Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2026-0215
Vulnerability from csaf_certbund - Published: 2026-01-25 23:00 - Updated: 2026-03-30 22:00Summary
Linux Kernel: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff: Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.
Betroffene Betriebssysteme: - Linux
References
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service- Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0215 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0215.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0215 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0215"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71145",
"url": "https://lore.kernel.org/linux-cve-announce/2026012321-CVE-2025-71145-4c0a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71146",
"url": "https://lore.kernel.org/linux-cve-announce/2026012325-CVE-2025-71146-96cf@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71147",
"url": "https://lore.kernel.org/linux-cve-announce/2026012327-CVE-2025-71147-a296@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71148",
"url": "https://lore.kernel.org/linux-cve-announce/2026012327-CVE-2025-71148-78e6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71149",
"url": "https://lore.kernel.org/linux-cve-announce/2026012328-CVE-2025-71149-c9ee@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71150",
"url": "https://lore.kernel.org/linux-cve-announce/2026012328-CVE-2025-71150-1b7c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71151",
"url": "https://lore.kernel.org/linux-cve-announce/2026012328-CVE-2025-71151-1a45@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71152",
"url": "https://lore.kernel.org/linux-cve-announce/2026012302-CVE-2025-71152-055a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71153",
"url": "https://lore.kernel.org/linux-cve-announce/2026012305-CVE-2025-71153-246e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71154",
"url": "https://lore.kernel.org/linux-cve-announce/2026012305-CVE-2025-71154-bc99@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71155",
"url": "https://lore.kernel.org/linux-cve-announce/2026012306-CVE-2025-71155-7691@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71156",
"url": "https://lore.kernel.org/linux-cve-announce/2026012306-CVE-2025-71156-f8f2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71157",
"url": "https://lore.kernel.org/linux-cve-announce/2026012306-CVE-2025-71157-3a03@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71158",
"url": "https://lore.kernel.org/linux-cve-announce/2026012344-CVE-2025-71158-1cfa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71159",
"url": "https://lore.kernel.org/linux-cve-announce/2026012346-CVE-2025-71159-417a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71160",
"url": "https://lore.kernel.org/linux-cve-announce/2026012346-CVE-2025-71160-8c5d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71161",
"url": "https://lore.kernel.org/linux-cve-announce/2026012346-CVE-2025-71161-4b58@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71162",
"url": "https://lore.kernel.org/linux-cve-announce/2026012530-CVE-2025-71162-c0b7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71163",
"url": "https://lore.kernel.org/linux-cve-announce/2026012532-CVE-2025-71163-03ce@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22978",
"url": "https://lore.kernel.org/linux-cve-announce/2026012347-CVE-2026-22978-4e34@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22979",
"url": "https://lore.kernel.org/linux-cve-announce/2026012347-CVE-2026-22979-b883@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22980",
"url": "https://lore.kernel.org/linux-cve-announce/2026012347-CVE-2026-22980-6031@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22981",
"url": "https://lore.kernel.org/linux-cve-announce/2026012348-CVE-2026-22981-94c5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22982",
"url": "https://lore.kernel.org/linux-cve-announce/2026012348-CVE-2026-22982-b250@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22983",
"url": "https://lore.kernel.org/linux-cve-announce/2026012348-CVE-2026-22983-db37@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22984",
"url": "https://lore.kernel.org/linux-cve-announce/2026012349-CVE-2026-22984-001c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22985",
"url": "https://lore.kernel.org/linux-cve-announce/2026012349-CVE-2026-22985-9a80@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22986",
"url": "https://lore.kernel.org/linux-cve-announce/2026012349-CVE-2026-22986-5992@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22987",
"url": "https://lore.kernel.org/linux-cve-announce/2026012350-CVE-2026-22987-8984@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22988",
"url": "https://lore.kernel.org/linux-cve-announce/2026012350-CVE-2026-22988-1ee5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22989",
"url": "https://lore.kernel.org/linux-cve-announce/2026012350-CVE-2026-22989-06be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22990",
"url": "https://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22990-a62e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22991",
"url": "https://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22991-e4a2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22992",
"url": "https://lore.kernel.org/linux-cve-announce/2026012351-CVE-2026-22992-0607@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22993",
"url": "https://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22993-2e35@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22994",
"url": "https://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22994-ab5f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22995",
"url": "https://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22995-7465@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22996",
"url": "https://lore.kernel.org/linux-cve-announce/2026012532-CVE-2026-22996-f977@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22997",
"url": "https://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22997-42ca@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22998",
"url": "https://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22998-8392@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-22999",
"url": "https://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22999-c098@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23000",
"url": "https://lore.kernel.org/linux-cve-announce/2026012534-CVE-2026-23000-36e1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23001",
"url": "https://lore.kernel.org/linux-cve-announce/2026012534-CVE-2026-23001-7ab0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23002",
"url": "https://lore.kernel.org/linux-cve-announce/2026012534-CVE-2026-23002-ffa4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23003",
"url": "https://lore.kernel.org/linux-cve-announce/2026012535-CVE-2026-23003-e684@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23004",
"url": "https://lore.kernel.org/linux-cve-announce/2026012535-CVE-2026-23004-205e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23005",
"url": "https://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23005-df15@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23006",
"url": "https://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23006-241b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23007",
"url": "https://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23007-38b1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23008",
"url": "https://lore.kernel.org/linux-cve-announce/2026012537-CVE-2026-23008-d435@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23009",
"url": "https://lore.kernel.org/linux-cve-announce/2026012537-CVE-2026-23009-7209@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23010",
"url": "https://lore.kernel.org/linux-cve-announce/2026012537-CVE-2026-23010-91ab@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23011",
"url": "https://lore.kernel.org/linux-cve-announce/2026012538-CVE-2026-23011-d4fd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23012",
"url": "https://lore.kernel.org/linux-cve-announce/2026012538-CVE-2026-23012-8a3d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23013",
"url": "https://lore.kernel.org/linux-cve-announce/2026012538-CVE-2026-23013-303c@gregkh/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2264 vom 2026-02-09",
"url": "https://access.redhat.com/errata/RHSA-2026:2264"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6126 vom 2026-02-09",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00035.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6127 vom 2026-02-10",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00036.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2378 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2378"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2264 vom 2026-02-10",
"url": "https://linux.oracle.com/errata/ELSA-2026-2264.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4475 vom 2026-02-11",
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00016.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0447-1 vom 2026-02-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024124.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4476 vom 2026-02-11",
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00017.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8034-1 vom 2026-02-12",
"url": "https://ubuntu.com/security/notices/USN-8034-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0475-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024139.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0473-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024136.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0474-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024140.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0471-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024142.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0472-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024141.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0496-1 vom 2026-02-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024158.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0495-1 vom 2026-02-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024159.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2264 vom 2026-02-15",
"url": "https://errata.build.resf.org/RLSA-2026:2264"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2721 vom 2026-02-16",
"url": "https://access.redhat.com/errata/RHSA-2026:2721"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2722 vom 2026-02-16",
"url": "https://access.redhat.com/errata/RHSA-2026:2722"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2721 vom 2026-02-17",
"url": "https://linux.oracle.com/errata/ELSA-2026-2721.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2722 vom 2026-02-17",
"url": "https://linux.oracle.com/errata/ELSA-2026-2722.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8034-2 vom 2026-02-17",
"url": "https://ubuntu.com/security/notices/USN-8034-2"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2026-113 vom 2026-02-19",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-113.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0587-1 vom 2026-02-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024356.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2722 vom 2026-02-24",
"url": "https://errata.build.resf.org/RLSA-2026:2722"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0617-1 vom 2026-02-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024378.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2721 vom 2026-02-24",
"url": "https://errata.build.resf.org/RLSA-2026:2721"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20479-1 vom 2026-02-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024407.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20477-1 vom 2026-02-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024409.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20498-1 vom 2026-02-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024476.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20287-1 vom 2026-02-28",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K7KIWX7XP3UMVFSHT47OOZ24TQQYNNHI/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20520-1 vom 2026-02-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024455.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.15-2026-098 vom 2026-03-06",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-2026-098.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20599-1 vom 2026-03-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024614.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20570-1 vom 2026-03-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024574.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20615-1 vom 2026-03-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024605.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20555-1 vom 2026-03-05",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024590.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:3966 vom 2026-03-09",
"url": "https://access.redhat.com/errata/RHSA-2026:3966"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:3964 vom 2026-03-09",
"url": "https://access.redhat.com/errata/RHSA-2026:3964"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:3963 vom 2026-03-09",
"url": "https://access.redhat.com/errata/RHSA-2026:3963"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:4012 vom 2026-03-09",
"url": "https://access.redhat.com/errata/RHSA-2026:4012"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-3963 vom 2026-03-09",
"url": "https://linux.oracle.com/errata/ELSA-2026-3963.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-4012 vom 2026-03-10",
"url": "https://linux.oracle.com/errata/ELSA-2026-4012.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-3966 vom 2026-03-10",
"url": "https://linux.oracle.com/errata/ELSA-2026-3966.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-50145 vom 2026-03-12",
"url": "https://linux.oracle.com/errata/ELSA-2026-50145.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-50144 vom 2026-03-11",
"url": "https://linux.oracle.com/errata/ELSA-2026-50144.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8096-1 vom 2026-03-17",
"url": "https://ubuntu.com/security/notices/USN-8096-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8096-2 vom 2026-03-17",
"url": "https://ubuntu.com/security/notices/USN-8096-2"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:4723 vom 2026-03-17",
"url": "https://access.redhat.com/errata/RHSA-2026:4723"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8096-4 vom 2026-03-17",
"url": "https://ubuntu.com/security/notices/USN-8096-4"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8096-3 vom 2026-03-17",
"url": "https://ubuntu.com/security/notices/USN-8096-3"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-4723 vom 2026-03-17",
"url": "https://linux.oracle.com/errata/ELSA-2026-4723.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20667-1 vom 2026-03-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024746.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0928-1 vom 2026-03-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024762.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20711-1 vom 2026-03-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024715.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20713-1 vom 2026-03-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024771.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2026-114 vom 2026-03-19",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-114.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.15-2026-099 vom 2026-03-19",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-2026-099.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20720-1 vom 2026-03-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024766.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:5197 vom 2026-03-23",
"url": "https://access.redhat.com/errata/RHSA-2026:5197"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8116-1 vom 2026-03-23",
"url": "https://ubuntu.com/security/notices/USN-8116-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0962-1 vom 2026-03-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024803.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8096-5 vom 2026-03-23",
"url": "https://ubuntu.com/security/notices/USN-8096-5"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0961-1 vom 2026-03-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024805.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20794-1 vom 2026-03-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024895.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20772-1 vom 2026-03-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024862.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20819-1 vom 2026-03-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024871.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0984-1 vom 2026-03-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024841.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1041-1 vom 2026-03-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024928.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1003-1 vom 2026-03-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024925.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:3964 vom 2026-03-26",
"url": "https://errata.build.resf.org/RLSA-2026:3964"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:3963 vom 2026-03-26",
"url": "https://errata.build.resf.org/RLSA-2026:3963"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1081-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024953.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1077-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024956.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1078-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024954.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:4723 vom 2026-03-27",
"url": "https://errata.build.resf.org/RLSA-2026:4723"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20873-1 vom 2026-03-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024968.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1131-1 vom 2026-03-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/025031.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20845-1 vom 2026-03-28",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024994.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20872-1 vom 2026-03-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024969.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20838-1 vom 2026-03-28",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024999.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20876-1 vom 2026-03-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/025054.html"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-30T22:00:00.000+00:00",
"generator": {
"date": "2026-03-31T08:19:11.586+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0215",
"initial_release_date": "2026-01-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-01-26T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-4616, EUVD-2026-4617, EUVD-2026-4623, EUVD-2026-4626, EUVD-2026-4619, EUVD-2026-4625, EUVD-2026-4628"
},
{
"date": "2026-02-08T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-09T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian und Red Hat aufgenommen"
},
{
"date": "2026-02-10T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-02-11T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Debian und SUSE aufgenommen"
},
{
"date": "2026-02-12T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-15T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE und Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-02-16T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2026-02-17T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Oracle Linux und Ubuntu aufgenommen"
},
{
"date": "2026-02-18T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2026-02-22T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-24T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Rocky Enterprise Software Foundation und SUSE aufgenommen"
},
{
"date": "2026-02-26T23:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-01T23:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von SUSE und openSUSE aufgenommen"
},
{
"date": "2026-03-05T23:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Amazon und SUSE aufgenommen"
},
{
"date": "2026-03-08T23:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-03-09T23:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-03-10T23:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-03-11T23:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-03-16T23:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2026-03-17T23:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von Red Hat, Ubuntu und Oracle Linux aufgenommen"
},
{
"date": "2026-03-18T23:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-19T23:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von SUSE und Amazon aufgenommen"
},
{
"date": "2026-03-22T23:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-03-23T23:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von Ubuntu und SUSE aufgenommen"
},
{
"date": "2026-03-24T23:00:00.000+00:00",
"number": "27",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-25T23:00:00.000+00:00",
"number": "28",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-26T23:00:00.000+00:00",
"number": "29",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-29T22:00:00.000+00:00",
"number": "30",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-30T22:00:00.000+00:00",
"number": "31",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "31"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T050304",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-71145",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71145"
},
{
"cve": "CVE-2025-71146",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71146"
},
{
"cve": "CVE-2025-71147",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71147"
},
{
"cve": "CVE-2025-71148",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71148"
},
{
"cve": "CVE-2025-71149",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71149"
},
{
"cve": "CVE-2025-71150",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71150"
},
{
"cve": "CVE-2025-71151",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71151"
},
{
"cve": "CVE-2025-71152",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71152"
},
{
"cve": "CVE-2025-71153",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71153"
},
{
"cve": "CVE-2025-71154",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71154"
},
{
"cve": "CVE-2025-71155",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71155"
},
{
"cve": "CVE-2025-71156",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71156"
},
{
"cve": "CVE-2025-71157",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71157"
},
{
"cve": "CVE-2025-71158",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71158"
},
{
"cve": "CVE-2025-71159",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71159"
},
{
"cve": "CVE-2025-71160",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71160"
},
{
"cve": "CVE-2025-71161",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71161"
},
{
"cve": "CVE-2025-71162",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71162"
},
{
"cve": "CVE-2025-71163",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2025-71163"
},
{
"cve": "CVE-2026-22978",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22978"
},
{
"cve": "CVE-2026-22979",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22979"
},
{
"cve": "CVE-2026-22980",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22980"
},
{
"cve": "CVE-2026-22981",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22981"
},
{
"cve": "CVE-2026-22982",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22982"
},
{
"cve": "CVE-2026-22983",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22983"
},
{
"cve": "CVE-2026-22984",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22984"
},
{
"cve": "CVE-2026-22985",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22985"
},
{
"cve": "CVE-2026-22986",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22986"
},
{
"cve": "CVE-2026-22987",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22987"
},
{
"cve": "CVE-2026-22988",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22988"
},
{
"cve": "CVE-2026-22989",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22989"
},
{
"cve": "CVE-2026-22990",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22990"
},
{
"cve": "CVE-2026-22991",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22991"
},
{
"cve": "CVE-2026-22992",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22992"
},
{
"cve": "CVE-2026-22993",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22993"
},
{
"cve": "CVE-2026-22994",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22994"
},
{
"cve": "CVE-2026-22995",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22995"
},
{
"cve": "CVE-2026-22996",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22996"
},
{
"cve": "CVE-2026-22997",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22997"
},
{
"cve": "CVE-2026-22998",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22998"
},
{
"cve": "CVE-2026-22999",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-22999"
},
{
"cve": "CVE-2026-23000",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23000"
},
{
"cve": "CVE-2026-23001",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23001"
},
{
"cve": "CVE-2026-23002",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23002"
},
{
"cve": "CVE-2026-23003",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23003"
},
{
"cve": "CVE-2026-23004",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23004"
},
{
"cve": "CVE-2026-23005",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23005"
},
{
"cve": "CVE-2026-23006",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23006"
},
{
"cve": "CVE-2026-23007",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23007"
},
{
"cve": "CVE-2026-23008",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23008"
},
{
"cve": "CVE-2026-23009",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23009"
},
{
"cve": "CVE-2026-23010",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23010"
},
{
"cve": "CVE-2026-23011",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23011"
},
{
"cve": "CVE-2026-23012",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23012"
},
{
"cve": "CVE-2026-23013",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T050304",
"T000126",
"T027843",
"398363",
"T004914",
"T032255"
]
},
"release_date": "2026-01-25T23:00:00.000+00:00",
"title": "CVE-2026-23013"
}
]
}
CVE-2026-22983 (GCVE-0-2026-22983)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: do not write to msg_get_inq in callee
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: do not write to msg_get_inq in callee
NULL pointer dereference fix.
