Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0809
Vulnerability from certfr_avis - Published: 2026-06-26 - Updated: 2026-06-26
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-45842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45842"
},
{
"name": "CVE-2026-45845",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45845"
},
{
"name": "CVE-2025-22069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22069"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-31486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31486"
},
{
"name": "CVE-2026-23346",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23346"
},
{
"name": "CVE-2026-23247",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23247"
},
{
"name": "CVE-2026-46170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46170"
},
{
"name": "CVE-2026-46117",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46117"
},
{
"name": "CVE-2025-71289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71289"
},
{
"name": "CVE-2026-31613",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31613"
},
{
"name": "CVE-2026-43331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43331"
},
{
"name": "CVE-2026-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46158"
},
{
"name": "CVE-2026-46320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46320"
},
{
"name": "CVE-2026-46137",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46137"
},
{
"name": "CVE-2026-45841",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45841"
},
{
"name": "CVE-2026-46331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46331"
},
{
"name": "CVE-2026-23469",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23469"
},
{
"name": "CVE-2026-31420",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31420"
},
{
"name": "CVE-2026-46203",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46203"
},
{
"name": "CVE-2026-31663",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31663"
},
{
"name": "CVE-2026-45846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45846"
},
{
"name": "CVE-2026-46323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46323"
},
{
"name": "CVE-2025-68768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68768"
},
{
"name": "CVE-2026-46315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46315"
},
{
"name": "CVE-2025-68251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68251"
},
{
"name": "CVE-2026-46321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46321"
},
{
"name": "CVE-2026-52908",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52908"
},
{
"name": "CVE-2026-45840",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45840"
},
{
"name": "CVE-2026-45844",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45844"
},
{
"name": "CVE-2026-52910",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52910"
},
{
"name": "CVE-2026-45930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45930"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46244",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46244"
},
{
"name": "CVE-2026-31717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31717"
},
{
"name": "CVE-2026-52911",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52911"
},
{
"name": "CVE-2026-45843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45843"
},
{
"name": "CVE-2026-46316",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46316"
},
{
"name": "CVE-2026-46160",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46160"
},
{
"name": "CVE-2026-43303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43303"
},
{
"name": "CVE-2026-43245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43245"
},
{
"name": "CVE-2026-52909",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52909"
},
{
"name": "CVE-2026-23394",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23394"
},
{
"name": "CVE-2026-45838",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45838"
},
{
"name": "CVE-2026-23272",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23272"
},
{
"name": "CVE-2026-31560",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31560"
},
{
"name": "CVE-2026-46216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46216"
},
{
"name": "CVE-2026-46275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46275"
},
{
"name": "CVE-2026-45850",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45850"
},
{
"name": "CVE-2026-43116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43116"
},
{
"name": "CVE-2026-46322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46322"
},
{
"name": "CVE-2026-45839",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45839"
},
{
"name": "CVE-2026-43219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43219"
}
],
"initial_release_date": "2026-06-26T00:00:00",
"last_revision_date": "2026-06-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0809",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian",
"vendor_advisories": [
{
"published_at": "2026-06-21",
"title": "Bulletin de s\u00e9curit\u00e9 Debian msg00266",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00266.html"
}
]
}
CVE-2026-45838 (GCVE-0-2026-45838)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.
Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
de9cbbaadba5adf88a19e46df61f7054000838f6 , < 0f3d9dd5e1fd52b39e25328307c6a694e994ffe3
(git)
Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 26d3339e465e54107bd85884341d1609c5300d6a (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6 (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < b4b5a20bed82130da2f2818f04d52378952fbd0b (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 85a2f30e40f7468db732f55659bc6318874f49af (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 32ce55d424395904986f5066f8755f6cb9993377 (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < fc39753b7f92e09177777e9c648afe5aa3abb81f (git) Affected: de9cbbaadba5adf88a19e46df61f7054000838f6 , < 5828b9e5b272ecff7cf5d345128d3de7324117f7 (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f3d9dd5e1fd52b39e25328307c6a694e994ffe3",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "26d3339e465e54107bd85884341d1609c5300d6a",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "b4b5a20bed82130da2f2818f04d52378952fbd0b",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "85a2f30e40f7468db732f55659bc6318874f49af",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "32ce55d424395904986f5066f8755f6cb9993377",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "fc39753b7f92e09177777e9c648afe5aa3abb81f",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
},
{
"lessThan": "5828b9e5b272ecff7cf5d345128d3de7324117f7",
"status": "affected",
"version": "de9cbbaadba5adf88a19e46df61f7054000838f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage-\u003ekey from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:05.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3"
},
{
"url": "https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a"
},
{
"url": "https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6"
},
{
"url": "https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b"
},
{
"url": "https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af"
},
{
"url": "https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377"
},
{
"url": "https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f"
},
{
"url": "https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7"
}
],
"title": "bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45838",
"datePublished": "2026-05-27T09:24:36.561Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:05.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45839 (GCVE-0-2026-45839)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.
