4ce/0xbf0\n\t? trace_contention_end+0x11c/0x150\n\t? __pfx_pointer+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x79b/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? vsnprintf+0x6da/0x1270\n\t? srso_return_thunk+0x5/0x5f\n\t? __mutex_unlock_slowpath+0x157/0x740\n\t? __pfx_vsnprintf+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? mark_held_locks+0x49/0x80\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? irqentry_exit+0x17b/0x5e0\n\t? trace_irq_disable.constprop.0+0x116/0x150\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\tget_tree_bdev_flags+0x302/0x580\n\t? __pfx_get_tree_bdev_flags+0x10/0x10\n\t? vfs_parse_fs_qstr+0x129/0x1a0\n\t? __pfx_vfs_parse_fs_qstr+0x3/0x10\n\tvfs_get_tree+0x89/0x320\n\tfc_mount+0x10/0x1d0\n\tpath_mount+0x5c5/0x21c0\n\t? __pfx_path_mount+0x10/0x10\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? kmem_cache_free+0x307/0x540\n\t? user_path_at+0x51/0x60\n\t? __x64_sys_mount+0x212/0x280\n\t? srso_return_thunk+0x5/0x5f\n\t__x64_sys_mount+0x212/0x280\n\t? __pfx___x64_sys_mount+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\tdo_syscall_64+0x111/0x680\n\tentry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7ffacad55eae\n\tCode: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8\n\tRSP: 002b\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:12.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e890656accee4c26d932ea388eb8936a6e22184d"
},
{
"url": "https://git.kernel.org/stable/c/6499c9c8ec437a369e7e221dad91f6122b50759d"
},
{
"url": "https://git.kernel.org/stable/c/c554ddc87af4d4e4be42f8aed1baec9e1c7588e0"
},
{
"url": "https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e"
},
{
"url": "https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9"
},
{
"url": "https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526"
},
{
"url": "https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc"
},
{
"url": "https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733"
}
],
"title": "hfsplus: fix held lock freed on hfsplus_fill_super()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46299",
"datePublished": "2026-06-08T15:46:26.670Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-19T12:00:12.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46301 (GCVE-0-2026-46301)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
VLAI
EPSS
Title
spi: topcliff-pch: fix use-after-free on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: topcliff-pch: fix use-after-free on unbind
Give the driver a chance to flush its queue before releasing the DMA
buffers on driver unbind
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/43334836b907adc21… | |
| https://git.kernel.org/stable/c/36e58c436d2c2a797… | |
| https://git.kernel.org/stable/c/4ca90deeca1c7dd72… | |
| https://git.kernel.org/stable/c/d79e92161b65832e0… | |
| https://git.kernel.org/stable/c/8822980668c96b5aa… | |
| https://git.kernel.org/stable/c/d50ef3553acbacce6… | |
| https://git.kernel.org/stable/c/0e8e57f9737ea2576… | |
| https://git.kernel.org/stable/c/9d72732fe70c11424… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c37f3c2749b53225d36faa5c583203c5f12ae15b , < 43334836b907adc21eab3079d2e6b26754468786
(git)
Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < 36e58c436d2c2a797800427dc04d74ffd8b6ce1c (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < 4ca90deeca1c7dd72c1c380ba8143565516def2d (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < d79e92161b65832e0b8cad5f3d84d17e5cd7a970 (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < 8822980668c96b5aa251c1e2daec1873262b8f3f (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < d50ef3553acbacce6f2843304d41d06dca358bb6 (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < 0e8e57f9737ea257634db1d152fc430a0788a3e1 (git) Affected: c37f3c2749b53225d36faa5c583203c5f12ae15b , < 9d72732fe70c11424bc90ed466c7ccfa58b42a9a (git) |
|
| Linux | Linux |
Affected:
3.1
Unaffected: 0 , < 3.1 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-topcliff-pch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43334836b907adc21eab3079d2e6b26754468786",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "36e58c436d2c2a797800427dc04d74ffd8b6ce1c",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "4ca90deeca1c7dd72c1c380ba8143565516def2d",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "d79e92161b65832e0b8cad5f3d84d17e5cd7a970",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "8822980668c96b5aa251c1e2daec1873262b8f3f",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "d50ef3553acbacce6f2843304d41d06dca358bb6",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "0e8e57f9737ea257634db1d152fc430a0788a3e1",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