msg_get_inq is an input field from caller to callee. Don't set it in
the callee, as the caller may not clear it on struct reuse.
This is a kernel-internal variant of msghdr only, and the only user
does reinitialize the field. So this is not critical for that reason.
But it is more robust to avoid the write, and slightly simpler code.
And it fixes a bug, see below.
Callers set msg_get_inq to request the input queue length to be
returned in msg_inq. This is equivalent to but independent from the
SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
To reduce branching in the hot path the second also sets the msg_inq.
That is WAI.
This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
SO_INQ unless explicitly asked for"), which fixed the inverse.
Also avoid NULL pointer dereference in unix_stream_read_generic if
state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
implement splice for stream af_unix sockets").
Also collapse two branches using a bitwise or.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c",
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffa2be496ef65055b28b39c6bd9a7d66943ee89a",
"status": "affected",
"version": "089e50f29eeec8eef6ae1450fc88138d719291cb",
"versionType": "git"
},
{
"lessThan": "7d11e047eda5f98514ae62507065ac961981c025",
"status": "affected",
"version": "4d1442979e4a53b9457ce1e373e187e1511ff688",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp.c",
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.6",
"status": "affected",
"version": "6.18.4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.18.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not write to msg_get_inq in callee\n\nNULL pointer dereference fix.\n\nmsg_get_inq is an input field from caller to callee. Don\u0027t set it in\nthe callee, as the caller may not clear it on struct reuse.\n\nThis is a kernel-internal variant of msghdr only, and the only user\ndoes reinitialize the field. So this is not critical for that reason.\nBut it is more robust to avoid the write, and slightly simpler code.\nAnd it fixes a bug, see below.\n\nCallers set msg_get_inq to request the input queue length to be\nreturned in msg_inq. This is equivalent to but independent from the\nSO_INQ request to return that same info as a cmsg (tp-\u003erecvmsg_inq).\nTo reduce branching in the hot path the second also sets the msg_inq.\nThat is WAI.\n\nThis is a fix to commit 4d1442979e4a (\"af_unix: don\u0027t post cmsg for\nSO_INQ unless explicitly asked for\"), which fixed the inverse.\n\nAlso avoid NULL pointer dereference in unix_stream_read_generic if\nstate-\u003emsg is NULL and msg-\u003emsg_get_inq is written. A NULL state-\u003emsg\ncan happen when splicing as of commit 2b514574f7e8 (\"net: af_unix:\nimplement splice for stream af_unix sockets\").\n\nAlso collapse two branches using a bitwise or."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:33.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a"
},
{
"url": "https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025"
}
],
"title": "net: do not write to msg_get_inq in callee",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22983",
"datePublished": "2026-01-23T15:24:05.394Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:33.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22982 (GCVE-0-2026-22982)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: mscc: ocelot: Fix crash when adding interface under a lag
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
528d3f190c98c8f7d9581f68db4af021696727b2 , < 8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d
(git)
Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < b17818307446c5a8d925a39a792261dbfa930041 (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 2985712dc76dfa670eb7fd607c09d4d48e5f5c6e (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 03fb1708b7d1e76aecebf767ad059c319845039f (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < f490af47bbee02441e356a1e0b86e3b3dd5120ff (git) Affected: 528d3f190c98c8f7d9581f68db4af021696727b2 , < 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "b17818307446c5a8d925a39a792261dbfa930041",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "2985712dc76dfa670eb7fd607c09d4d48e5f5c6e",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "03fb1708b7d1e76aecebf767ad059c319845039f",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "f490af47bbee02441e356a1e0b86e3b3dd5120ff",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
},
{
"lessThan": "34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95",
"status": "affected",
"version": "528d3f190c98c8f7d9581f68db4af021696727b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mscc/ocelot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:32.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d"
},
{
"url": "https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041"
},
{
"url": "https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e"
},
{
"url": "https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f"
},
{
"url": "https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff"
},
{
"url": "https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95"
}
],
"title": "net: mscc: ocelot: Fix crash when adding interface under a lag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22982",
"datePublished": "2026-01-23T15:24:04.556Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:32.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71160 (GCVE-0-2025-71160)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
netfilter: nf_tables: avoid chain re-validation if possible
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: avoid chain re-validation if possible
Hamza Mahfooz reports cpu soft lock-ups in
nft_chain_validate():
watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
[..]
RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
[..]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_table_validate+0x6b/0xb0 [nf_tables]
nf_tables_validate+0x8b/0xa0 [nf_tables]
nf_tables_commit+0x1df/0x1eb0 [nf_tables]
[..]
Currently nf_tables will traverse the entire table (chain graph), starting
from the entry points (base chains), exploring all possible paths
(chain jumps). But there are cases where we could avoid revalidation.
Consider:
1 input -> j2 -> j3
2 input -> j2 -> j3
3 input -> j1 -> j2 -> j3
Then the second rule does not need to revalidate j2, and, by extension j3,
because this was already checked during validation of the first rule.
We need to validate it only for rule 3.
This is needed because chain loop detection also ensures we do not exceed
the jump stack: Just because we know that j2 is cycle free, its last jump
might now exceed the allowed stack size. We also need to update all
reachable chains with the new largest observed call depth.
Care has to be taken to revalidate even if the chain depth won't be an
issue: chain validation also ensures that expressions are not called from
invalid base chains. For example, the masquerade expression can only be
called from NAT postrouting base chains.
Therefore we also need to keep record of the base chain context (type,
hooknum) and revalidate if the chain becomes reachable from a different
hook location.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a654de8fdc1815676ab750e70cab231fc814c29f , < 53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1
(git)
Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 14fa3d1927f1382f86e3f70a51f26005c8e3cff6 (git) Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 09d6074995c186e449979fe6c1b0f1a69cf9bd3b (git) Affected: a654de8fdc1815676ab750e70cab231fc814c29f , < 8e1a1bc4f5a42747c08130b8242ebebd1210b32f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "14fa3d1927f1382f86e3f70a51f26005c8e3cff6",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "09d6074995c186e449979fe6c1b0f1a69cf9bd3b",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
},
{
"lessThan": "8e1a1bc4f5a42747c08130b8242ebebd1210b32f",
"status": "affected",
"version": "a654de8fdc1815676ab750e70cab231fc814c29f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: avoid chain re-validation if possible\n\nHamza Mahfooz reports cpu soft lock-ups in\nnft_chain_validate():\n\n watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]\n[..]\n RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]\n[..]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_immediate_validate+0x36/0x50 [nf_tables]\n nft_chain_validate+0xc9/0x110 [nf_tables]\n nft_table_validate+0x6b/0xb0 [nf_tables]\n nf_tables_validate+0x8b/0xa0 [nf_tables]\n nf_tables_commit+0x1df/0x1eb0 [nf_tables]\n[..]\n\nCurrently nf_tables will traverse the entire table (chain graph), starting\nfrom the entry points (base chains), exploring all possible paths\n(chain jumps). But there are cases where we could avoid revalidation.\n\nConsider:\n1 input -\u003e j2 -\u003e j3\n2 input -\u003e j2 -\u003e j3\n3 input -\u003e j1 -\u003e j2 -\u003e j3\n\nThen the second rule does not need to revalidate j2, and, by extension j3,\nbecause this was already checked during validation of the first rule.\nWe need to validate it only for rule 3.\n\nThis is needed because chain loop detection also ensures we do not exceed\nthe jump stack: Just because we know that j2 is cycle free, its last jump\nmight now exceed the allowed stack size. We also need to update all\nreachable chains with the new largest observed call depth.\n\nCare has to be taken to revalidate even if the chain depth won\u0027t be an\nissue: chain validation also ensures that expressions are not called from\ninvalid base chains. For example, the masquerade expression can only be\ncalled from NAT postrouting base chains.\n\nTherefore we also need to keep record of the base chain context (type,\nhooknum) and revalidate if the chain becomes reachable from a different\nhook location."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:58.807Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1"
},
{
"url": "https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6"
},
{
"url": "https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b"
},
{
"url": "https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f"
}
],
"title": "netfilter: nf_tables: avoid chain re-validation if possible",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71160",
"datePublished": "2026-01-23T15:23:58.652Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-02-09T08:35:58.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22999 (GCVE-0-2026-22999)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < cff6cd703f41d8071995956142729e4bba160363 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f06f7635499bc806cbe2bbc8805c7cef8b1edddf (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 0a234660dc70ce45d771cbc76b20d925b73ec160 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 362e269bb03f7076ba9990e518aeddb898232e50 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < e9d8f11652fa08c647bf7bba7dd8163241a332cd (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "cff6cd703f41d8071995956142729e4bba160363",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f06f7635499bc806cbe2bbc8805c7cef8b1edddf",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "0a234660dc70ce45d771cbc76b20d925b73ec160",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "362e269bb03f7076ba9990e518aeddb898232e50",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "e9d8f11652fa08c647bf7bba7dd8163241a332cd",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3879cffd9d07aa0377c4b8835c4f64b4fb24ac78",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:51.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"
},
{
"url": "https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"
},
{
"url": "https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"
},
{
"url": "https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"
},
{
"url": "https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"
},
{
"url": "https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"
},
{
"url": "https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"
}
],
"title": "net/sched: sch_qfq: do not free existing class in qfq_change_class()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22999",
"datePublished": "2026-01-25T14:36:13.909Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:51.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22980 (GCVE-0-2026-22980)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
nfsd: provide locking for v4_end_grace
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ca97360860eb02e3ae4ba42c19b439a0fcecbf06
(git)
Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < e8bfa2401d4c51eca6e48e9b33c798828ca9df61 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 34eb22836e0cdba093baac66599d68c4cd245a9d (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 06600719d0f7a723811c45e4d51f5b742f345309 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < ba4811c8b433bfa681729ca42cc62b6034f223b0 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 53f07d095e7e680c5e4569a55a019f2c0348cdc6 (git) Affected: 7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 , < 2857bd59feb63fcf40fe4baf55401baea6b4feb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca97360860eb02e3ae4ba42c19b439a0fcecbf06",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "e8bfa2401d4c51eca6e48e9b33c798828ca9df61",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "34eb22836e0cdba093baac66599d68c4cd245a9d",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "06600719d0f7a723811c45e4d51f5b742f345309",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "ba4811c8b433bfa681729ca42cc62b6034f223b0",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "53f07d095e7e680c5e4569a55a019f2c0348cdc6",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
},
{
"lessThan": "2857bd59feb63fcf40fe4baf55401baea6b4feb4",
"status": "affected",
"version": "7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/netns.h",
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op-\u003einit() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn\u0027t require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn\u0027t restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn-\u003eclient_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:30.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06"
},
{
"url": "https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61"
},
{
"url": "https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d"
},
{
"url": "https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309"
},
{
"url": "https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0"
},
{
"url": "https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6"
},
{
"url": "https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4"
}
],
"title": "nfsd: provide locking for v4_end_grace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22980",
"datePublished": "2026-01-23T15:24:02.924Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:30.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71145 (GCVE-0-2025-71145)
Vulnerability from cvelistv5 – Published: 2026-01-23 13:39 – Updated: 2026-01-23 13:39
VLAI?
EPSS
Title
usb: phy: isp1301: fix non-OF device reference imbalance
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: phy: isp1301: fix non-OF device reference imbalance
A recent change fixing a device reference leak in a UDC driver
introduced a potential use-after-free in the non-OF case as the
isp1301_get_client() helper only increases the reference count for the
returned I2C device in the OF case.
Increment the reference count also for non-OF so that the caller can
decrement it unconditionally.