When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:
BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>
CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ddc7c3042614e273044f698d2beab25cc3842d45 , < a9e777f856cd2f1efc106afc7bf21aef868509d5
(git)
Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 669349b4612c26b3d7aacfa99d7174681bd19223 (git) Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 3ff85ae79e1a74baeb916b78a63d821f6d19a994 (git) Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a (git) Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 76f2ebaf79a9ae6d0737b87f045fe769e425d78f (git) Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2 (git) Affected: ddc7c3042614e273044f698d2beab25cc3842d45 , < 1c22483a2c4bbf747787f328392ca3e68619c4dc (git) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/lib/bpf/relo_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9e777f856cd2f1efc106afc7bf21aef868509d5",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "669349b4612c26b3d7aacfa99d7174681bd19223",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "3ff85ae79e1a74baeb916b78a63d821f6d19a994",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "76f2ebaf79a9ae6d0737b87f045fe769e425d78f",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
},
{
"lessThan": "1c22483a2c4bbf747787f328392ca3e68619c4dc",
"status": "affected",
"version": "ddc7c3042614e273044f698d2beab25cc3842d45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/lib/bpf/relo_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted. The\nsubsequent bounds checks (access_idx \u003e= btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) \u003e= (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array. A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\n(default on major distributions). The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n \u003cTASK\u003e\n bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n bpf_core_apply (kernel/bpf/btf.c:9507)\n check_core_relo (kernel/bpf/verifier.c:19475)\n bpf_check (kernel/bpf/verifier.c:26031)\n bpf_prog_load (kernel/bpf/syscall.c:3089)\n __sys_bpf (kernel/bpf/syscall.c:6228)\n \u003c/TASK\u003e\n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:08.677Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9e777f856cd2f1efc106afc7bf21aef868509d5"
},
{
"url": "https://git.kernel.org/stable/c/669349b4612c26b3d7aacfa99d7174681bd19223"
},
{
"url": "https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994"
},
{
"url": "https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a"
},
{
"url": "https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f"
},
{
"url": "https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2"
},
{
"url": "https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc"
}
],
"title": "bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45839",
"datePublished": "2026-05-27T09:24:37.855Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:08.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45840 (GCVE-0-2026-45840)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
openvswitch: cap upcall PID array size and pre-size vport replies
Summary
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: cap upcall PID array size and pre-size vport replies
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 8d59b80e69dddb665eb2de36e62859ab2073470e
(git)
Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < b39f763d720d623218bc1d95ace6855d7b474e81 (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f9ef3db77a383d66847fd082c2b437d8ae4d9c63 (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f99ac36b5d7c719d08a69fcdecce40f78a874e15 (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 1d6c02b86329883aa467a3a61f8d34369db73a2f (git) Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c",
"net/openvswitch/vport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d59b80e69dddb665eb2de36e62859ab2073470e",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "b39f763d720d623218bc1d95ace6855d7b474e81",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "f9ef3db77a383d66847fd082c2b437d8ae4d9c63",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "f99ac36b5d7c719d08a69fcdecce40f78a874e15",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "1d6c02b86329883aa467a3a61f8d34369db73a2f",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
},
{
"lessThan": "2091c6aa0df6aba47deb5c8ab232b1cb60af3519",
"status": "affected",
"version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c",
"net/openvswitch/vport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: cap upcall PID array size and pre-size vport replies\n\nThe vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids(). Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err \u003c 0). On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n genl_rcv_msg (net/netlink/genetlink.c:1194)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sys_sendto (net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:11.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e"
},
{
"url": "https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0"
},
{
"url": "https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81"
},
{
"url": "https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63"
},
{
"url": "https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15"
},
{
"url": "https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704"
},
{
"url": "https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f"
},
{
"url": "https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519"
}
],
"title": "openvswitch: cap upcall PID array size and pre-size vport replies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45840",
"datePublished": "2026-05-27T09:24:39.478Z",
"dateReserved": "2026-05-13T15:03:33.077Z",