},
{
"lessThan": "9d72732fe70c11424bc90ed466c7ccfa58b42a9a",
"status": "affected",
"version": "c37f3c2749b53225d36faa5c583203c5f12ae15b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-topcliff-pch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: topcliff-pch: fix use-after-free on unbind\n\nGive the driver a chance to flush its queue before releasing the DMA\nbuffers on driver unbind"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:38.861Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43334836b907adc21eab3079d2e6b26754468786"
},
{
"url": "https://git.kernel.org/stable/c/36e58c436d2c2a797800427dc04d74ffd8b6ce1c"
},
{
"url": "https://git.kernel.org/stable/c/4ca90deeca1c7dd72c1c380ba8143565516def2d"
},
{
"url": "https://git.kernel.org/stable/c/d79e92161b65832e0b8cad5f3d84d17e5cd7a970"
},
{
"url": "https://git.kernel.org/stable/c/8822980668c96b5aa251c1e2daec1873262b8f3f"
},
{
"url": "https://git.kernel.org/stable/c/d50ef3553acbacce6f2843304d41d06dca358bb6"
},
{
"url": "https://git.kernel.org/stable/c/0e8e57f9737ea257634db1d152fc430a0788a3e1"
},
{
"url": "https://git.kernel.org/stable/c/9d72732fe70c11424bc90ed466c7ccfa58b42a9a"
}
],
"title": "spi: topcliff-pch: fix use-after-free on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46301",
"datePublished": "2026-06-08T15:46:28.004Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:38.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46303 (GCVE-0-2026-46303)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
VLAI
EPSS
Title
isofs: validate Rock Ridge CE continuation extent against volume size
Summary
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate Rock Ridge CE continuation extent against volume size
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
Severity
8.2 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/8356fb821016797f5… | |
| https://git.kernel.org/stable/c/d582e12378bc1637f… | |
| https://git.kernel.org/stable/c/bf1bc673c587f5ef7… | |
| https://git.kernel.org/stable/c/c9b37c8b73f6368e4… | |
| https://git.kernel.org/stable/c/22b36fa081f38ab39… | |
| https://git.kernel.org/stable/c/e69da8eeab74b4f45… | |
| https://git.kernel.org/stable/c/ef048470c90bc8c1b… | |
| https://git.kernel.org/stable/c/a36d990f591320e9d… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 8356fb821016797f5677cbeee5ddc0d32a95b4be
(git)
Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < d582e12378bc1637f337622feef762f53c43fd57 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 22b36fa081f38ab397c7697f9d539211b51a0cfc (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < e69da8eeab74b4f4505024c38a17bce060fe7df8 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < ef048470c90bc8c1b8318bb2ce329da9ef64b9fe (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < a36d990f591320e9dd379ab30063ebfe91d47e1f (git) Affected: 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56 (git) Affected: 212c4d33ca83e2144064fe9c2911607fbed5386f (git) Affected: 96e44adce250199ec9b2b928be66365779ff1b59 (git) Affected: 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 (git) Affected: fbce0d7dc8965c9fb8d411862040239d4a768c71 (git) Affected: 8190393a88f2b0321263a54f2a9eb5a2aa43be7e (git) Affected: 486aa789eadcf44ed87f972b209299c516454693 (git) Affected: b6d20edb6e7cedb4eedb9e0193d20dd488ebae84 (git) Affected: 2.6.32.66 , < 2.6.33 (semver) Affected: 3.2.67 , < 3.3 (semver) Affected: 3.4.107 , < 3.5 (semver) Affected: 3.10.64 , < 3.11 (semver) Affected: 3.12.36 , < 3.13 (semver) Affected: 3.14.28 , < 3.15 (semver) Affected: 3.17.8 , < 3.18 (semver) Affected: 3.18.2 , < 3.19 (semver) |
|
| Linux | Linux |
Affected:
3.19
Unaffected: 0 , < 3.19 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8356fb821016797f5677cbeee5ddc0d32a95b4be",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "d582e12378bc1637f337622feef762f53c43fd57",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "c9b37c8b73f6368e4750e5ccb0632c380b43c6e5",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "22b36fa081f38ab397c7697f9d539211b51a0cfc",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "e69da8eeab74b4f4505024c38a17bce060fe7df8",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "ef048470c90bc8c1b8318bb2ce329da9ef64b9fe",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "a36d990f591320e9dd379ab30063ebfe91d47e1f",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"status": "affected",