Note that this is inherently racy just as using the returned I2C device
is since nothing is preventing the PHY driver from being unbound while
in use.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0c2b0e747010fa645342138d71339a0ecb823bb0 , < 43e58abad6c08c5f0943594126ef4cd6559aac0b
(git)
Affected: 33c2e2a87313bc1afe9f7febbbb2014c431a2c5d , < 03bbdaa4da8c6ea0c8431a5011db188a07822c8a (git) Affected: 8481323710062051b3c42bff94ee5b18a2b496ca , < 75c5d9bce072abbbc09b701a49869ac23c34a906 (git) Affected: 8bd518ea03b81eb7b4a734b7b901866c448f6c07 , < 5d3df03f70547d4e3fc10ed4381c052eff51b157 (git) Affected: cefaad839a384a72331aedad927b1944fb6943dc , < 7501ecfe3e5202490c2d13dc7e181203601fcd69 (git) Affected: c84117912bddd9e5d87e68daf182410c98181407 , < b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 (git) Affected: 21c7c83d592e6335bfb6d65608da3726f976bad4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-isp1301.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43e58abad6c08c5f0943594126ef4cd6559aac0b",
"status": "affected",
"version": "0c2b0e747010fa645342138d71339a0ecb823bb0",
"versionType": "git"
},
{
"lessThan": "03bbdaa4da8c6ea0c8431a5011db188a07822c8a",
"status": "affected",
"version": "33c2e2a87313bc1afe9f7febbbb2014c431a2c5d",
"versionType": "git"
},
{
"lessThan": "75c5d9bce072abbbc09b701a49869ac23c34a906",
"status": "affected",
"version": "8481323710062051b3c42bff94ee5b18a2b496ca",
"versionType": "git"
},
{
"lessThan": "5d3df03f70547d4e3fc10ed4381c052eff51b157",
"status": "affected",
"version": "8bd518ea03b81eb7b4a734b7b901866c448f6c07",
"versionType": "git"
},
{
"lessThan": "7501ecfe3e5202490c2d13dc7e181203601fcd69",
"status": "affected",
"version": "cefaad839a384a72331aedad927b1944fb6943dc",
"versionType": "git"
},
{
"lessThan": "b4b64fda4d30a83a7f00e92a0c8a1d47699609f3",
"status": "affected",
"version": "c84117912bddd9e5d87e68daf182410c98181407",
"versionType": "git"
},
{
"status": "affected",
"version": "21c7c83d592e6335bfb6d65608da3726f976bad4",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-isp1301.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.248",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: isp1301: fix non-OF device reference imbalance\n\nA recent change fixing a device reference leak in a UDC driver\nintroduced a potential use-after-free in the non-OF case as the\nisp1301_get_client() helper only increases the reference count for the\nreturned I2C device in the OF case.\n\nIncrement the reference count also for non-OF so that the caller can\ndecrement it unconditionally.\n\nNote that this is inherently racy just as using the returned I2C device\nis since nothing is preventing the PHY driver from being unbound while\nin use."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T13:39:17.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b"
},
{
"url": "https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a"
},
{
"url": "https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906"
},
{
"url": "https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157"
},
{
"url": "https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69"
},
{
"url": "https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3"
}
],
"title": "usb: phy: isp1301: fix non-OF device reference imbalance",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71145",
"datePublished": "2026-01-23T13:39:17.857Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-01-23T13:39:17.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22996 (GCVE-0-2026-22996)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to
reference the netdev and mdev associated with that struct. Instead,
store netdev directly into mlx5e_dev and get mdev from the containing
mlx5_adev aux device structure.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000520
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_remove+0x68/0x130
RSP: 0018:ffffc900034838f0 EFLAGS: 00010246
RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10
R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0
R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400
FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0
Call Trace:
<TASK>
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "a3d4f87d41f5140f1cf5c02fce5cdad2637f6244",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "123eda2e5b1638e298e3a66bb1e64a8da92de5e1",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don\u0027t store mlx5e_priv in mlx5e_dev devlink priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails, mlx5e_priv in mlx5e_dev devlink private is used to\nreference the netdev and mdev associated with that struct. Instead,\nstore netdev directly into mlx5e_dev and get mdev from the containing\nmlx5_adev aux device structure.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==\u003e oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000520\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_remove+0x68/0x130\nRSP: 0018:ffffc900034838f0 EFLAGS: 00010246\nRAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10\nR10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0\nR13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400\nFS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:47.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe"
},
{
"url": "https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244"
},
{
"url": "https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1"
}
],
"title": "net/mlx5e: Don\u0027t store mlx5e_priv in mlx5e_dev devlink priv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22996",
"datePublished": "2026-01-25T14:36:11.195Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:47.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22993 (GCVE-0-2026-22993)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-04-02 11:30
VLAI?
EPSS
Title
idpf: Fix RSS LUT NULL ptr issue after soft reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: Fix RSS LUT NULL ptr issue after soft reset
During soft reset, the RSS LUT is freed and not restored unless the
interface is up. If an ethtool command that accesses the rss lut is
attempted immediately after reset, it will result in NULL ptr
dereference. Also, there is no need to reset the rss lut if the soft reset
does not involve queue count change.
After soft reset, set the RSS LUT to default values based on the updated
queue count only if the reset was a result of a queue count change and
the LUT was not configured by the user. In all other cases, don't touch
the LUT.
Steps to reproduce:
** Bring the interface down (if up)
ifconfig eth1 down
** update the queue count (eg., 27->20)
ethtool -L eth1 combined 20
** display the RSS LUT
ethtool -x eth1
[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[82375.558373] #PF: supervisor read access in kernel mode
[82375.558391] #PF: error_code(0x0000) - not-present page
[82375.558408] PGD 0 P4D 0
[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
[82375.558786] Call Trace:
[82375.558793] <TASK>
[82375.558804] rss_prepare.isra.0+0x187/0x2a0
[82375.558827] rss_prepare_data+0x3a/0x50
[82375.558845] ethnl_default_doit+0x13d/0x3e0
[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
[82375.558886] genl_rcv_msg+0x1ad/0x2b0
[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
[82375.558937] netlink_rcv_skb+0x58/0x100
[82375.558957] genl_rcv+0x2c/0x50
[82375.558971] netlink_unicast+0x289/0x3e0
[82375.558988] netlink_sendmsg+0x215/0x440
[82375.559005] __sys_sendto+0x234/0x240
[82375.559555] __x64_sys_sendto+0x28/0x30
[82375.560068] x64_sys_call+0x1909/0x1da0
[82375.560576] do_syscall_64+0x7a/0xfa0
[82375.561076] ? clear_bhb_loop+0x60/0xb0
[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
<snip>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb , < a09380354d2f14759b9dd45de1bc2f6bf49e651b
(git)
Affected: 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb , < ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f (git) Affected: 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb , < ebecca5b093895da801b3eba1a55b4ec4027d196 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a09380354d2f14759b9dd45de1bc2f6bf49e651b",
"status": "affected",
"version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb",
"versionType": "git"
},
{
"lessThan": "ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f",
"status": "affected",
"version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb",
"versionType": "git"
},
{
"lessThan": "ebecca5b093895da801b3eba1a55b4ec4027d196",
"status": "affected",
"version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don\u0027t touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27-\u003e20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003csnip\u003e\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793] \u003cTASK\u003e\n[82375.558804] rss_prepare.isra.0+0x187/0x2a0\n[82375.558827] rss_prepare_data+0x3a/0x50\n[82375.558845] ethnl_default_doit+0x13d/0x3e0\n[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886] genl_rcv_msg+0x1ad/0x2b0\n[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937] netlink_rcv_skb+0x58/0x100\n[82375.558957] genl_rcv+0x2c/0x50\n[82375.558971] netlink_unicast+0x289/0x3e0\n[82375.558988] netlink_sendmsg+0x215/0x440\n[82375.559005] __sys_sendto+0x234/0x240\n[82375.559555] __x64_sys_sendto+0x28/0x30\n[82375.560068] x64_sys_call+0x1909/0x1da0\n[82375.560576] do_syscall_64+0x7a/0xfa0\n[82375.561076] ? clear_bhb_loop+0x60/0xb0\n[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\u003csnip\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:50.312Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a09380354d2f14759b9dd45de1bc2f6bf49e651b"
},
{
"url": "https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f"
},
{
"url": "https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196"
}
],
"title": "idpf: Fix RSS LUT NULL ptr issue after soft reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22993",
"datePublished": "2026-01-23T15:24:13.790Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-04-02T11:30:50.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23010 (GCVE-0-2026-23010)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
ipv6: Fix use-after-free in inet6_addr_del().
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix use-after-free in inet6_addr_del().
syzbot reported use-after-free of inet6_ifaddr in
inet6_addr_del(). [0]
The cited commit accidentally moved ipv6_del_addr() for
mngtmpaddr before reading its ifp->flags for temporary
addresses in inet6_addr_del().
Let's move ipv6_del_addr() down to fix the UAF.
[0]:
BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f164cf8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
</TASK>
Allocated by task 9593:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6099:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free_freelist_hook mm/slub.c:2569 [inline]
slab_free_bulk mm/slub.c:6696 [inline]
kmem_cache_free_bulk mm/slub.c:7383 [inline]
kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
kfree_bulk include/linux/slab.h:830 [inline]
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqu
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ca97dd10424860a3806ad3a9e26b9dce2901ee0c , < 6e89d60b4f03014f7d412ce64b17a840840d490e
(git)
Affected: 836deb96383ed9c1a411f172954d74b3f74ec6ac , < 9356b69d03d0f50cce91cebdabd33dda023fbd64 (git) Affected: cb74207ef98317f8874a0b9780bb339c2eb700b0 , < 2684610a9c9c53f262fd864fa5c407e79f304804 (git) Affected: 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f , < 8b6dcb565e419846bd521e31d5e1f98e4d0e1179 (git) Affected: 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f , < ddf96c393a33aef4887e2e406c76c2f8cda1419c (git) Affected: 851b3bb105c595cc20b8dcc1b4de029061ce2b76 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e89d60b4f03014f7d412ce64b17a840840d490e",
"status": "affected",
"version": "ca97dd10424860a3806ad3a9e26b9dce2901ee0c",
"versionType": "git"
},
{
"lessThan": "9356b69d03d0f50cce91cebdabd33dda023fbd64",
"status": "affected",
"version": "836deb96383ed9c1a411f172954d74b3f74ec6ac",
"versionType": "git"
},
{
"lessThan": "2684610a9c9c53f262fd864fa5c407e79f304804",
"status": "affected",
"version": "cb74207ef98317f8874a0b9780bb339c2eb700b0",
"versionType": "git"
},
{
"lessThan": "8b6dcb565e419846bd521e31d5e1f98e4d0e1179",
"status": "affected",
"version": "00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f",
"versionType": "git"
},
{
"lessThan": "ddf96c393a33aef4887e2e406c76c2f8cda1419c",
"status": "affected",
"version": "00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f",
"versionType": "git"
},
{
"status": "affected",
"version": "851b3bb105c595cc20b8dcc1b4de029061ce2b76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/addrconf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix use-after-free in inet6_addr_del().\n\nsyzbot reported use-after-free of inet6_ifaddr in\ninet6_addr_del(). [0]\n\nThe cited commit accidentally moved ipv6_del_addr() for\nmngtmpaddr before reading its ifp-\u003eflags for temporary\naddresses in inet6_addr_del().\n\nLet\u0027s move ipv6_del_addr() down to fix the UAF.\n\n[0]:\nBUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\nRead of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593\n\nCPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\n addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181\n inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f164cf8f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749\nRDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003\nRBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288\n \u003c/TASK\u003e\n\nAllocated by task 9593:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120\n inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050\n addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160\n inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6099:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free_freelist_hook mm/slub.c:2569 [inline]\n slab_free_bulk mm/slub.c:6696 [inline]\n kmem_cache_free_bulk mm/slub.c:7383 [inline]\n kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362\n kfree_bulk include/linux/slab.h:830 [inline]\n kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523\n kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]\n kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqu\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:03.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e89d60b4f03014f7d412ce64b17a840840d490e"
},
{
"url": "https://git.kernel.org/stable/c/9356b69d03d0f50cce91cebdabd33dda023fbd64"
},
{
"url": "https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804"
},
{
"url": "https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179"
},
{
"url": "https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c"
}
],
"title": "ipv6: Fix use-after-free in inet6_addr_del().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23010",
"datePublished": "2026-01-25T14:36:23.593Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:37:03.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71155 (GCVE-0-2025-71155)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
KVM: s390: Fix gmap_helper_zap_one_page() again
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390: Fix gmap_helper_zap_one_page() again
A few checks were missing in gmap_helper_zap_one_page(), which can lead
to memory corruption in the guest under specific circumstances.
Add the missing checks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/gmap_helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7",
"status": "affected",
"version": "5deafa27d9ae040b75d392f60b12e300b42b4792",
"versionType": "git"
},
{
"lessThan": "2f393c228cc519ddf19b8c6c05bf15723241aa96",
"status": "affected",
"version": "5deafa27d9ae040b75d392f60b12e300b42b4792",
"versionType": "git"
},
{
"status": "affected",
"version": "919efcadb63fc3d3a82c3de7194140e0b28903dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/gmap_helpers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: Fix gmap_helper_zap_one_page() again\n\nA few checks were missing in gmap_helper_zap_one_page(), which can lead\nto memory corruption in the guest under specific circumstances.\n\nAdd the missing checks."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:53.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7"
},
{
"url": "https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96"
}
],
"title": "KVM: s390: Fix gmap_helper_zap_one_page() again",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71155",
"datePublished": "2026-01-23T14:25:54.663Z",
"dateReserved": "2026-01-13T15:30:19.663Z",
"dateUpdated": "2026-02-09T08:35:53.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23001 (GCVE-0-2026-23001)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
macvlan: fix possible UAF in macvlan_forward_source()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8133e85b8a3ec9f10d861e0002ec6037256e987e
(git)
Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 484919832e2db6ce1e8add92c469e5d459a516b5 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 232afc74a6dde0fe1830988e5827921f5ec9bb3f (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 15f6faf36e162532bec5cc05eb3fc622108bf2ed (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 6dbead9c7677186f22b7981dd085a0feec1f038e (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 7470a7a63dc162f07c26dbf960e41ee1e248d80e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8133e85b8a3ec9f10d861e0002ec6037256e987e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "484919832e2db6ce1e8add92c469e5d459a516b5",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "232afc74a6dde0fe1830988e5827921f5ec9bb3f",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "15f6faf36e162532bec5cc05eb3fc622108bf2ed",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "8518712a2ca952d6da2238c6f0a16b4ae5ea3f13",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "6dbead9c7677186f22b7981dd085a0feec1f038e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "7470a7a63dc162f07c26dbf960e41ee1e248d80e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)-\u003evlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry-\u003evlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:53.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e"
},
{
"url": "https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5"
},
{
"url": "https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f"
},
{
"url": "https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed"
},
{
"url": "https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13"
},
{
"url": "https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e"
},
{
"url": "https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e"
}
],
"title": "macvlan: fix possible UAF in macvlan_forward_source()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23001",
"datePublished": "2026-01-25T14:36:15.790Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:53.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71152 (GCVE-0-2025-71152)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-03-25 10:20
VLAI?
EPSS
Title
net: dsa: properly keep track of conduit reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: properly keep track of conduit reference
Problem description
-------------------
DSA has a mumbo-jumbo of reference handling of the conduit net device
and its kobject which, sadly, is just wrong and doesn't make sense.
There are two distinct problems.