"dateUpdated": "2026-06-14T17:46:11.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45841 (GCVE-0-2026-45841)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < cb833bbc1b3c51e08652d3c86298307c07d3f2db
(git)
Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 26900306a5a2c3e4f75c643a064525526bb6e5f3 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 0694618cf3e9b120666e31f5f383a6e466d95a0d (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 8def8fbd23f40e945febe913d04b731012ce0082 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < c55940895245d8ef658ab381248a28755218d625 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 9a05e195618a6d474f2bcd5b6376d0ffc2f00366 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 2195574dc6d9017d32ac346987e12659f931d932 (git) |
|
| Linux | Linux |
Affected:
2.6.31
Unaffected: 0 , < 2.6.31 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb833bbc1b3c51e08652d3c86298307c07d3f2db",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "26900306a5a2c3e4f75c643a064525526bb6e5f3",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "0694618cf3e9b120666e31f5f383a6e466d95a0d",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "8def8fbd23f40e945febe913d04b731012ce0082",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "c55940895245d8ef658ab381248a28755218d625",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "9a05e195618a6d474f2bcd5b6376d0ffc2f00366",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "2195574dc6d9017d32ac346987e12659f931d932",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx-\u003ewindow % f-\u003ewss.val in the\nOSF_WSS_MODULO branch with no guard for f-\u003ewss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f-\u003ewss is per-fingerprint, not per-option, so\nthe check must run regardless of f-\u003eopt_num (including 0). Also\nreject wss.wc \u003e= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \u003cIRQ\u003e\n nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n nf_hook_slow (net/netfilter/core.c:622)\n ip_local_deliver (net/ipv4/ip_input.c:265)\n ip_rcv (include/linux/skbuff.h:1162)\n __netif_receive_skb_one_core (net/core/dev.c:6181)\n process_backlog (net/core/dev.c:6642)\n __napi_poll (net/core/dev.c:7710)\n net_rx_action (net/core/dev.c:7945)\n handle_softirqs (kernel/softirq.c:622)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:14.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db"
},
{
"url": "https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3"
},
{
"url": "https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d"
},
{
"url": "https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082"
},
{
"url": "https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625"
},
{
"url": "https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f"
},
{
"url": "https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366"
},
{
"url": "https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932"
}
],
"title": "netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45841",
"datePublished": "2026-05-27T09:24:40.805Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:14.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45842 (GCVE-0-2026-45842)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
slip: reject VJ receive packets on instances with no rstate array
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: reject VJ receive packets on instances with no rstate array
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 3d71c961febddd855d3ae9a519eeb96c8023f430
(git)
Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 72304fec672e8aac9ee7b9c475db96b37cca8d8d (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 4aa9eca6fda2919027dfd7a7cc69334982d89586 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < c6980e8b1a86288167f34966fa5219031999b6f1 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < de42f86e2cf5028a97e74c25869d1a962b13c301 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 9e1ff0eead073c4f46d874ad2526b7dda5465faf (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 7b0d9e878ec2b21d99ae8051b3dda59cdb66c152 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < e76607442d5b73e1ba6768f501ef815bb58c2c0e (git) Affected: 42fc512469e78939c1e419d3310c47de55bdcbb8 (git) Affected: df085f1cb3acd3d75408ff94f366983873bce7d2 (git) Affected: a1c3860d3c5fc62bd35f089bcb03f18a37242de9 (git) Affected: f82699de104eaf8a7ffc2849a566a94818dd8a3c (git) Affected: 354b254af5c1350de9586af75fe5a821b35bfb33 (git) Affected: 5148857f5d4c812cc918cf4627f7880521e987eb (git) Affected: 82185755d90c8047c6f4b589c39998ff3d4ca3ad (git) Affected: a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d (git) Affected: 6b4fa561e26526c62636414d267342c945084f44 (git) Affected: 2.6.32.70 , < 2.6.33 (semver) Affected: 3.2.75 , < 3.3 (semver) Affected: 3.4.111 , < 3.5 (semver) Affected: 3.10.96 , < 3.11 (semver) Affected: 3.12.53 , < 3.13 (semver) Affected: 3.14.60 , < 3.15 (semver) Affected: 3.18.27 , < 3.19 (semver) Affected: 4.1.17 , < 4.2 (semver) Affected: 4.3.5 , < 4.4 (semver) |
|
| Linux | Linux |
Affected:
4.4
Unaffected: 0 , < 4.4 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d71c961febddd855d3ae9a519eeb96c8023f430",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "72304fec672e8aac9ee7b9c475db96b37cca8d8d",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "4aa9eca6fda2919027dfd7a7cc69334982d89586",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
"status": "affected",
"version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
"versionType": "git"
},
{
"status": "affected",
"version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
"versionType": "git"
},
{
"status": "affected",
"version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
"versionType": "git"
},
{
"status": "affected",
"version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
"versionType": "git"