"version": "08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56",
"versionType": "git"
},
{
"status": "affected",
"version": "212c4d33ca83e2144064fe9c2911607fbed5386f",
"versionType": "git"
},
{
"status": "affected",
"version": "96e44adce250199ec9b2b928be66365779ff1b59",
"versionType": "git"
},
{
"status": "affected",
"version": "1fe5620fcd6c2f0a4a927ee10c8e53196da392f3",
"versionType": "git"
},
{
"status": "affected",
"version": "fbce0d7dc8965c9fb8d411862040239d4a768c71",
"versionType": "git"
},
{
"status": "affected",
"version": "8190393a88f2b0321263a54f2a9eb5a2aa43be7e",
"versionType": "git"
},
{
"status": "affected",
"version": "486aa789eadcf44ed87f972b209299c516454693",
"versionType": "git"
},
{
"status": "affected",
"version": "b6d20edb6e7cedb4eedb9e0193d20dd488ebae84",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.66",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.67",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.107",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.64",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.36",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.28",
"versionType": "semver"
},
{
"lessThan": "3.18",
"status": "affected",
"version": "3.17.8",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate Rock Ridge CE continuation extent against volume size\n\nrock_continue() reads rs-\u003econt_extent verbatim from the Rock Ridge CE\nrecord and passes it to sb_bread() without checking that the block\nnumber is within the mounted ISO 9660 volume. commit e595447e177b\n(\"[PATCH] rock.c: handle corrupted directories\") added cont_offset\nand cont_size rejection for the CE continuation but did not validate\nthe extent block number itself. commit f54e18f1b831 (\"isofs: Fix\ninfinite looping over CE entries\") later capped the CE chain length\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\n\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\nor via CAP_SYS_ADMIN mount, rs-\u003econt_extent can therefore point at\nan out-of-range block or at blocks belonging to an adjacent\nfilesystem on the same block device. sb_bread() on an out-of-range\nblock returns NULL cleanly via the block layer EIO path, so there\nis no memory-safety violation. For in-range reads of adjacent-\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\nonly the text of SL sub-records reaches userspace through\nreadlink(), which makes the info-leak channel narrow and difficult\nto exploit; still, rejecting the malformed CE outright matches the\nrejection shape already present in the same function for\ncont_offset and cont_size.\n\nAdd an ISOFS_SB(sb)-\u003es_nzones bounds check to rock_continue() next\nto the existing offset/size rejection, printing the same\ncorrupted-directory-entry notice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:47.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be"
},
{
"url": "https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57"
},
{
"url": "https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9"
},
{
"url": "https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5"
},
{
"url": "https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc"
},
{
"url": "https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8"
},
{
"url": "https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe"
},
{
"url": "https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f"
}
],
"title": "isofs: validate Rock Ridge CE continuation extent against volume size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46303",
"datePublished": "2026-06-08T15:46:30.642Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:47.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46304 (GCVE-0-2026-46304)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
VLAI
EPSS
Title
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the
final controller reference through nvmet_cq_put(). If that triggers
nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on
the same nvmet-wq.
Call chain:
nvmet_tcp_schedule_release_queue()
kref_put(&queue->kref, nvmet_tcp_release_queue)
nvmet_tcp_release_queue()
queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq
process_one_work()
nvmet_tcp_release_queue_work()
nvmet_cq_put(&queue->nvme_cq)
nvmet_cq_destroy()
nvmet_ctrl_put(cq->ctrl)
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work) <--- nvmet_wq
Previously Scheduled by :-
nvmet_add_async_event
queue_work(nvmet_wq, &ctrl->async_event_work);
This trips lockdep with a possible recursive locking warning.