1. The OF path, which uses of_find_net_device_by_node(), never releases
the elevated refcount on the conduit's kobject. Nominally, the OF and
non-OF paths should result in objects having identical reference
counts taken, and it is already suspicious that
dsa_dev_to_net_device() has a put_device() call which is missing in
dsa_port_parse_of(), but we can actually even verify that an issue
exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command
"before" and "after" applying this patch:
(unbind the conduit driver for net device eno2)
echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind
we see these lines in the output diff which appear only with the patch
applied:
kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)
kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)
2. After we find the conduit interface one way (OF) or another (non-OF),
it can get unregistered at any time, and DSA remains with a long-lived,
but in this case stale, cpu_dp->conduit pointer. Holding the net
device's underlying kobject isn't actually of much help, it just
prevents it from being freed (but we never need that kobject
directly). What helps us to prevent the net device from being
unregistered is the parallel netdev reference mechanism (dev_hold()
and dev_put()).
Actually we actually use that netdev tracker mechanism implicitly on
user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with
the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link().
But time still passes at DSA switch probe time between the initial
of_find_net_device_by_node() code and the user port creation time, time
during which the conduit could unregister itself and DSA wouldn't know
about it.
So we have to run of_find_net_device_by_node() under rtnl_lock() to
prevent that from happening, and release the lock only with the netdev
tracker having acquired the reference.
Do we need to keep the reference until dsa_unregister_switch() /
dsa_switch_shutdown()?
1: Maybe yes. A switch device will still be registered even if all user
ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not
make user port errors fatal"), and the cpu_dp->conduit pointers
remain valid. I haven't audited all call paths to see whether they
will actually use the conduit in lack of any user port, but if they
do, it seems safer to not rely on user ports for that reference.
2. Definitely yes. We support changing the conduit which a user port is
associated to, and we can get into a situation where we've moved all
user ports away from a conduit, thus no longer hold any reference to
it via the net device tracker. But we shouldn't let it go nonetheless
- see the next change in relation to dsa_tree_find_first_conduit()
and LAG conduits which disappear.
We have to be prepared to return to the physical conduit, so the CPU
port must explicitly keep another reference to it. This is also to
say: the user ports and their CPU ports may not always keep a
reference to the same conduit net device, and both are needed.
As for the conduit's kobject for the /sys/class/net/ entry, we don't
care about it, we can release it as soon as we hold the net device
object itself.
History and blame attribution
-----------------------------
The code has been refactored so many times, it is very difficult to
follow and properly attribute a blame, but I'll try to make a short
history which I hope to be correct.
We have two distinct probing paths:
- one for OF, introduced in 2016 i
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
83c0afaec7b730b16c518aecc8e6246ec91b265e , < ec2b34acb1894cfc10ed22d8277ca4f11e9f4b23
(git)
Affected: 83c0afaec7b730b16c518aecc8e6246ec91b265e , < b358fc6ff3b35a29f7f677da1c67af67d0d560cb (git) Affected: 83c0afaec7b730b16c518aecc8e6246ec91b265e , < 0e766b77ba5093583dfe609fae0aa1545c46dbbd (git) Affected: 83c0afaec7b730b16c518aecc8e6246ec91b265e , < 06e219f6a706c367c93051f408ac61417643d2f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec2b34acb1894cfc10ed22d8277ca4f11e9f4b23",
"status": "affected",
"version": "83c0afaec7b730b16c518aecc8e6246ec91b265e",
"versionType": "git"
},
{
"lessThan": "b358fc6ff3b35a29f7f677da1c67af67d0d560cb",
"status": "affected",
"version": "83c0afaec7b730b16c518aecc8e6246ec91b265e",
"versionType": "git"
},
{
"lessThan": "0e766b77ba5093583dfe609fae0aa1545c46dbbd",
"status": "affected",
"version": "83c0afaec7b730b16c518aecc8e6246ec91b265e",
"versionType": "git"
},
{
"lessThan": "06e219f6a706c367c93051f408ac61417643d2f9",
"status": "affected",
"version": "83c0afaec7b730b16c518aecc8e6246ec91b265e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: properly keep track of conduit reference\n\nProblem description\n-------------------\n\nDSA has a mumbo-jumbo of reference handling of the conduit net device\nand its kobject which, sadly, is just wrong and doesn\u0027t make sense.\n\nThere are two distinct problems.\n\n1. The OF path, which uses of_find_net_device_by_node(), never releases\n the elevated refcount on the conduit\u0027s kobject. Nominally, the OF and\n non-OF paths should result in objects having identical reference\n counts taken, and it is already suspicious that\n dsa_dev_to_net_device() has a put_device() call which is missing in\n dsa_port_parse_of(), but we can actually even verify that an issue\n exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command\n \"before\" and \"after\" applying this patch:\n\n(unbind the conduit driver for net device eno2)\necho 0000:00:00.2 \u003e /sys/bus/pci/drivers/fsl_enetc/unbind\n\nwe see these lines in the output diff which appear only with the patch\napplied:\n\nkobject: \u0027eno2\u0027 (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)\nkobject: \u0027109\u0027 (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)\n\n2. After we find the conduit interface one way (OF) or another (non-OF),\n it can get unregistered at any time, and DSA remains with a long-lived,\n but in this case stale, cpu_dp-\u003econduit pointer. Holding the net\n device\u0027s underlying kobject isn\u0027t actually of much help, it just\n prevents it from being freed (but we never need that kobject\n directly). What helps us to prevent the net device from being\n unregistered is the parallel netdev reference mechanism (dev_hold()\n and dev_put()).\n\nActually we actually use that netdev tracker mechanism implicitly on\nuser ports since commit 2f1e8ea726e9 (\"net: dsa: link interfaces with\nthe DSA master to get rid of lockdep warnings\"), via netdev_upper_dev_link().\nBut time still passes at DSA switch probe time between the initial\nof_find_net_device_by_node() code and the user port creation time, time\nduring which the conduit could unregister itself and DSA wouldn\u0027t know\nabout it.\n\nSo we have to run of_find_net_device_by_node() under rtnl_lock() to\nprevent that from happening, and release the lock only with the netdev\ntracker having acquired the reference.\n\nDo we need to keep the reference until dsa_unregister_switch() /\ndsa_switch_shutdown()?\n1: Maybe yes. A switch device will still be registered even if all user\n ports failed to probe, see commit 86f8b1c01a0a (\"net: dsa: Do not\n make user port errors fatal\"), and the cpu_dp-\u003econduit pointers\n remain valid. I haven\u0027t audited all call paths to see whether they\n will actually use the conduit in lack of any user port, but if they\n do, it seems safer to not rely on user ports for that reference.\n2. Definitely yes. We support changing the conduit which a user port is\n associated to, and we can get into a situation where we\u0027ve moved all\n user ports away from a conduit, thus no longer hold any reference to\n it via the net device tracker. But we shouldn\u0027t let it go nonetheless\n - see the next change in relation to dsa_tree_find_first_conduit()\n and LAG conduits which disappear.\n We have to be prepared to return to the physical conduit, so the CPU\n port must explicitly keep another reference to it. This is also to\n say: the user ports and their CPU ports may not always keep a\n reference to the same conduit net device, and both are needed.\n\nAs for the conduit\u0027s kobject for the /sys/class/net/ entry, we don\u0027t\ncare about it, we can release it as soon as we hold the net device\nobject itself.\n\nHistory and blame attribution\n-----------------------------\n\nThe code has been refactored so many times, it is very difficult to\nfollow and properly attribute a blame, but I\u0027ll try to make a short\nhistory which I hope to be correct.\n\nWe have two distinct probing paths:\n- one for OF, introduced in 2016 i\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:03.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec2b34acb1894cfc10ed22d8277ca4f11e9f4b23"
},
{
"url": "https://git.kernel.org/stable/c/b358fc6ff3b35a29f7f677da1c67af67d0d560cb"
},
{
"url": "https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd"
},
{
"url": "https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9"
}
],
"title": "net: dsa: properly keep track of conduit reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71152",
"datePublished": "2026-01-23T14:25:52.022Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-03-25T10:20:03.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71163 (GCVE-0-2025-71163)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
dmaengine: idxd: fix device leaks on compat bind and unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: fix device leaks on compat bind and unbind
Make sure to drop the reference taken when looking up the idxd device as
part of the compat bind and unbind sysfs interface.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < b7bd948f89271c92d9ca9b2b682bfba56896e959
(git)
Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < b2d077180a56e3b7c97b7517d0465b584adc693b (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99 (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < 0c97ff108f825a70c3bb29d65ddf0a013d231bb9 (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < a7226fd61def74b60dd8e47ec84cabafc39d575b (git) Affected: 6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 , < 799900f01792cf8b525a44764f065f83fcafd468 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7bd948f89271c92d9ca9b2b682bfba56896e959",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "b2d077180a56e3b7c97b7517d0465b584adc693b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "0c97ff108f825a70c3bb29d65ddf0a013d231bb9",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "a7226fd61def74b60dd8e47ec84cabafc39d575b",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
},
{
"lessThan": "799900f01792cf8b525a44764f065f83fcafd468",
"status": "affected",
"version": "6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/compat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix device leaks on compat bind and unbind\n\nMake sure to drop the reference taken when looking up the idxd device as\npart of the compat bind and unbind sysfs interface."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:02.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7bd948f89271c92d9ca9b2b682bfba56896e959"
},
{
"url": "https://git.kernel.org/stable/c/b2d077180a56e3b7c97b7517d0465b584adc693b"
},
{
"url": "https://git.kernel.org/stable/c/c81ea0222eaaafdd77348e27d1e84a1b8cfc0c99"
},
{
"url": "https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9"
},
{
"url": "https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b"
},
{
"url": "https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468"
}
],
"title": "dmaengine: idxd: fix device leaks on compat bind and unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71163",
"datePublished": "2026-01-25T14:36:10.142Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-02-09T08:36:02.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71148 (GCVE-0-2025-71148)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
net/handshake: restore destructor on submit failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: restore destructor on submit failure
handshake_req_submit() replaces sk->sk_destruct but never restores it when
submission fails before the request is hashed. handshake_sk_destruct() then
returns early and the original destructor never runs, leaking the socket.
Restore sk_destruct on the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b3009ea8abb713b022d94fba95ec270cf6e7eae , < cd8cf2be3717137554744233fda051ffc09d1d44
(git)
Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 7b82a1d6ae869533d8bdb0282a3a78faed8e63dd (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < b225325be7b247c7268e65eea6090db1fc786d1f (git) Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 6af2a01d65f89e73c1cbb9267f8880d83a88cee4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd8cf2be3717137554744233fda051ffc09d1d44",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "7b82a1d6ae869533d8bdb0282a3a78faed8e63dd",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "b225325be7b247c7268e65eea6090db1fc786d1f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "6af2a01d65f89e73c1cbb9267f8880d83a88cee4",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: restore destructor on submit failure\n\nhandshake_req_submit() replaces sk-\u003esk_destruct but never restores it when\nsubmission fails before the request is hashed. handshake_sk_destruct() then\nreturns early and the original destructor never runs, leaking the socket.\nRestore sk_destruct on the error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:45.279Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44"
},
{
"url": "https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd"
},
{
"url": "https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f"
},
{
"url": "https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4"
}
],
"title": "net/handshake: restore destructor on submit failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71148",
"datePublished": "2026-01-23T14:15:14.963Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:45.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23011 (GCVE-0-2026-23011)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
ipv4: ip_gre: make ipgre_header() robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: ip_gre: make ipgre_header() robust
Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Over the years, syzbot found many ways to crash the kernel
in ipgre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ipgre device.
[1]
skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
kernel BUG at net/core/skbuff.c:213 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
Call Trace:
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c54419321455631079c7d6e60bc732dd0c5914c5 , < eeb9a521de40c6fadccc12fa5205e5a1b364d5a8
(git)
Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 8d5b6b2d79c1c22a5b0db1187a6439dff375a022 (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 2ecf0aa7cc262472a9599cc51ba02ada0897a17a (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 06fe0801396a36cab865b34f666de1d65bc5ce8e (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < aa57bfea4674e6da8104fa3a37760a6f5f255dad (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < 554201ed0a8f4d32e719f42caeaeb2735a9ed6ca (git) Affected: c54419321455631079c7d6e60bc732dd0c5914c5 , < e67c577d89894811ce4dcd1a9ed29d8b63476667 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eeb9a521de40c6fadccc12fa5205e5a1b364d5a8",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "8d5b6b2d79c1c22a5b0db1187a6439dff375a022",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "2ecf0aa7cc262472a9599cc51ba02ada0897a17a",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "06fe0801396a36cab865b34f666de1d65bc5ce8e",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "aa57bfea4674e6da8104fa3a37760a6f5f255dad",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "554201ed0a8f4d32e719f42caeaeb2735a9ed6ca",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
},
{
"lessThan": "e67c577d89894811ce4dcd1a9ed29d8b63476667",
"status": "affected",
"version": "c54419321455631079c7d6e60bc732dd0c5914c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to commit db5b4e39c4e6 (\"ip6_gre: make ip6gre_header() robust\")\n\nOver the years, syzbot found many ways to crash the kernel\nin ipgre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ipgre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0\n kernel BUG at net/core/skbuff.c:213 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: mld mld_ifc_work\n RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213\nCall Trace:\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:04.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eeb9a521de40c6fadccc12fa5205e5a1b364d5a8"
},
{
"url": "https://git.kernel.org/stable/c/8d5b6b2d79c1c22a5b0db1187a6439dff375a022"
},
{
"url": "https://git.kernel.org/stable/c/2ecf0aa7cc262472a9599cc51ba02ada0897a17a"
},
{
"url": "https://git.kernel.org/stable/c/06fe0801396a36cab865b34f666de1d65bc5ce8e"
},
{
"url": "https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad"
},
{
"url": "https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca"
},
{
"url": "https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667"
}
],
"title": "ipv4: ip_gre: make ipgre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23011",
"datePublished": "2026-01-25T14:36:24.455Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:37:04.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23005 (GCVE-0-2026-23005)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in
response to a guest WRMSR, clear XFD-disabled features in the saved (or to
be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for
features that are disabled via the guest's XFD. Because the kernel
executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1
will cause XRSTOR to #NM and panic the kernel.
E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848
Modules linked in: kvm_intel kvm irqbypass
CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
switch_fpu_return+0x4a/0xb0
kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,
and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's
call to fpu_update_guest_xfd().
and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867
Modules linked in: kvm_intel kvm irqbypass
CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
fpu_swap_kvm_fpstate+0x6b/0x120
kvm_load_guest_fpu+0x30/0x80 [kvm]
kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
The new behavior is consistent with the AMX architecture. Per Intel's SDM,
XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD
(and non-compacted XSAVE saves the initial configuration of the state
component):
If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,
the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;
instead, it operates as if XINUSE[i] = 0 (and the state component was
in its initial state): it saves bit i of XSTATE_BV field of the XSAVE
header as 0; in addition, XSAVE saves the initial configuration of the
state component (the other instructions do not save state component i).
Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using
a constant XFD based on the set of enabled features when XSAVEing for
a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled
features can only happen in the above interrupt case, or in similar
scenarios involving preemption on preemptible kernels, because
fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the
outgoing FPU state with the current XFD; and that is (on all but the
first WRMSR to XFD) the guest XFD.
Therefore, XFD can only go out of sync with XSTATE_BV in the above
interrupt case, or in similar scenarios involving preemption on
preemptible kernels, and it we can consider it (de facto) part of KVM
ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.
[Move clea
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
820a6ee944e74e57255ac2e90916ecdaade57b95 , < b5995c01ba53d84182ecb9492fc4d91cfe8a362d
(git)
Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < 1e2848bda819af569dfe7ab186223855e092a2cb (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < f577508cc8a0adb8b4ebe9480bba7683b6149930 (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < eea6f395ca502c4528314c8112da9b5d65f685eb (git) Affected: 820a6ee944e74e57255ac2e90916ecdaade57b95 , < b45f721775947a84996deb5c661602254ce25ce6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5995c01ba53d84182ecb9492fc4d91cfe8a362d",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "1e2848bda819af569dfe7ab186223855e092a2cb",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "f577508cc8a0adb8b4ebe9480bba7683b6149930",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "eea6f395ca502c4528314c8112da9b5d65f685eb",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
},
{
"lessThan": "b45f721775947a84996deb5c661602254ce25ce6",
"status": "affected",
"version": "820a6ee944e74e57255ac2e90916ecdaade57b95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/fpu/core.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1\n\nWhen loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in\nresponse to a guest WRMSR, clear XFD-disabled features in the saved (or to\nbe restored) XSTATE_BV to ensure KVM doesn\u0027t attempt to load state for\nfeatures that are disabled via the guest\u0027s XFD. Because the kernel\nexecutes XRSTOR with the guest\u0027s XFD, saving XSTATE_BV[i]=1 with XFD[i]=1\nwill cause XRSTOR to #NM and panic the kernel.\n\nE.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n switch_fpu_return+0x4a/0xb0\n kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThis can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,\nand a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler\u0027s\ncall to fpu_update_guest_xfd().\n\nand if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n fpu_swap_kvm_fpstate+0x6b/0x120\n kvm_load_guest_fpu+0x30/0x80 [kvm]\n kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThe new behavior is consistent with the AMX architecture. Per Intel\u0027s SDM,\nXSAVE saves XSTATE_BV as \u00270\u0027 for components that are disabled via XFD\n(and non-compacted XSAVE saves the initial configuration of the state\ncomponent):\n\n If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,\n the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;\n instead, it operates as if XINUSE[i] = 0 (and the state component was\n in its initial state): it saves bit i of XSTATE_BV field of the XSAVE\n header as 0; in addition, XSAVE saves the initial configuration of the\n state component (the other instructions do not save state component i).\n\nAlternatively, KVM could always do XRSTOR with XFD=0, e.g. by using\na constant XFD based on the set of enabled features when XSAVEing for\na struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled\nfeatures can only happen in the above interrupt case, or in similar\nscenarios involving preemption on preemptible kernels, because\nfpu_swap_kvm_fpstate()\u0027s call to save_fpregs_to_fpstate() saves the\noutgoing FPU state with the current XFD; and that is (on all but the\nfirst WRMSR to XFD) the guest XFD.\n\nTherefore, XFD can only go out of sync with XSTATE_BV in the above\ninterrupt case, or in similar scenarios involving preemption on\npreemptible kernels, and it we can consider it (de facto) part of KVM\nABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.\n\n[Move clea\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:57.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5995c01ba53d84182ecb9492fc4d91cfe8a362d"
},
{
"url": "https://git.kernel.org/stable/c/1e2848bda819af569dfe7ab186223855e092a2cb"
},
{
"url": "https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930"
},
{
"url": "https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb"
},
{
"url": "https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6"
}
],
"title": "x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23005",
"datePublished": "2026-01-25T14:36:19.021Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:36:57.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22994 (GCVE-0-2026-22994)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
syzbot is reporting
unregister_netdevice: waiting for sit0 to become free. Usage count = 2
problem. A debug printk() patch found that a refcount is obtained at
xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().
According to commit ec94670fcb3b ("bpf: Support specifying ingress via
xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by
xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().
Therefore, we can consider that the error handling path introduced by
commit 1c1949982524 ("bpf: introduce frags support to
bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1c194998252469cad00a08bd9ef0b99fd255c260 , < 368569bc546d3368ee9980ba79fc42fdff9a3365
(git)
Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < 98676ee71fd4eafeb8be63c7f3f1905d40e03101 (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < fb9ef40cccdbacce36029b305d0ef1e12e4fea38 (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < 737be05a765761d7d7c9f7fe92274bd8e6f6951e (git) Affected: 1c194998252469cad00a08bd9ef0b99fd255c260 , < ec69daabe45256f98ac86c651b8ad1b2574489a7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "368569bc546d3368ee9980ba79fc42fdff9a3365",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "98676ee71fd4eafeb8be63c7f3f1905d40e03101",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "fb9ef40cccdbacce36029b305d0ef1e12e4fea38",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "737be05a765761d7d7c9f7fe92274bd8e6f6951e",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
},
{
"lessThan": "ec69daabe45256f98ac86c651b8ad1b2574489a7",
"status": "affected",
"version": "1c194998252469cad00a08bd9ef0b99fd255c260",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:45.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365"
},
{
"url": "https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101"
},
{
"url": "https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38"
},
{
"url": "https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e"
},
{
"url": "https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7"
}
],
"title": "bpf: Fix reference count leak in bpf_prog_test_run_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22994",
"datePublished": "2026-01-23T15:24:14.749Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:45.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22986 (GCVE-0-2026-22986)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
gpiolib: fix race condition for gdev->srcu
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: fix race condition for gdev->srcu
If two drivers were calling gpiochip_add_data_with_key(), one may be
traversing the srcu-protected list in gpio_name_to_desc(), meanwhile
other has just added its gdev in gpiodev_add_to_list_unlocked().
This creates a non-mutexed and non-protected timeframe, when one
instance is dereferencing and using &gdev->srcu, before the other
has initialized it, resulting in crash:
[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000
[ 4.943396] Mem abort info:
[ 4.943400] ESR = 0x0000000096000005
[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.943407] SET = 0, FnV = 0
[ 4.943410] EA = 0, S1PTW = 0
[ 4.943413] FSC = 0x05: level 1 translation fault
[ 4.943416] Data abort info:
[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000
[ 4.961449] [ffff800272bcc000] pgd=0000000000000000
[ 4.969203] , p4d=1000000039739003
[ 4.979730] , pud=0000000000000000
[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset"
[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
...
[ 5.121359] pc : __srcu_read_lock+0x44/0x98
[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0
[ 5.153671] sp : ffff8000833bb430
[ 5.298440]
[ 5.298443] Call trace:
[ 5.298445] __srcu_read_lock+0x44/0x98
[ 5.309484] gpio_name_to_desc+0x60/0x1a0
[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00
5.946419] ---[ end trace 0000000000000000 ]---
Move initialization code for gdev fields before it is added to
gpio_devices, with adjacent initialization code.
Adjust goto statements to reflect modified order of operations
[Bartosz: fixed a build issue, removed stray newline]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb674c8f1a5d8dd3113a7326030f963fa2d79c02",
"status": "affected",
"version": "47d8b4c1d868148c8fb51b785a89e58ca2d02c4d",
"versionType": "git"
},
{
"lessThan": "a7ac22d53d0990152b108c3f4fe30df45fcb0181",
"status": "affected",
"version": "47d8b4c1d868148c8fb51b785a89e58ca2d02c4d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix race condition for gdev-\u003esrcu\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using \u0026gdev-\u003esrcu, before the other\nhas initialized it, resulting in crash:\n\n[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[ 4.943396] Mem abort info:\n[ 4.943400] ESR = 0x0000000096000005\n[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 4.943407] SET = 0, FnV = 0\n[ 4.943410] EA = 0, S1PTW = 0\n[ 4.943413] FSC = 0x05: level 1 translation fault\n[ 4.943416] Data abort info:\n[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[ 4.961449] [ffff800272bcc000] pgd=0000000000000000\n[ 4.969203] , p4d=1000000039739003\n[ 4.979730] , pud=0000000000000000\n[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[ 5.121359] pc : __srcu_read_lock+0x44/0x98\n[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[ 5.153671] sp : ffff8000833bb430\n[ 5.298440]\n[ 5.298443] Call trace:\n[ 5.298445] __srcu_read_lock+0x44/0x98\n[ 5.309484] gpio_name_to_desc+0x60/0x1a0\n[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00\n 5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements to reflect modified order of operations\n\n[Bartosz: fixed a build issue, removed stray newline]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:36.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02"
},
{
"url": "https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181"
}
],
"title": "gpiolib: fix race condition for gdev-\u003esrcu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22986",
"datePublished": "2026-01-23T15:24:07.932Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:36.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22998 (GCVE-0-2026-22998)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f775f2621c2ac5cc3a0b3a64665dad4fb146e510 , < baabe43a0edefac8cd7b981ff87f967f6034dafe
(git)
Affected: 4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d , < 76abc83a9d25593c2b7613c549413079c14a4686 (git) Affected: 2871aa407007f6f531fae181ad252486e022df42 , < 7d75570002929d20e40110d6b03e46202c9d1bc7 (git) Affected: 24e05760186dc070d3db190ca61efdbce23afc88 , < fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4 (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 3def5243150716be86599c2a1767c29c68838b6d (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 374b095e265fa27465f34780e0eb162ff1bef913 (git) Affected: efa56305908ba20de2104f1b8508c6a7401833be , < 32b63acd78f577b332d976aa06b56e70d054cbba (git) Affected: ee5e7632e981673f42a50ade25e71e612e543d9d (git) Affected: 70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "baabe43a0edefac8cd7b981ff87f967f6034dafe",
"status": "affected",
"version": "f775f2621c2ac5cc3a0b3a64665dad4fb146e510",
"versionType": "git"
},
{
"lessThan": "76abc83a9d25593c2b7613c549413079c14a4686",
"status": "affected",
"version": "4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d",
"versionType": "git"
},
{
"lessThan": "7d75570002929d20e40110d6b03e46202c9d1bc7",
"status": "affected",
"version": "2871aa407007f6f531fae181ad252486e022df42",
"versionType": "git"
},
{
"lessThan": "fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4",
"status": "affected",
"version": "24e05760186dc070d3db190ca61efdbce23afc88",
"versionType": "git"
},
{
"lessThan": "3def5243150716be86599c2a1767c29c68838b6d",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "374b095e265fa27465f34780e0eb162ff1bef913",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"lessThan": "32b63acd78f577b332d976aa06b56e70d054cbba",
"status": "affected",
"version": "efa56305908ba20de2104f1b8508c6a7401833be",
"versionType": "git"
},
{
"status": "affected",
"version": "ee5e7632e981673f42a50ade25e71e612e543d9d",
"versionType": "git"
},
{
"status": "affected",
"version": "70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.268",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command\u0027s data structures (cmd-\u003ereq.sg and cmd-\u003eiov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd-\u003ereq.sg and cmd-\u003eiov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n- WRITE commands: both allocated"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:50.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"
},
{
"url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"
},
{
"url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"
},
{
"url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"
},
{
"url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"
},
{
"url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"
},
{
"url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"
}
],
"title": "nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22998",
"datePublished": "2026-01-25T14:36:12.935Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:50.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71161 (GCVE-0-2025-71161)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-03-25 10:20
VLAI?
EPSS
Title
dm-verity: disable recursive forward error correction
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-verity: disable recursive forward error correction
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
has 253 iterations. For each iteration, we may call verity_hash_for_block
recursively. There is a limit of 4 nested recursions - that means that
there may be at most 253^4 (4 billion) iterations. Red Hat QE team
actually created an image that pushes dm-verity to this limit - and this
image just makes the udev-worker process get stuck in the 'D' state.
2. It doesn't work. In fec_read_bufs we store data into the variable
"fio->bufs", but fio bufs is shared between recursive invocations, if
"verity_hash_for_block" invoked correction recursively, it would
overwrite partially filled fio->bufs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < e227d2b229c7529bd98d348efc55262ccf24ab35
(git)
Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 897d9006e75f46f8bd7df78faa424327ae6a4bcf (git) Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 4220cb37406915c926c0e4a3dbab77cd9cceeb1e (git) Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < 232948cf600fba69aff36b25d85ef91a73a35756 (git) Affected: a739ff3f543afbb4a041c16cd0182c8e8d366e70 , < d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-fec.c",
"drivers/md/dm-verity-fec.h",
"drivers/md/dm-verity-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e227d2b229c7529bd98d348efc55262ccf24ab35",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "897d9006e75f46f8bd7df78faa424327ae6a4bcf",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "4220cb37406915c926c0e4a3dbab77cd9cceeb1e",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "232948cf600fba69aff36b25d85ef91a73a35756",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
},
{
"lessThan": "d9f3e47d3fae0c101d9094bc956ed24e7a0ee801",
"status": "affected",
"version": "a739ff3f543afbb4a041c16cd0182c8e8d366e70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-fec.c",
"drivers/md/dm-verity-fec.h",
"drivers/md/dm-verity-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the \u0027D\u0027 state.\n\n2. It doesn\u0027t work. In fec_read_bufs we store data into the variable\n\"fio-\u003ebufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio-\u003ebufs."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:05.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e227d2b229c7529bd98d348efc55262ccf24ab35"
},
{
"url": "https://git.kernel.org/stable/c/897d9006e75f46f8bd7df78faa424327ae6a4bcf"
},
{
"url": "https://git.kernel.org/stable/c/4220cb37406915c926c0e4a3dbab77cd9cceeb1e"
},
{
"url": "https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756"
},
{
"url": "https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801"
}
],
"title": "dm-verity: disable recursive forward error correction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71161",
"datePublished": "2026-01-23T15:23:59.464Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-03-25T10:20:05.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22992 (GCVE-0-2026-22992)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: return the handler error from mon_handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 77229551f2cf72f3e35636db68e6a825b912cf16
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 33908769248b38a5e77cf9292817bb28e641992d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e097cd858196b1914309e7e3d79b4fa79383754d (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < d2c4a5f6996683f287f3851ef5412797042de7f1 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 9e0101e57534ef0e7578dd09608a6106736b82e5 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < e84b48d31b5008932c0a0902982809fbaa1d3b70 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77229551f2cf72f3e35636db68e6a825b912cf16",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "33908769248b38a5e77cf9292817bb28e641992d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e097cd858196b1914309e7e3d79b4fa79383754d",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "d2c4a5f6996683f287f3851ef5412797042de7f1",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "9e0101e57534ef0e7578dd09608a6106736b82e5",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "e84b48d31b5008932c0a0902982809fbaa1d3b70",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/mon_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn\u0027t returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:43.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16"
},
{
"url": "https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d"
},
{
"url": "https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d"
},
{
"url": "https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1"
},
{
"url": "https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5"
},
{
"url": "https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70"
}
],
"title": "libceph: return the handler error from mon_handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22992",
"datePublished": "2026-01-23T15:24:12.993Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:43.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23009 (GCVE-0-2026-23009)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
xhci: sideband: don't dereference freed ring when removing sideband endpoint
Summary
In the Linux kernel, the following vulnerability has been resolved:
xhci: sideband: don't dereference freed ring when removing sideband endpoint
xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is
running and has a valid transfer ring.