},
{
"status": "affected",
"version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
"versionType": "git"
},
{
"status": "affected",
"version": "354b254af5c1350de9586af75fe5a821b35bfb33",
"versionType": "git"
},
{
"status": "affected",
"version": "5148857f5d4c812cc918cf4627f7880521e987eb",
"versionType": "git"
},
{
"status": "affected",
"version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
"versionType": "git"
},
{
"status": "affected",
"version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
"versionType": "git"
},
{
"status": "affected",
"version": "6b4fa561e26526c62636414d267342c945084f44",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.70",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.75",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.111",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.96",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.53",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.60",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.27",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.17",
"versionType": "semver"
},
{
"lessThan": "4.4",
"status": "affected",
"version": "4.3.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n \u003cTASK\u003e\n ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n tasklet_action_common (kernel/softirq.c:926)\n handle_softirqs (kernel/softirq.c:623)\n run_ksoftirqd (kernel/softirq.c:1055)\n smpboot_thread_fn (kernel/smpboot.c:160)\n kthread (kernel/kthread.c:436)\n ret_from_fork (arch/x86/kernel/process.c:164)\n \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:17.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430"
},
{
"url": "https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d"
},
{
"url": "https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586"
},
{
"url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
},
{
"url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
},
{
"url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
},
{
"url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
},
{
"url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
}
],
"title": "slip: reject VJ receive packets on instances with no rstate array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45842",
"datePublished": "2026-05-27T09:24:42.637Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:17.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45843 (GCVE-0-2026-45843)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
slip: bound decode() reads against the compressed packet length
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: bound decode() reads against the compressed packet length
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Severity
8.2 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6268f01ae989013671b526c883e92655342c6f6f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9aafba2f49e1fcccc2018816f5836a609c925879 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 335957df4ed60f02a2ec0432fbedbf0cc7241d8b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37537e42e6df387398bee85cb85070cc80bb1e10 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4cefe32639933d652614b0bd50f818f9af4af78f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d42bec6e4f6d6d658be365539400b3314b76b2a7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6268f01ae989013671b526c883e92655342c6f6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9aafba2f49e1fcccc2018816f5836a609c925879",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "335957df4ed60f02a2ec0432fbedbf0cc7241d8b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "37537e42e6df387398bee85cb85070cc80bb1e10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4cefe32639933d652614b0bd50f818f9af4af78f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d42bec6e4f6d6d658be365539400b3314b76b2a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/slip/slhc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: bound decode() reads against the compressed packet length\n\nslhc_uncompress() parses a VJ-compressed TCP header by advancing a\npointer through the packet via decode() and pull16(). Neither helper\nbounds-checks against isize, and decode() masks its return with\n\u0026 0xffff so it can never return the -1 that callers test for -- those\nerror paths are dead code.\n\nA short compressed frame whose change byte requests optional fields\nlets decode() read past the end of the packet. The over-read bytes\nare folded into the cached cstate and reflected into subsequent\nreconstructed packets.\n\nMake decode() and pull16() take the packet end pointer and return -1\nwhen exhausted. Add a bounds check before the TCP-checksum read.\nThe existing == -1 tests now do what they were always meant to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:20.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f"
},
{
"url": "https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879"
},
{
"url": "https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b"
},
{
"url": "https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10"
},
{
"url": "https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f"
},
{
"url": "https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d"
},
{
"url": "https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7"
},
{
"url": "https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7"
}
],
"title": "slip: bound decode() reads against the compressed packet length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45843",
"datePublished": "2026-05-27T09:24:45.516Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:20.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45844 (GCVE-0-2026-45844)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Weiming Shi says:
"arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.