[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55
[ 5223.061801] loop0: detected capacity change from 0 to 2097152
[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery"
[ 5233.227718] ============================================
[ 5233.231283] WARNING: possible recursive locking detected
[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N
[ 5233.238434] --------------------------------------------
[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:
[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
[ 5233.251438]
but task is already holding lock:
[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.261125]
other info that might help us debug this:
[ 5233.265333] Possible unsafe locking scenario:
[ 5233.269217] CPU0
[ 5233.270795] ----
[ 5233.272436] lock((wq_completion)nvmet-wq);
[ 5233.275241] lock((wq_completion)nvmet-wq);
[ 5233.278020]
*** DEADLOCK ***
[ 5233.281793] May be due to missing lock nesting notation
[ 5233.286195] 3 locks held by kworker/u192:6/2413:
[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0
[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0
[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
[ 5233.304290]
stack backtrace:
[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full)
[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST
[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]
[ 5233.306532] Call Trace:
[ 5233.306534] <TASK>
[ 5233.306536] dump_stack_lvl+0x73/0xb0
[ 5233.306552] print_deadlock_bug+0x225/0x2f0
[ 5233.306556] __lock_acquire+0x13f0/0x2290
[ 5233.306563] lock_acquire+0xd0/0x300
[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306571] ? __flush_work+0x20b/0x530
[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90
[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90
[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90
[ 52
---truncated---
Severity
7.5 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/ae5b0cad163833e10… | |
| https://git.kernel.org/stable/c/8d66ba89480ff098a… | |
| https://git.kernel.org/stable/c/a696fbbd5240b4ac9… | |
| https://git.kernel.org/stable/c/9a4d7222c0955b221… | |
| https://git.kernel.org/stable/c/ee6e20c4bc9eae542… | |
| https://git.kernel.org/stable/c/781f47d641432c26c… | |
| https://git.kernel.org/stable/c/551f445a56a11a645… | |
| https://git.kernel.org/stable/c/aade8abd8b868b6ff… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < ae5b0cad163833e10b271e9becc05d81dae56e5f
(git)
Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 8d66ba89480ff098a58d79003a505f383aa4e920 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < a696fbbd5240b4ac9b166f7bd4c550882ff543f1 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 9a4d7222c0955b221e38bb66d10e6bccb672c8a1 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < ee6e20c4bc9eae542a0954a368449532383169d4 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 781f47d641432c26c19625b2cdd7f40825097592 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < 551f445a56a11a6457550cddcf39c9ebb8bcacc6 (git) Affected: 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 , < aade8abd8b868b6ffa9697aadaea28ec7f65bee6 (git) Affected: 3976dd677e891c0b2c63d08028d445663539472c (git) Affected: 4.9.68 , < 4.10 (semver) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae5b0cad163833e10b271e9becc05d81dae56e5f",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "8d66ba89480ff098a58d79003a505f383aa4e920",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "a696fbbd5240b4ac9b166f7bd4c550882ff543f1",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "9a4d7222c0955b221e38bb66d10e6bccb672c8a1",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "ee6e20c4bc9eae542a0954a368449532383169d4",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "781f47d641432c26c19625b2cdd7f40825097592",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "551f445a56a11a6457550cddcf39c9ebb8bcacc6",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"lessThan": "aade8abd8b868b6ffa9697aadaea28ec7f65bee6",
"status": "affected",
"version": "06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5",
"versionType": "git"
},
{
"status": "affected",
"version": "3976dd677e891c0b2c63d08028d445663539472c",