Lianqin reported a crash during suspend/wake-up stress testing, and
found the cause to be dereferencing a non-existing transfer ring
'ep->ring' during xhci_sideband_remove_endpoint().
The endpoint and its ring may be in unknown state if this function
is called after xHCI was reinitialized in resume (lost power), or if
device is being re-enumerated, disconnected or endpoint already dropped.
Fix this by both removing unnecessary ring access, and by checking
ep->ring exists before dereferencing it. Also make sure endpoint is
running before attempting to stop it.
Remove the xhci_initialize_ring_info() call during sideband endpoint
removal as is it only initializes ring structure enqueue, dequeue and
cycle state values to their starting values without changing actual
hardware enqueue, dequeue and cycle state. Leaving them out of sync
is worse than leaving it as it is. The endpoint will get freed in after
this in most usecases.
If the (audio) class driver want's to reuse the endpoint after offload
then it is up to the class driver to ensure endpoint is properly set up.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-sideband.c",
"drivers/usb/host/xhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34f6634dba87ef72b3c3a3a524be663adef7ab42",
"status": "affected",
"version": "de66754e9f8029f8ae955a588959b99cab56b506",
"versionType": "git"
},
{
"lessThan": "dd83dc1249737b837ac5d57c81f2b0977c613d9f",
"status": "affected",
"version": "de66754e9f8029f8ae955a588959b99cab56b506",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-sideband.c",
"drivers/usb/host/xhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: sideband: don\u0027t dereference freed ring when removing sideband endpoint\n\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\nrunning and has a valid transfer ring.\n\nLianqin reported a crash during suspend/wake-up stress testing, and\nfound the cause to be dereferencing a non-existing transfer ring\n\u0027ep-\u003ering\u0027 during xhci_sideband_remove_endpoint().\n\nThe endpoint and its ring may be in unknown state if this function\nis called after xHCI was reinitialized in resume (lost power), or if\ndevice is being re-enumerated, disconnected or endpoint already dropped.\n\nFix this by both removing unnecessary ring access, and by checking\nep-\u003ering exists before dereferencing it. Also make sure endpoint is\nrunning before attempting to stop it.\n\nRemove the xhci_initialize_ring_info() call during sideband endpoint\nremoval as is it only initializes ring structure enqueue, dequeue and\ncycle state values to their starting values without changing actual\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\nis worse than leaving it as it is. The endpoint will get freed in after\nthis in most usecases.\n\nIf the (audio) class driver want\u0027s to reuse the endpoint after offload\nthen it is up to the class driver to ensure endpoint is properly set up."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:02.075Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42"
},
{
"url": "https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f"
}
],
"title": "xhci: sideband: don\u0027t dereference freed ring when removing sideband endpoint",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23009",
"datePublished": "2026-01-25T14:36:22.817Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:37:02.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22989 (GCVE-0-2026-22989)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
nfsd: check that server is running in unlock_filesystem
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: check that server is running in unlock_filesystem
If we are trying to unlock the filesystem via an administrative
interface and nfsd isn't running, it crashes the server. This
happens currently because nfsd4_revoke_states() access state
structures (eg., conf_id_hashtbl) that has been freed as a part
of the server shutdown.
[ 59.465072] Call trace:
[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)
[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]
[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]
[ 59.466780] vfs_write+0x1f0/0x938
[ 59.467088] ksys_write+0xfc/0x1f8
[ 59.467395] __arm64_sys_write+0x74/0xb8
[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8
[ 59.468177] do_el0_svc+0x154/0x1d8
[ 59.468489] el0_svc+0x40/0xe0
[ 59.468767] el0t_64_sync_handler+0xa0/0xe8
[ 59.469138] el0t_64_sync+0x1ac/0x1b0
Ensure this can't happen by taking the nfsd_mutex and checking that
the server is still up, and then holding the mutex across the call to
nfsd4_revoke_states().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1ac3629bf012592cb0320e52a1cceb319a05ad17 , < d95499900fe52f3d461ed26b7a30bebea8f12914
(git)
Affected: 1ac3629bf012592cb0320e52a1cceb319a05ad17 , < e06c9f6c0f554148d4921c2a15bd054260a054ac (git) Affected: 1ac3629bf012592cb0320e52a1cceb319a05ad17 , < d0424066fcd294977f310964bed6f2a487fa4515 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d95499900fe52f3d461ed26b7a30bebea8f12914",
"status": "affected",
"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17",
"versionType": "git"
},
{
"lessThan": "e06c9f6c0f554148d4921c2a15bd054260a054ac",
"status": "affected",
"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17",
"versionType": "git"
},
{
"lessThan": "d0424066fcd294977f310964bed6f2a487fa4515",
"status": "affected",
"version": "1ac3629bf012592cb0320e52a1cceb319a05ad17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c",
"fs/nfsd/nfsctl.c",
"fs/nfsd/state.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: check that server is running in unlock_filesystem\n\nIf we are trying to unlock the filesystem via an administrative\ninterface and nfsd isn\u0027t running, it crashes the server. This\nhappens currently because nfsd4_revoke_states() access state\nstructures (eg., conf_id_hashtbl) that has been freed as a part\nof the server shutdown.\n\n[ 59.465072] Call trace:\n[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]\n[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[ 59.466780] vfs_write+0x1f0/0x938\n[ 59.467088] ksys_write+0xfc/0x1f8\n[ 59.467395] __arm64_sys_write+0x74/0xb8\n[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8\n[ 59.468177] do_el0_svc+0x154/0x1d8\n[ 59.468489] el0_svc+0x40/0xe0\n[ 59.468767] el0t_64_sync_handler+0xa0/0xe8\n[ 59.469138] el0t_64_sync+0x1ac/0x1b0\n\nEnsure this can\u0027t happen by taking the nfsd_mutex and checking that\nthe server is still up, and then holding the mutex across the call to\nnfsd4_revoke_states()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:40.267Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914"
},
{
"url": "https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac"
},
{
"url": "https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515"
}
],
"title": "nfsd: check that server is running in unlock_filesystem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22989",
"datePublished": "2026-01-23T15:24:10.523Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:40.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23012 (GCVE-0-2026-23012)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
mm/damon/core: remove call_control in inactive contexts
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: remove call_control in inactive contexts
If damon_call() is executed against a DAMON context that is not running,
the function returns error while keeping the damon_call_control object
linked to the context's call_controls list. Let's suppose the object is
deallocated after the damon_call(), and yet another damon_call() is
executed against the same context. The function tries to add the new
damon_call_control object to the call_controls list, which still has the
pointer to the previous damon_call_control object, which is deallocated.
As a result, use-after-free happens.
This can actually be triggered using the DAMON sysfs interface. It is not
easily exploitable since it requires the sysfs write permission and making
a definitely weird file writes, though. Please refer to the report for
more details about the issue reproduction steps.
Fix the issue by making two changes. Firstly, move the final
kdamond_call() for cancelling all existing damon_call() requests from
terminating DAMON context to be done before the ctx->kdamond reset. This
makes any code that sees NULL ctx->kdamond can safely assume the context
may not access damon_call() requests anymore. Secondly, let damon_call()
to cleanup the damon_call_control objects that were added to the
already-terminated DAMON context, before returning the error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23b061f421eef03647b512f3df48861706c87db3",
"status": "affected",
"version": "004ded6bee11b8ed463cdc54b89a4390f4b64f6d",
"versionType": "git"
},
{
"lessThan": "f9132fbc2e83baf2c45a77043672a63a675c9394",
"status": "affected",
"version": "004ded6bee11b8ed463cdc54b89a4390f4b64f6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: remove call_control in inactive contexts\n\nIf damon_call() is executed against a DAMON context that is not running,\nthe function returns error while keeping the damon_call_control object\nlinked to the context\u0027s call_controls list. Let\u0027s suppose the object is\ndeallocated after the damon_call(), and yet another damon_call() is\nexecuted against the same context. The function tries to add the new\ndamon_call_control object to the call_controls list, which still has the\npointer to the previous damon_call_control object, which is deallocated. \nAs a result, use-after-free happens.\n\nThis can actually be triggered using the DAMON sysfs interface. It is not\neasily exploitable since it requires the sysfs write permission and making\na definitely weird file writes, though. Please refer to the report for\nmore details about the issue reproduction steps.\n\nFix the issue by making two changes. Firstly, move the final\nkdamond_call() for cancelling all existing damon_call() requests from\nterminating DAMON context to be done before the ctx-\u003ekdamond reset. This\nmakes any code that sees NULL ctx-\u003ekdamond can safely assume the context\nmay not access damon_call() requests anymore. Secondly, let damon_call()\nto cleanup the damon_call_control objects that were added to the\nalready-terminated DAMON context, before returning the error."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:05.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3"
},
{
"url": "https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394"
}
],
"title": "mm/damon/core: remove call_control in inactive contexts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23012",
"datePublished": "2026-01-25T14:36:25.187Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-02-09T08:37:05.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71156 (GCVE-0-2025-71156)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
gve: defer interrupt enabling until NAPI registration
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: defer interrupt enabling until NAPI registration
Currently, interrupts are automatically enabled immediately upon
request. This allows interrupt to fire before the associated NAPI
context is fully initialized and cause failures like below:
[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10
Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto
enablement and explicitly enable the interrupt in NAPI initialization
path (and disable it during NAPI teardown).
This ensures that interrupt lifecycle is strictly coupled with
readiness of NAPI context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1dfc2e46117e5c41037e27e859e75a7518881ee6 , < f5b7f49bd2377916ad57cbd1210c61196daff013
(git)
Affected: 1dfc2e46117e5c41037e27e859e75a7518881ee6 , < 48f9277680925e1a8623d6b2c50aadb7af824ace (git) Affected: 1dfc2e46117e5c41037e27e859e75a7518881ee6 , < 3d970eda003441f66551a91fda16478ac0711617 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c",
"drivers/net/ethernet/google/gve/gve_utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5b7f49bd2377916ad57cbd1210c61196daff013",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
},
{
"lessThan": "48f9277680925e1a8623d6b2c50aadb7af824ace",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
},
{
"lessThan": "3d970eda003441f66551a91fda16478ac0711617",
"status": "affected",
"version": "1dfc2e46117e5c41037e27e859e75a7518881ee6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_main.c",
"drivers/net/ethernet/google/gve/gve_utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: defer interrupt enabling until NAPI registration\n\nCurrently, interrupts are automatically enabled immediately upon\nrequest. This allows interrupt to fire before the associated NAPI\ncontext is fully initialized and cause failures like below:\n\n[ 0.946369] Call Trace:\n[ 0.946369] \u003cIRQ\u003e\n[ 0.946369] __napi_poll+0x2a/0x1e0\n[ 0.946369] net_rx_action+0x2f9/0x3f0\n[ 0.946369] handle_softirqs+0xd6/0x2c0\n[ 0.946369] ? handle_edge_irq+0xc1/0x1b0\n[ 0.946369] __irq_exit_rcu+0xc3/0xe0\n[ 0.946369] common_interrupt+0x81/0xa0\n[ 0.946369] \u003c/IRQ\u003e\n[ 0.946369] \u003cTASK\u003e\n[ 0.946369] asm_common_interrupt+0x22/0x40\n[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10\n\nUse the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto\nenablement and explicitly enable the interrupt in NAPI initialization\npath (and disable it during NAPI teardown).\n\nThis ensures that interrupt lifecycle is strictly coupled with\nreadiness of NAPI context."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:54.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013"
},
{
"url": "https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace"
},
{
"url": "https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617"
}
],
"title": "gve: defer interrupt enabling until NAPI registration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71156",
"datePublished": "2026-01-23T14:25:55.456Z",
"dateReserved": "2026-01-13T15:30:19.663Z",
"dateUpdated": "2026-02-09T08:35:54.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22988 (GCVE-0-2026-22988)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
arp: do not assume dev_hard_header() does not change skb->head
Summary
In the Linux kernel, the following vulnerability has been resolved:
arp: do not assume dev_hard_header() does not change skb->head
arp_create() is the only dev_hard_header() caller
making assumption about skb->head being unchanged.
A recent commit broke this assumption.