As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.
The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
Mangle the original patch to always return 0 (no match) in case user
matches on the target hardware address which is never present in
IEEE1394.
Note that this returns 0 (no match) for either normal and inverse match
because matching in the target hardware address in ARPHRD_IEEE1394 has
never been supported by arptables. This is intentional, matching on the
target hardware address should never evaluate true for ARPHRD_IEEE1394.
Moreover, adjust arpt_mangle to drop the packet too as AI suggests:
In arpt_mangle, the logic assumes a standard ARP layout. Because
IEEE1394 (FireWire) omits the target hardware address, the linear
pointer arithmetic miscalculates the offset for the target IP address.
This causes mangling operations to write to the wrong location, leading
to packet corruption. To ensure safety, this patch drops packets
(NF_DROP) when mangling is requested for these fields on IEEE1394
devices, as the current implementation cannot correctly map the FireWire
ARP payload.
This omits both mangling target hardware and IP address. Even if IP
address mangling should be possible in IEEE1394, this would require
to adjust arpt_mangle offset calculation, which has never been
supported.
Based on patch from Weiming Shi <bestswngs@gmail.com>.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 0f23a1457695f1a61f64367e39f0f9cfa29947d1
(git)
Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 1e285362ef7096eb12733370d59e033f4a1d294a (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 84e8536c981338d0d8cc6e712cf71a936a93e13f (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 03ea11dbefaa55c502735ee551c89ef773fe753b (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 1c55053f8ffdc060006df898fd3664e3d1bfac7b (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < ac698d81fd6619c7504cee913f1cab5285fba1b7 (git) Affected: 6752c8db8e0cfedb44ba62806dd15b383ed64000 , < 1e8e3f449b1e73b73a843257635b9c50f0cc0f0a (git) |
|
| Linux | Linux |
Affected:
3.10
Unaffected: 0 , < 3.10 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/arpt_mangle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f23a1457695f1a61f64367e39f0f9cfa29947d1",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1e285362ef7096eb12733370d59e033f4a1d294a",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "84e8536c981338d0d8cc6e712cf71a936a93e13f",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "03ea11dbefaa55c502735ee551c89ef773fe753b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1c55053f8ffdc060006df898fd3664e3d1bfac7b",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "ac698d81fd6619c7504cee913f1cab5285fba1b7",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
},
{
"lessThan": "1e8e3f449b1e73b73a843257635b9c50f0cc0f0a",
"status": "affected",
"version": "6752c8db8e0cfedb44ba62806dd15b383ed64000",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/netfilter/arp_tables.c",
"net/ipv4/netfilter/arpt_mangle.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: arp_tables: fix IEEE1394 ARP payload parsing\n\nWeiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nMangle the original patch to always return 0 (no match) in case user\nmatches on the target hardware address which is never present in\nIEEE1394.\n\nNote that this returns 0 (no match) for either normal and inverse match\nbecause matching in the target hardware address in ARPHRD_IEEE1394 has\nnever been supported by arptables. This is intentional, matching on the\ntarget hardware address should never evaluate true for ARPHRD_IEEE1394.\n\nMoreover, adjust arpt_mangle to drop the packet too as AI suggests:\n\nIn arpt_mangle, the logic assumes a standard ARP layout. Because\nIEEE1394 (FireWire) omits the target hardware address, the linear\npointer arithmetic miscalculates the offset for the target IP address.\nThis causes mangling operations to write to the wrong location, leading\nto packet corruption. To ensure safety, this patch drops packets\n(NF_DROP) when mangling is requested for these fields on IEEE1394\ndevices, as the current implementation cannot correctly map the FireWire\nARP payload.\n\nThis omits both mangling target hardware and IP address. Even if IP\naddress mangling should be possible in IEEE1394, this would require\nto adjust arpt_mangle offset calculation, which has never been\nsupported.\n\nBased on patch from Weiming Shi \u003cbestswngs@gmail.com\u003e."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:23.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f23a1457695f1a61f64367e39f0f9cfa29947d1"
},
{
"url": "https://git.kernel.org/stable/c/1e285362ef7096eb12733370d59e033f4a1d294a"