"versionType": "git"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.68",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free\n\nnvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the\nfinal controller reference through nvmet_cq_put(). If that triggers\nnvmet_ctrl_free(), the teardown path flushes ctrl-\u003easync_event_work on\nthe same nvmet-wq.\n\nCall chain:\n\n nvmet_tcp_schedule_release_queue()\n kref_put(\u0026queue-\u003ekref, nvmet_tcp_release_queue)\n nvmet_tcp_release_queue()\n queue_work(nvmet_wq, \u0026queue-\u003erelease_work) \u003c--- nvmet_wq\n process_one_work()\n nvmet_tcp_release_queue_work()\n nvmet_cq_put(\u0026queue-\u003envme_cq)\n nvmet_cq_destroy()\n nvmet_ctrl_put(cq-\u003ectrl)\n nvmet_ctrl_free()\n flush_work(\u0026ctrl-\u003easync_event_work) \u003c--- nvmet_wq\n\n Previously Scheduled by :-\n\t\t nvmet_add_async_event\n\t\t queue_work(nvmet_wq, \u0026ctrl-\u003easync_event_work);\n\nThis trips lockdep with a possible recursive locking warning.\n\n[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55\n[ 5223.061801] loop0: detected capacity change from 0 to 2097152\n[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1\n[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420)\n[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.\n[ 5223.128453] nvme nvme1: new ctrl: NQN \"nqn.2014-08.org.nvmexpress.discovery\", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349\n[ 5233.199447] nvme nvme1: Removing ctrl: NQN \"nqn.2014-08.org.nvmexpress.discovery\"\n\n[ 5233.227718] ============================================\n[ 5233.231283] WARNING: possible recursive locking detected\n[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N\n[ 5233.238434] --------------------------------------------\n[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock:\n[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n[ 5233.251438]\n but task is already holding lock:\n[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0\n[ 5233.261125]\n other info that might help us debug this:\n[ 5233.265333] Possible unsafe locking scenario:\n\n[ 5233.269217] CPU0\n[ 5233.270795] ----\n[ 5233.272436] lock((wq_completion)nvmet-wq);\n[ 5233.275241] lock((wq_completion)nvmet-wq);\n[ 5233.278020]\n *** DEADLOCK ***\n\n[ 5233.281793] May be due to missing lock nesting notation\n\n[ 5233.286195] 3 locks held by kworker/u192:6/2413:\n[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0\n[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(\u0026queue-\u003erelease_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0\n[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n[ 5233.304290]\n stack backtrace:\n[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full)\n[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST\n[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp]\n[ 5233.306532] Call Trace:\n[ 5233.306534] \u003cTASK\u003e\n[ 5233.306536] dump_stack_lvl+0x73/0xb0\n[ 5233.306552] print_deadlock_bug+0x225/0x2f0\n[ 5233.306556] __lock_acquire+0x13f0/0x2290\n[ 5233.306563] lock_acquire+0xd0/0x300\n[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90\n[ 5233.306571] ? __flush_work+0x20b/0x530\n[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90\n[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90\n[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90\n[ 52\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:50.649Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae5b0cad163833e10b271e9becc05d81dae56e5f"
},
{
"url": "https://git.kernel.org/stable/c/8d66ba89480ff098a58d79003a505f383aa4e920"
},
{
"url": "https://git.kernel.org/stable/c/a696fbbd5240b4ac9b166f7bd4c550882ff543f1"
},
{
"url": "https://git.kernel.org/stable/c/9a4d7222c0955b221e38bb66d10e6bccb672c8a1"
},
{
"url": "https://git.kernel.org/stable/c/ee6e20c4bc9eae542a0954a368449532383169d4"
},
{
"url": "https://git.kernel.org/stable/c/781f47d641432c26c19625b2cdd7f40825097592"
},
{
"url": "https://git.kernel.org/stable/c/551f445a56a11a6457550cddcf39c9ebb8bcacc6"
},
{
"url": "https://git.kernel.org/stable/c/aade8abd8b868b6ffa9697aadaea28ec7f65bee6"
}
],
"title": "nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46304",
"datePublished": "2026-06-08T15:46:31.747Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:50.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46306 (GCVE-0-2026-46306)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:08
VLAI
EPSS
Title
flow_dissector: do not dissect PPPoE PFC frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
flow_dissector: do not dissect PPPoE PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
$ 0 : 00000000 80c40000 00000000 85144817
$ 4 : 00000008 00000100 80a75758 81dc9bb8
$ 8 : 00000010 8087ae2c 0000003d 00000000
$12 : 000000e0 00000039 00000000 00000000
$16 : 85043240 80a75758 81dc9bb8 00006488
$20 : 0000002f 00000007 85144810 80a70000
$24 : 81d1bda0 00000000
$28 : 81dc8000 81dc9aa8 00000000 805ead08
Hi : 00009d51
Lo : 2163358a
epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403 KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c
Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000
To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.