Initialize @arp pointer after dev_hard_header() call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
17e7386234f740f3e7d5e58a47b5847ea34c3bc2 , < e432dbff342b95fe44645f9a90fcf333c80f4b5e
(git)
Affected: 41a1a3140aff295dee8063906f70a514548105e8 , < 393525dee5c39acff8d6705275d7fcaabcfb7f0a (git) Affected: adee129db814474f2f81207bd182bf343832a52e , < 70bddc16491ef4681f3569b3a2c80309a3edcdd1 (git) Affected: 1717357007db150c2d703f13f5695460e960f26c , < 029935507d0af6553c45380fbf6feecf756fd226 (git) Affected: 5fe210533e3459197eabfdbf97327dacbdc04d60 , < dd6ccec088adff4bdf33e2b2dd102df20a7128fa (git) Affected: 91a2b25be07ce1a7549ceebbe82017551d2eec92 , < 949647e7771a4a01963fe953a96d81fba7acecf3 (git) Affected: db5b4e39c4e63700c68a7e65fc4e1f1375273476 , < c92510f5e3f82ba11c95991824a41e59a9c5ed81 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e432dbff342b95fe44645f9a90fcf333c80f4b5e",
"status": "affected",
"version": "17e7386234f740f3e7d5e58a47b5847ea34c3bc2",
"versionType": "git"
},
{
"lessThan": "393525dee5c39acff8d6705275d7fcaabcfb7f0a",
"status": "affected",
"version": "41a1a3140aff295dee8063906f70a514548105e8",
"versionType": "git"
},
{
"lessThan": "70bddc16491ef4681f3569b3a2c80309a3edcdd1",
"status": "affected",
"version": "adee129db814474f2f81207bd182bf343832a52e",
"versionType": "git"
},
{
"lessThan": "029935507d0af6553c45380fbf6feecf756fd226",
"status": "affected",
"version": "1717357007db150c2d703f13f5695460e960f26c",
"versionType": "git"
},
{
"lessThan": "dd6ccec088adff4bdf33e2b2dd102df20a7128fa",
"status": "affected",
"version": "5fe210533e3459197eabfdbf97327dacbdc04d60",
"versionType": "git"
},
{
"lessThan": "949647e7771a4a01963fe953a96d81fba7acecf3",
"status": "affected",
"version": "91a2b25be07ce1a7549ceebbe82017551d2eec92",
"versionType": "git"
},
{
"lessThan": "c92510f5e3f82ba11c95991824a41e59a9c5ed81",
"status": "affected",
"version": "db5b4e39c4e63700c68a7e65fc4e1f1375273476",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.161",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThan": "6.6.121",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.66",
"status": "affected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThan": "6.18.6",
"status": "affected",
"version": "6.18.4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.12.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.18.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: do not assume dev_hard_header() does not change skb-\u003ehead\n\narp_create() is the only dev_hard_header() caller\nmaking assumption about skb-\u003ehead being unchanged.\n\nA recent commit broke this assumption.\n\nInitialize @arp pointer after dev_hard_header() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:38.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e"
},
{
"url": "https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a"
},
{
"url": "https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1"
},
{
"url": "https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226"
},
{
"url": "https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa"
},
{
"url": "https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3"
},
{
"url": "https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81"
}
],
"title": "arp: do not assume dev_hard_header() does not change skb-\u003ehead",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22988",
"datePublished": "2026-01-23T15:24:09.756Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:38.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71153 (GCVE-0-2025-71153)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
ksmbd: Fix memory leak in get_file_all_info()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix memory leak in get_file_all_info()
In get_file_all_info(), if vfs_getattr() fails, the function returns
immediately without freeing the allocated filename, leading to a memory
leak.
Fix this by freeing the filename before returning in this error case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c8f7ad2df083c510e640c0bf76166593cc116ff2 , < 5012b4c812230ae066902a00442708c999111183
(git)
Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < 676907004256e0226c7ed3691db9f431404ca258 (git) Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < d026f47db68638521df8543535ef863814fb01b1 (git) Affected: 5614c8c487f6af627614dd2efca038e4afe0c6d7 , < 0c56693b06a68476ba113db6347e7897475f9e4c (git) Affected: f9278ba4967027ad2bf001694f0e489c7bbae6d5 (git) Affected: 88779f09295d82b86601fe42595748488bf5e20c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5012b4c812230ae066902a00442708c999111183",
"status": "affected",
"version": "c8f7ad2df083c510e640c0bf76166593cc116ff2",
"versionType": "git"
},
{
"lessThan": "676907004256e0226c7ed3691db9f431404ca258",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "d026f47db68638521df8543535ef863814fb01b1",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"lessThan": "0c56693b06a68476ba113db6347e7897475f9e4c",
"status": "affected",
"version": "5614c8c487f6af627614dd2efca038e4afe0c6d7",
"versionType": "git"
},
{
"status": "affected",
"version": "f9278ba4967027ad2bf001694f0e489c7bbae6d5",
"versionType": "git"
},
{
"status": "affected",
"version": "88779f09295d82b86601fe42595748488bf5e20c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix memory leak in get_file_all_info()\n\nIn get_file_all_info(), if vfs_getattr() fails, the function returns\nimmediately without freeing the allocated filename, leading to a memory\nleak.\n\nFix this by freeing the filename before returning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:50.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183"
},
{
"url": "https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258"
},
{
"url": "https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1"
},
{
"url": "https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c"
}
],
"title": "ksmbd: Fix memory leak in get_file_all_info()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71153",
"datePublished": "2026-01-23T14:25:52.988Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22985 (GCVE-0-2026-22985)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-04-02 11:30
VLAI?
EPSS
Title
idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
The RSS LUT is not initialized until the interface comes up, causing
the following NULL pointer crash when ethtool operations like rxhash on/off
are performed before the interface is brought up for the first time.
Move RSS LUT initialization from ndo_open to vport creation to ensure LUT
is always available. This enables RSS configuration via ethtool before
bringing the interface up. Simplify LUT management by maintaining all
changes in the driver's soft copy and programming zeros to the indirection
table when rxhash is disabled. Defer HW programming until the interface
comes up if it is down during rxhash and LUT configuration changes.
Steps to reproduce:
** Load idpf driver; interfaces will be created
modprobe idpf
** Before bringing the interfaces up, turn rxhash off
ethtool -K eth2 rxhash off
[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
[89408.371908] #PF: supervisor read access in kernel mode
[89408.371924] #PF: error_code(0x0000) - not-present page
[89408.371940] PGD 0 P4D 0
[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
[89408.372310] Call Trace:
[89408.372317] <TASK>
[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]
[89408.372363] __netdev_update_features+0x295/0xde0
[89408.372384] ethnl_set_features+0x15e/0x460
[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180
[89408.372429] genl_rcv_msg+0x1ad/0x2b0
[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10
[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10
[89408.372482] netlink_rcv_skb+0x58/0x100
[89408.372502] genl_rcv+0x2c/0x50
[89408.372516] netlink_unicast+0x289/0x3e0
[89408.372533] netlink_sendmsg+0x215/0x440
[89408.372551] __sys_sendto+0x234/0x240
[89408.372571] __x64_sys_sendto+0x28/0x30
[89408.372585] x64_sys_call+0x1909/0x1da0
[89408.372604] do_syscall_64+0x7a/0xfa0
[89408.373140] ? clear_bhb_loop+0x60/0xb0
[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[89408.378887] </TASK>
<snip>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a251eee62133774cf35ff829041377e721ef9c8c , < df2790b5228fbd3ed415b70a231cffdad0431618
(git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < b29a5a7dd1f4293ee49c469938c25bf85a5aa802 (git) Affected: a251eee62133774cf35ff829041377e721ef9c8c , < 83f38f210b85676f40ba8586b5a8edae19b56995 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf.h",
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.h",
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df2790b5228fbd3ed415b70a231cffdad0431618",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
},
{
"lessThan": "b29a5a7dd1f4293ee49c469938c25bf85a5aa802",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
},
{
"lessThan": "83f38f210b85676f40ba8586b5a8edae19b56995",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf.h",
"drivers/net/ethernet/intel/idpf/idpf_lib.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.c",
"drivers/net/ethernet/intel/idpf/idpf_txrx.h",
"drivers/net/ethernet/intel/idpf/idpf_virtchnl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL pointer crash on early ethtool operations\n\nThe RSS LUT is not initialized until the interface comes up, causing\nthe following NULL pointer crash when ethtool operations like rxhash on/off\nare performed before the interface is brought up for the first time.\n\nMove RSS LUT initialization from ndo_open to vport creation to ensure LUT\nis always available. This enables RSS configuration via ethtool before\nbringing the interface up. Simplify LUT management by maintaining all\nchanges in the driver\u0027s soft copy and programming zeros to the indirection\ntable when rxhash is disabled. Defer HW programming until the interface\ncomes up if it is down during rxhash and LUT configuration changes.\n\nSteps to reproduce:\n** Load idpf driver; interfaces will be created\n\tmodprobe idpf\n** Before bringing the interfaces up, turn rxhash off\n\tethtool -K eth2 rxhash off\n\n[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[89408.371908] #PF: supervisor read access in kernel mode\n[89408.371924] #PF: error_code(0x0000) - not-present page\n[89408.371940] PGD 0 P4D 0\n[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003csnip\u003e\n[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130\n[89408.372310] Call Trace:\n[89408.372317] \u003cTASK\u003e\n[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]\n[89408.372363] __netdev_update_features+0x295/0xde0\n[89408.372384] ethnl_set_features+0x15e/0x460\n[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180\n[89408.372429] genl_rcv_msg+0x1ad/0x2b0\n[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10\n[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10\n[89408.372482] netlink_rcv_skb+0x58/0x100\n[89408.372502] genl_rcv+0x2c/0x50\n[89408.372516] netlink_unicast+0x289/0x3e0\n[89408.372533] netlink_sendmsg+0x215/0x440\n[89408.372551] __sys_sendto+0x234/0x240\n[89408.372571] __x64_sys_sendto+0x28/0x30\n[89408.372585] x64_sys_call+0x1909/0x1da0\n[89408.372604] do_syscall_64+0x7a/0xfa0\n[89408.373140] ? clear_bhb_loop+0x60/0xb0\n[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[89408.378887] \u003c/TASK\u003e\n\u003csnip\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:48.310Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df2790b5228fbd3ed415b70a231cffdad0431618"
},
{
"url": "https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802"
},
{
"url": "https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995"
}
],
"title": "idpf: Fix RSS LUT NULL pointer crash on early ethtool operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22985",
"datePublished": "2026-01-23T15:24:07.133Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-04-02T11:30:48.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22990 (GCVE-0-2026-22990)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 9aa0b0c14cefece078286d78b97d4c09685e372d
(git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 4b106fbb1c7b841cd402abd83eb2447164c799ea (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6afd2a4213524bc742b709599a3663aeaf77193c (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < d3613770e2677683e65d062da5e31f48c409abe9 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6c6cec3db3b418c4fdf815731bc39e46dff75e1b (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 6348d70af847b79805374fe628d3809a63fd7df3 (git) Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e00c3f71b5cf75681dbd74ee3f982a99cb690c2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aa0b0c14cefece078286d78b97d4c09685e372d",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "4b106fbb1c7b841cd402abd83eb2447164c799ea",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6afd2a4213524bc742b709599a3663aeaf77193c",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "d3613770e2677683e65d062da5e31f48c409abe9",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6c6cec3db3b418c4fdf815731bc39e46dff75e1b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "6348d70af847b79805374fe628d3809a63fd7df3",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
},
{
"lessThan": "e00c3f71b5cf75681dbd74ee3f982a99cb690c2b",
"status": "affected",
"version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG. Instead, just declare the incremental osdmap to be invalid."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:41.367Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d"
},
{
"url": "https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea"
},
{
"url": "https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c"
},
{
"url": "https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9"
},
{
"url": "https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b"
},
{
"url": "https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3"
},
{
"url": "https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b"
}
],
"title": "libceph: replace overzealous BUG_ON in osdmap_apply_incremental()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22990",
"datePublished": "2026-01-23T15:24:11.332Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:41.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23006 (GCVE-0-2026-23006)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
ASoC: tlv320adcx140: fix null pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: tlv320adcx140: fix null pointer
The "snd_soc_component" in "adcx140_priv" was only used once but never
set. It was only used for reaching "dev" which is already present in
"adcx140_priv".
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4e82971f7b556cff3491c867e8840e7d788693b9 , < 954260a32c21d5072d8e7253c0a8b1627927cb02
(git)
Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 659939d08e5f7bc17b941c53e8c9c0a6c6113b21 (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 61757f5191daab863d25f03680e912b5449a1eed (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < 53bd838ed5950cb18927e4b2e8ee841b7cb10929 (git) Affected: 4e82971f7b556cff3491c867e8840e7d788693b9 , < be7664c81d3129fc313ef62ff275fd3d33cfecd4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/tlv320adcx140.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "954260a32c21d5072d8e7253c0a8b1627927cb02",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "659939d08e5f7bc17b941c53e8c9c0a6c6113b21",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "61757f5191daab863d25f03680e912b5449a1eed",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "53bd838ed5950cb18927e4b2e8ee841b7cb10929",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
},
{
"lessThan": "be7664c81d3129fc313ef62ff275fd3d33cfecd4",
"status": "affected",
"version": "4e82971f7b556cff3491c867e8840e7d788693b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/tlv320adcx140.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: tlv320adcx140: fix null pointer\n\nThe \"snd_soc_component\" in \"adcx140_priv\" was only used once but never\nset. It was only used for reaching \"dev\" which is already present in\n\"adcx140_priv\"."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:58.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/954260a32c21d5072d8e7253c0a8b1627927cb02"
},
{
"url": "https://git.kernel.org/stable/c/659939d08e5f7bc17b941c53e8c9c0a6c6113b21"
},
{
"url": "https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed"
},
{
"url": "https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929"
},
{
"url": "https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4"
}
],
"title": "ASoC: tlv320adcx140: fix null pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23006",
"datePublished": "2026-01-25T14:36:19.819Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:36:58.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23002 (GCVE-0-2026-23002)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
lib/buildid: use __kernel_read() for sleepable context
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib/buildid: use __kernel_read() for sleepable context
Prevent a "BUG: unable to handle kernel NULL pointer dereference in
filemap_read_folio".
For the sleepable context, convert freader to use __kernel_read() instead
of direct page cache access via read_cache_folio(). This simplifies the
faultable code path by using the standard kernel file reading interface
which handles all the complexity of reading file data.
At the moment we are not changing the code for non-sleepable context which
uses filemap_get_folio() and only succeeds if the target folios are
already in memory and up-to-date. The reason is to keep the patch simple
and easier to backport to stable kernels.
Syzbot repro does not crash the kernel anymore and the selftests run
successfully.