},
{
"url": "https://git.kernel.org/stable/c/84e8536c981338d0d8cc6e712cf71a936a93e13f"
},
{
"url": "https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b"
},
{
"url": "https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b"
},
{
"url": "https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b"
},
{
"url": "https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7"
},
{
"url": "https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a"
}
],
"title": "netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45844",
"datePublished": "2026-05-27T09:24:47.041Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:23.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45845 (GCVE-0-2026-45845)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
net/sched: taprio: fix NULL pointer dereference in class dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix NULL pointer dereference in class dump
When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()
is called with new == NULL and stores NULL into q->qdiscs[cl - 1].
Subsequent RTM_GETTCLASS dump operations walk all classes via
taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()
returning the NULL pointer, then dereferences it to read child->handle,
causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel
with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user
namespaces enabled, an unprivileged local user can trigger a kernel
panic by creating a taprio qdisc inside a new network namespace,
grafting an explicit child qdisc, deleting it, and requesting a class
dump. The RTM_GETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)
Call Trace:
<TASK>
tc_fill_tclass (net/sched/sch_api.c:1966)
qdisc_class_dump (net/sched/sch_api.c:2326)
taprio_walk (net/sched/sch_taprio.c:2514)
tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)
tc_dump_tclass_root (net/sched/sch_api.c:2370)
tc_dump_tclass (net/sched/sch_api.c:2431)
rtnl_dumpit (net/core/rtnetlink.c:6864)
netlink_dump (net/netlink/af_netlink.c:2325)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Fix this by substituting &noop_qdisc when new is NULL in
taprio_graft(), a common pattern used by other qdiscs (e.g.,
multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.
This makes control-plane dump paths safe without requiring individual
NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)
previously had explicit NULL guards that would drop/skip the packet
cleanly, update those checks to test for &noop_qdisc instead. Without
this, packets would reach taprio_enqueue_one() which increments the root
qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc
drops the packet but those counters are never rolled back, permanently
inflating the root qdisc's statistics.
After this change *old can be a valid qdisc, NULL, or &noop_qdisc.
Only call qdisc_put(*old) in the first case to avoid decreasing
noop_qdisc's refcount, which was never increased.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
665338b2a7a0139337d1f85be65ed16e487f84c1 , < ec2501e361b08b50bcb1e7b3253fc861abbda28d
(git)
Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1 , < d02e2fbf60de46678e2ea698a6a904fd21e1cc31 (git) Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1 , < 48b26d48e76221dc90b02bf5428bab53643461ca (git) Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1 , < 8f1ff8866cb9f655e5faea6994eb902960be8e04 (git) Affected: 665338b2a7a0139337d1f85be65ed16e487f84c1 , < 3d07ca5c0fae311226f737963984bd94bb159a87 (git) |
|
| Linux | Linux |
Affected:
6.6
Unaffected: 0 , < 6.6 (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec2501e361b08b50bcb1e7b3253fc861abbda28d",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "d02e2fbf60de46678e2ea698a6a904fd21e1cc31",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "48b26d48e76221dc90b02bf5428bab53643461ca",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "8f1ff8866cb9f655e5faea6994eb902960be8e04",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
},
{
"lessThan": "3d07ca5c0fae311226f737963984bd94bb159a87",
"status": "affected",