[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Severity
7.5 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e7c811ca372d53c2b… | |
| https://git.kernel.org/stable/c/abc5bc84e0f2edc7e… | |
| https://git.kernel.org/stable/c/18ae9eacfc95cc715… | |
| https://git.kernel.org/stable/c/db104b0d8a7856397… | |
| https://git.kernel.org/stable/c/6044392d9cace3a36… | |
| https://git.kernel.org/stable/c/0d00b901506971294… | |
| https://git.kernel.org/stable/c/7c93f353eab4ea911… | |
| https://git.kernel.org/stable/c/d6c19b31a3c1d519f… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
10f665b52a75df6eb26ddebbbc072ee264183731 , < e7c811ca372d53c2be7d01a1614e71fae1054836
(git)
Affected: d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8 , < abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < db104b0d8a7856397c0469d83a4289adf7c54863 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 6044392d9cace3a3672b02c8bc7d38b502e51734 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 0d00b9015069712944934bab09eaa6c542143049 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 7c93f353eab4ea911e394630f07d72e040a729d8 (git) Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7c811ca372d53c2be7d01a1614e71fae1054836",
"status": "affected",
"version": "10f665b52a75df6eb26ddebbbc072ee264183731",
"versionType": "git"
},
{
"lessThan": "abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200",
"status": "affected",
"version": "d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8",
"versionType": "git"
},
{
"lessThan": "18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "db104b0d8a7856397c0469d83a4289adf7c54863",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "6044392d9cace3a3672b02c8bc7d38b502e51734",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "0d00b9015069712944934bab09eaa6c542143049",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "7c93f353eab4ea911e394630f07d72e040a729d8",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "d6c19b31a3c1d519fabdcf0aa239e6b6109b9473",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nflow_dissector: do not dissect PPPoE PFC frames\n\nRFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT\nRECOMMENDED for PPPoE. In practice, pppd does not support negotiating\nPFC for PPPoE sessions, and the flow dissector driver has assumed an\nuncompressed frame until the blamed commit.\n\nDuring the review process of that commit [1], support for PFC is\nsuggested. However, having a compressed (1-byte) protocol field means\nthe subsequent PPP payload is shifted by one byte, causing 4-byte\nmisalignment for the network header and an unaligned access exception\non some architectures.\n\nThe exception can be reproduced by sending a PPPoE PFC frame to an\nethernet interface of a MIPS board, with RPS enabled, even if no PPPoE\nsession is active on that interface:\n\n$ 0 : 00000000 80c40000 00000000 85144817\n$ 4 : 00000008 00000100 80a75758 81dc9bb8\n$ 8 : 00000010 8087ae2c 0000003d 00000000\n$12 : 000000e0 00000039 00000000 00000000\n$16 : 85043240 80a75758 81dc9bb8 00006488\n$20 : 0000002f 00000007 85144810 80a70000\n$24 : 81d1bda0 00000000\n$28 : 81dc8000 81dc9aa8 00000000 805ead08\nHi : 00009d51\nLo : 2163358a\nepc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50\nra : 805ead08 __skb_get_hash_net+0x74/0x12c\nStatus: 11000403 KERNEL EXL IE\nCause : 40800010 (ExcCode 04)\nBadVA : 85144817\nPrId : 0001992f (MIPS 1004Kc)\nCall Trace:\n[\u003c805e91f0\u003e] __skb_flow_dissect+0x1b0/0x1b50\n[\u003c805ead08\u003e] __skb_get_hash_net+0x74/0x12c\n[\u003c805ef330\u003e] get_rps_cpu+0x1b8/0x3fc\n[\u003c805fca70\u003e] netif_receive_skb_list_internal+0x324/0x364\n[\u003c805fd120\u003e] napi_complete_done+0x68/0x2a4\n[\u003c8058de5c\u003e] mtk_napi_rx+0x228/0xfec\n[\u003c805fd398\u003e] __napi_poll+0x3c/0x1c4\n[\u003c805fd754\u003e] napi_threaded_poll_loop+0x234/0x29c\n[\u003c805fd848\u003e] napi_threaded_poll+0x8c/0xb0\n[\u003c80053544\u003e] kthread+0x104/0x12c\n[\u003c80002bd8\u003e] ret_from_kernel_thread+0x14/0x1c\n\nCode: 02d51821 1060045b 00000000 \u003c8c640000\u003e 3084000f 2c820005 144001a2 00042080 8e220000\n\nTo reduce the attack surface and maintain performance, do not process\nPPPoE PFC frames.\n\n[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:00.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7c811ca372d53c2be7d01a1614e71fae1054836"
},
{
"url": "https://git.kernel.org/stable/c/abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200"
},
{
"url": "https://git.kernel.org/stable/c/18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3"
},
{
"url": "https://git.kernel.org/stable/c/db104b0d8a7856397c0469d83a4289adf7c54863"
},
{
"url": "https://git.kernel.org/stable/c/6044392d9cace3a3672b02c8bc7d38b502e51734"
},
{
"url": "https://git.kernel.org/stable/c/0d00b9015069712944934bab09eaa6c542143049"
},
{
"url": "https://git.kernel.org/stable/c/7c93f353eab4ea911e394630f07d72e040a729d8"
},
{
"url": "https://git.kernel.org/stable/c/d6c19b31a3c1d519fabdcf0aa239e6b6109b9473"
}
],
"title": "flow_dissector: do not dissect PPPoE PFC frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46306",
"datePublished": "2026-06-08T15:46:33.936Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:00.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…