"version": "665338b2a7a0139337d1f85be65ed16e487f84c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: fix NULL pointer dereference in class dump\n\nWhen a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()\nis called with new == NULL and stores NULL into q-\u003eqdiscs[cl - 1].\nSubsequent RTM_GETTCLASS dump operations walk all classes via\ntaprio_walk() and call taprio_dump_class(), which calls taprio_leaf()\nreturning the NULL pointer, then dereferences it to read child-\u003ehandle,\ncausing a kernel NULL pointer dereference.\n\nThe bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel\nwith CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user\nnamespaces enabled, an unprivileged local user can trigger a kernel\npanic by creating a taprio qdisc inside a new network namespace,\ngrafting an explicit child qdisc, deleting it, and requesting a class\ndump. The RTM_GETTCLASS dump itself requires no capability.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)\n Call Trace:\n \u003cTASK\u003e\n tc_fill_tclass (net/sched/sch_api.c:1966)\n qdisc_class_dump (net/sched/sch_api.c:2326)\n taprio_walk (net/sched/sch_taprio.c:2514)\n tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)\n tc_dump_tclass_root (net/sched/sch_api.c:2370)\n tc_dump_tclass (net/sched/sch_api.c:2431)\n rtnl_dumpit (net/core/rtnetlink.c:6864)\n netlink_dump (net/netlink/af_netlink.c:2325)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \u003c/TASK\u003e\n\nFix this by substituting \u0026noop_qdisc when new is NULL in\ntaprio_graft(), a common pattern used by other qdiscs (e.g.,\nmultiq_graft()) to ensure the q-\u003eqdiscs[] slots are never NULL.\nThis makes control-plane dump paths safe without requiring individual\nNULL checks.\n\nSince the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)\npreviously had explicit NULL guards that would drop/skip the packet\ncleanly, update those checks to test for \u0026noop_qdisc instead. Without\nthis, packets would reach taprio_enqueue_one() which increments the root\nqdisc\u0027s qlen and backlog before calling the child\u0027s enqueue; noop_qdisc\ndrops the packet but those counters are never rolled back, permanently\ninflating the root qdisc\u0027s statistics.\n\nAfter this change *old can be a valid qdisc, NULL, or \u0026noop_qdisc.\nOnly call qdisc_put(*old) in the first case to avoid decreasing\nnoop_qdisc\u0027s refcount, which was never increased."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:27.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d"
},
{
"url": "https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31"
},
{
"url": "https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca"
},
{
"url": "https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04"
},
{
"url": "https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87"
}
],
"title": "net/sched: taprio: fix NULL pointer dereference in class dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45845",
"datePublished": "2026-05-27T09:24:48.438Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:27.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45846 (GCVE-0-2026-45846)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-06-14 17:46
VLAI
EPSS
Title
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 31e010a106ff6cd8ccac4bfee547fd3fa1015574
(git)
Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 55193df8d6d33318435f19572bf5ea47a22eee28 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 51eef9c072aa3405a6823a96ae666d38a3b48750 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 35a115a204be08f97450b0389413e218268ef4a2 (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 74a02921c48fcd35a7881956c9e5c52b86595f5d (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < 638905520fc4fae6a80991563f264131545ba3df (git) Affected: 571912c69f0ed731bd1e071ade9dc7ca4aa52065 , < aa6c6d9ee064aabfede4402fd1283424e649ca19 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31e010a106ff6cd8ccac4bfee547fd3fa1015574",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "55193df8d6d33318435f19572bf5ea47a22eee28",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "51eef9c072aa3405a6823a96ae666d38a3b48750",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "a0f4e4e8e0f5e24ddd83e3d1221732621cf34636",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "35a115a204be08f97450b0389413e218268ef4a2",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "74a02921c48fcd35a7881956c9e5c52b86595f5d",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "638905520fc4fae6a80991563f264131545ba3df",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
},
{
"lessThan": "aa6c6d9ee064aabfede4402fd1283424e649ca19",
"status": "affected",
"version": "571912c69f0ed731bd1e071ade9dc7ca4aa52065",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bareudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()\n\nbareudp_fill_metadata_dst() passes bareudp-\u003esock to\nudp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.\nThe socket is only created in bareudp_open() and NULLed in\nbareudp_stop(), so calling this function while the device is down\ntriggers a NULL dereference via sock-\u003esk.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)\n Call Trace:\n \u003cTASK\u003e\n bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)\n do_execute_actions (net/openvswitch/actions.c:901)\n ovs_execute_actions (net/openvswitch/actions.c:1589)\n ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1209)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \u003c/TASK\u003e\n\nAdd a NULL check returning -ESHUTDOWN, consistent with the xmit paths\nin the same driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:46:30.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574"
},
{
"url": "https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28"
},
{
"url": "https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750"
},
{
"url": "https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636"
},
{
"url": "https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2"
},
{
"url": "https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d"
},
{
"url": "https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df"
},
{
"url": "https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19"
}
],
"title": "bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45846",
"datePublished": "2026-05-27T09:24:52.122Z",
"dateReserved": "2026-05-13T15:03:33.078Z",
"dateUpdated": "2026-06-14T17:46:30.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45850 (GCVE-0-2026-45850)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:15 – Updated: 2026-06-19 11:58
VLAI
EPSS
Title
ipvs: skip ipv6 extension headers for csum checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: skip ipv6 extension headers for csum checks
Protocol checksum validation fails for IPv6 if there are extension
headers before the protocol header. iph->len already contains its
offset, so use it to fix the problem.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 0bf92a90bf05ecafe52e92d5bc15a585021a64ac
(git)
Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5 (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 768f665f3685b455ed686370ed7ccb852a125a3b (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 9aa7edc1347b98774e5167ca34e5b8aa6083bde7 (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < d643c1ec80b70508f54dac12179e36920e2c00de (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < cdce1e797addab72393c0dfee31aaca41ef7d937 (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4 (git) Affected: 0bbdd42b7efa66685b6d74701bcde3a596a3a59d , < 05cfe9863ef049d98141dc2969eefde72fb07625 (git) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto_sctp.c",
"net/netfilter/ipvs/ip_vs_proto_tcp.c",
"net/netfilter/ipvs/ip_vs_proto_udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bf92a90bf05ecafe52e92d5bc15a585021a64ac",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "768f665f3685b455ed686370ed7ccb852a125a3b",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "9aa7edc1347b98774e5167ca34e5b8aa6083bde7",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "d643c1ec80b70508f54dac12179e36920e2c00de",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "cdce1e797addab72393c0dfee31aaca41ef7d937",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
},
{
"lessThan": "05cfe9863ef049d98141dc2969eefde72fb07625",
"status": "affected",
"version": "0bbdd42b7efa66685b6d74701bcde3a596a3a59d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_proto_sctp.c",
"net/netfilter/ipvs/ip_vs_proto_tcp.c",
"net/netfilter/ipvs/ip_vs_proto_udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: skip ipv6 extension headers for csum checks\n\nProtocol checksum validation fails for IPv6 if there are extension\nheaders before the protocol header. iph-\u003elen already contains its\noffset, so use it to fix the problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:58:42.748Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bf92a90bf05ecafe52e92d5bc15a585021a64ac"
},
{
"url": "https://git.kernel.org/stable/c/54add3b7d3c154ca89ef5bac2582b0ed1a3a15d5"
},
{
"url": "https://git.kernel.org/stable/c/768f665f3685b455ed686370ed7ccb852a125a3b"
},
{
"url": "https://git.kernel.org/stable/c/9aa7edc1347b98774e5167ca34e5b8aa6083bde7"
},
{
"url": "https://git.kernel.org/stable/c/d643c1ec80b70508f54dac12179e36920e2c00de"
},
{
"url": "https://git.kernel.org/stable/c/cdce1e797addab72393c0dfee31aaca41ef7d937"
},
{
"url": "https://git.kernel.org/stable/c/a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4"
},
{
"url": "https://git.kernel.org/stable/c/05cfe9863ef049d98141dc2969eefde72fb07625"
}
],
"title": "ipvs: skip ipv6 extension headers for csum checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45850",
"datePublished": "2026-05-27T12:15:21.389Z",
"dateReserved": "2026-05-13T15:03:33.079Z",
"dateUpdated": "2026-06-19T11:58:42.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…