In the follow up we will make __kernel_read() with IOCB_NOWAIT work for
non-sleepable contexts. In addition, I would like to replace the
secretmem check with a more generic approach and will add fstest for the
buildid code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ad41251c290dfe3c01472c94d2439a59de23fe97 , < b11dfb7708f212b96c7973a474014c071aa02e05
(git)
Affected: ad41251c290dfe3c01472c94d2439a59de23fe97 , < 568aeb3476c770a3863c755dd2a199c212434286 (git) Affected: ad41251c290dfe3c01472c94d2439a59de23fe97 , < 777a8560fd29738350c5094d4166fe5499452409 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/buildid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b11dfb7708f212b96c7973a474014c071aa02e05",
"status": "affected",
"version": "ad41251c290dfe3c01472c94d2439a59de23fe97",
"versionType": "git"
},
{
"lessThan": "568aeb3476c770a3863c755dd2a199c212434286",
"status": "affected",
"version": "ad41251c290dfe3c01472c94d2439a59de23fe97",
"versionType": "git"
},
{
"lessThan": "777a8560fd29738350c5094d4166fe5499452409",
"status": "affected",
"version": "ad41251c290dfe3c01472c94d2439a59de23fe97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/buildid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/buildid: use __kernel_read() for sleepable context\n\nPrevent a \"BUG: unable to handle kernel NULL pointer dereference in\nfilemap_read_folio\".\n\nFor the sleepable context, convert freader to use __kernel_read() instead\nof direct page cache access via read_cache_folio(). This simplifies the\nfaultable code path by using the standard kernel file reading interface\nwhich handles all the complexity of reading file data.\n\nAt the moment we are not changing the code for non-sleepable context which\nuses filemap_get_folio() and only succeeds if the target folios are\nalready in memory and up-to-date. The reason is to keep the patch simple\nand easier to backport to stable kernels.\n\nSyzbot repro does not crash the kernel anymore and the selftests run\nsuccessfully.\n\nIn the follow up we will make __kernel_read() with IOCB_NOWAIT work for\nnon-sleepable contexts. In addition, I would like to replace the\nsecretmem check with a more generic approach and will add fstest for the\nbuildid code."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:54.774Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05"
},
{
"url": "https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286"
},
{
"url": "https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409"
}
],
"title": "lib/buildid: use __kernel_read() for sleepable context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23002",
"datePublished": "2026-01-25T14:36:16.713Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:54.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71147 (GCVE-0-2025-71147)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2219745250f388edacabe6cca73654131c67d0a , < 3fd7df4636d8fd5e3592371967a5941204368936
(git)
Affected: f2219745250f388edacabe6cca73654131c67d0a , < af0689cafb127a8d1af78cc8b72585c9b2a19ecd (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 19166de9737218b77122c41a5730ac87025e089f (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9b015f2918b95bdde2ca9cefa10ef02b138aae1e (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 (git) Affected: f2219745250f388edacabe6cca73654131c67d0a , < 62cd5d480b9762ce70d720a81fa5b373052ae05f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3fd7df4636d8fd5e3592371967a5941204368936",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "af0689cafb127a8d1af78cc8b72585c9b2a19ecd",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "19166de9737218b77122c41a5730ac87025e089f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9b015f2918b95bdde2ca9cefa10ef02b138aae1e",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "9e7c63c69f57b1db1a8a1542359a6167ff8fcef1",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
},
{
"lessThan": "62cd5d480b9762ce70d720a81fa5b373052ae05f",
"status": "affected",
"version": "f2219745250f388edacabe6cca73654131c67d0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix a memory leak in tpm2_load_cmd\n\n\u0027tpm2_load_cmd\u0027 allocates a tempoary blob indirectly via \u0027tpm2_key_decode\u0027\nbut it is not freed in the failure paths. Address this by wrapping the blob\ninto with a cleanup helper."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:44.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936"
},
{
"url": "https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd"
},
{
"url": "https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f"
},
{
"url": "https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e"
},
{
"url": "https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1"
},
{
"url": "https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f"
}
],
"title": "KEYS: trusted: Fix a memory leak in tpm2_load_cmd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71147",
"datePublished": "2026-01-23T14:15:13.945Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:44.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71158 (GCVE-0-2025-71158)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
gpio: mpsse: ensure worker is torn down
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: mpsse: ensure worker is torn down
When an IRQ worker is running, unplugging the device would cause a
crash. The sealevel hardware this driver was written for was not
hotpluggable, so I never realized it.
This change uses a spinlock to protect a list of workers, which
it tears down on disconnect.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mpsse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "472d900c8bcac301ae0e40fdca7db799bd989ff5",
"status": "affected",
"version": "c46a74ff05c0ac76ba11ef21c930c3b447abf31a",
"versionType": "git"
},
{
"lessThan": "179ef1127d7a4f09f0e741fa9f30b8a8e7886271",
"status": "affected",
"version": "c46a74ff05c0ac76ba11ef21c930c3b447abf31a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-mpsse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: ensure worker is torn down\n\nWhen an IRQ worker is running, unplugging the device would cause a\ncrash. The sealevel hardware this driver was written for was not\nhotpluggable, so I never realized it.\n\nThis change uses a spinlock to protect a list of workers, which\nit tears down on disconnect."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:56.752Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5"
},
{
"url": "https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271"
}
],
"title": "gpio: mpsse: ensure worker is torn down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71158",
"datePublished": "2026-01-23T15:23:57.016Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-02-09T08:35:56.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22979 (GCVE-0-2026-22979)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: fix memory leak in skb_segment_list for GRO packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2eeab8c47c3c0276e0746bc382f405c9a236a5ad , < 0b27828ebd1ed3107d7929c3737adbe862e99e74
(git)
Affected: fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 , < 88bea149db2057112af3aaf63534b24fab5858ab (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < 3264881431e308b9c72cb8a0159d57a56d67dd79 (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < c114a32a2e70b82d447f409f7ffcfa3058f9d5bd (git) Affected: ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 , < 238e03d0466239410b72294b79494e43d4fabe77 (git) Affected: d225b0ac96dc40d7e8ae2bc227eb2c56e130975f (git) Affected: 5b3b67f731296027cceb3efad881ae281213f86f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b27828ebd1ed3107d7929c3737adbe862e99e74",
"status": "affected",
"version": "2eeab8c47c3c0276e0746bc382f405c9a236a5ad",
"versionType": "git"
},
{
"lessThan": "88bea149db2057112af3aaf63534b24fab5858ab",
"status": "affected",
"version": "fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6",
"versionType": "git"
},
{
"lessThan": "3264881431e308b9c72cb8a0159d57a56d67dd79",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"lessThan": "c114a32a2e70b82d447f409f7ffcfa3058f9d5bd",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"lessThan": "238e03d0466239410b72294b79494e43d4fabe77",
"status": "affected",
"version": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"versionType": "git"
},
{
"status": "affected",
"version": "d225b0ac96dc40d7e8ae2bc227eb2c56e130975f",
"versionType": "git"
},
{
"status": "affected",
"version": "5b3b67f731296027cceb3efad881ae281213f86f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "6.1.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb-\u003esk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment\u0027s\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n backtrace:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:29.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74"
},
{
"url": "https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab"
},
{
"url": "https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79"
},
{
"url": "https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd"
},
{
"url": "https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77"
}
],
"title": "net: fix memory leak in skb_segment_list for GRO packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22979",
"datePublished": "2026-01-23T15:24:01.340Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:29.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22991 (GCVE-0-2026-22991)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: make free_choose_arg_map() resilient to partial allocation
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make free_choose_arg_map() resilient to partial allocation
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5cf9c4a9959b6273675310d14a834ef14fbca37c , < 9b3730dabcf3764bfe3ff07caf55e641a0b45234
(git)
Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 851241d3f78a5505224dc21c03d8692f530256b4 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < ec1850f663da64842614c86b20fe734be070c2ba (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < 8081faaf089db5280c3be820948469f7c58ef8dd (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < f21c3fdb96833aac2f533506899fe38c19cf49d5 (git) Affected: 5cf9c4a9959b6273675310d14a834ef14fbca37c , < e3fe30e57649c551757a02e1cad073c47e1e075e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b3730dabcf3764bfe3ff07caf55e641a0b45234",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "851241d3f78a5505224dc21c03d8692f530256b4",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "ec1850f663da64842614c86b20fe734be070c2ba",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "8081faaf089db5280c3be820948469f7c58ef8dd",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "f21c3fdb96833aac2f533506899fe38c19cf49d5",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
},
{
"lessThan": "e3fe30e57649c551757a02e1cad073c47e1e075e",
"status": "affected",
"version": "5cf9c4a9959b6273675310d14a834ef14fbca37c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map-\u003eargs\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map-\u003esize is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map-\u003eargs and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:42.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234"
},
{
"url": "https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4"
},
{
"url": "https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba"
},
{
"url": "https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd"
},
{
"url": "https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf"
},
{
"url": "https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5"
},
{
"url": "https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e"
}
],
"title": "libceph: make free_choose_arg_map() resilient to partial allocation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22991",
"datePublished": "2026-01-23T15:24:12.191Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:42.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23004 (GCVE-0-2026-23004)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-03-25 10:20
VLAI?
EPSS
Title
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
in an interesting way [1]
Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
list->prev, while the prior write on list->next went well.
static inline void INIT_LIST_HEAD(struct list_head *list)
{
WRITE_ONCE(list->next, list); // This went well
WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
}
Issue here is that rt6_uncached_list_del() did not attempt to lock
ul->lock, as list_empty(&rt->dst.rt_uncached) returned
true because the WRITE_ONCE(list->next, list) happened on the other CPU.
We might use list_del_init_careful() and list_empty_careful(),
or make sure rt6_uncached_list_del() always grabs the spinlock
whenever rt->dst.rt_uncached_list has been set.
A similar fix is neeed for IPv4.
[1]
BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
INIT_LIST_HEAD include/linux/list.h:46 [inline]
list_del_init include/linux/list.h:296 [inline]
rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
netif_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 803:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
78df76a065ae3b5dbcb9a29912adc02f697de498 , < 815db2363e51f0ef416947492d4dac5b7a520f56
(git)
Affected: 78df76a065ae3b5dbcb9a29912adc02f697de498 , < f24a52948c95e02facbca2b3b6eb5a225e27eb01 (git) Affected: 78df76a065ae3b5dbcb9a29912adc02f697de498 , < 722de945216144af7cd4d39bdeb936108d2595a7 (git) Affected: 78df76a065ae3b5dbcb9a29912adc02f697de498 , < 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dst.c",
"net/ipv4/route.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "815db2363e51f0ef416947492d4dac5b7a520f56",
"status": "affected",
"version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
"versionType": "git"
},
{
"lessThan": "f24a52948c95e02facbca2b3b6eb5a225e27eb01",
"status": "affected",
"version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
"versionType": "git"
},
{
"lessThan": "722de945216144af7cd4d39bdeb936108d2595a7",
"status": "affected",
"version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
"versionType": "git"
},
{
"lessThan": "9a6f0c4d5796ab89b5a28a890ce542344d58bd69",
"status": "affected",
"version": "78df76a065ae3b5dbcb9a29912adc02f697de498",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dst.c",
"net/ipv4/route.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()\n\nsyzbot was able to crash the kernel in rt6_uncached_list_flush_dev()\nin an interesting way [1]\n\nCrash happens in list_del_init()/INIT_LIST_HEAD() while writing\nlist-\u003eprev, while the prior write on list-\u003enext went well.\n\nstatic inline void INIT_LIST_HEAD(struct list_head *list)\n{\n\tWRITE_ONCE(list-\u003enext, list); // This went well\n\tWRITE_ONCE(list-\u003eprev, list); // Crash, @list has been freed.\n}\n\nIssue here is that rt6_uncached_list_del() did not attempt to lock\nul-\u003elock, as list_empty(\u0026rt-\u003edst.rt_uncached) returned\ntrue because the WRITE_ONCE(list-\u003enext, list) happened on the other CPU.\n\nWe might use list_del_init_careful() and list_empty_careful(),\nor make sure rt6_uncached_list_del() always grabs the spinlock\nwhenever rt-\u003edst.rt_uncached_list has been set.\n\nA similar fix is neeed for IPv4.\n\n[1]\n\n BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]\n BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]\n BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\nWrite of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450\n\nCPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: netns cleanup_net\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n INIT_LIST_HEAD include/linux/list.h:46 [inline]\n list_del_init include/linux/list.h:296 [inline]\n rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\n addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853\n addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1\n notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\n call_netdevice_notifiers net/core/dev.c:2282 [inline]\n netif_close_many+0x29c/0x410 net/core/dev.c:1785\n unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353\n ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]\n ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248\n cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\n\nAllocated by task 803:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4953 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270\n dst_alloc+0x105/0x170 net/core/dst.c:89\n ip6_dst_alloc net/ipv6/route.c:342 [inline]\n icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333\n mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:11.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/815db2363e51f0ef416947492d4dac5b7a520f56"
},
{
"url": "https://git.kernel.org/stable/c/f24a52948c95e02facbca2b3b6eb5a225e27eb01"
},
{
"url": "https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7"
},
{
"url": "https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69"
}
],
"title": "dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23004",
"datePublished": "2026-01-25T14:36:18.233Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-03-25T10:20:11.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23008 (GCVE-0-2026-23008)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
EPSS
Title
drm/vmwgfx: Fix KMS with 3D on HW version 10
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix KMS with 3D on HW version 10
HW version 10 does not have GB Surfaces so there is no backing buffer for
surface backed FBs. This would result in a nullptr dereference and crash
the driver causing a black screen.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a91bdd21d5efb3072beefbec13762b7722200c49",
"status": "affected",
"version": "965544150d1cadf0e8f5bb6c13c19697e46e1429",
"versionType": "git"
},
{
"lessThan": "d9186faeae6efb7d0841a5e8eb213ff4c7966614",
"status": "affected",
"version": "965544150d1cadf0e8f5bb6c13c19697e46e1429",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix KMS with 3D on HW version 10\n\nHW version 10 does not have GB Surfaces so there is no backing buffer for\nsurface backed FBs. This would result in a nullptr dereference and crash\nthe driver causing a black screen."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:37:00.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49"
},
{
"url": "https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614"
}
],
"title": "drm/vmwgfx: Fix KMS with 3D on HW version 10",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23008",
"datePublished": "2026-01-25T14:36:21.933Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:37:00.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22984 (GCVE-0-2026-22984)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cd1a677cad994021b19665ed476aea63f5d54f31 , < 194cfe2af4d2a1de599d39dad636b47c2f6c2c96
(git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 79fe3511db416d2f2edcfd93569807cb02736e5e (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < ef208ea331ef688729f64089b895ed1b49e842e3 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 2d653bb63d598ae4b096dd678744bdcc34ee89e8 (git) Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 818156caffbf55cb4d368f9c3cac64e458fb49c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "194cfe2af4d2a1de599d39dad636b47c2f6c2c96",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "79fe3511db416d2f2edcfd93569807cb02736e5e",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "ef208ea331ef688729f64089b895ed1b49e842e3",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2802ef3380fa8c4a08cda51ec1f085b1a712e9e2",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "2d653bb63d598ae4b096dd678744bdcc34ee89e8",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
},
{
"lessThan": "818156caffbf55cb4d368f9c3cac64e458fb49c9",
"status": "affected",
"version": "cd1a677cad994021b19665ed476aea63f5d54f31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/messenger_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:34.605Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96"
},
{
"url": "https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e"
},
{
"url": "https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3"
},
{
"url": "https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2"
},
{
"url": "https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8"
},
{
"url": "https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9"
}
],
"title": "libceph: prevent potential out-of-bounds reads in handle_auth_done()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22984",
"datePublished": "2026-01-23T15:24:06.245Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:34.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23013 (GCVE-0-2026-23013)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-04-03 13:31
VLAI?
EPSS
Title
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
ioq_vector. If request_irq() fails part-way, the rollback loop calls
free_irq() with dev_id set to 'oct', which does not match the original
dev_id and may leave the irqaction registered.
This can keep IRQ handlers alive while ioq_vector is later freed during
unwind/teardown, leading to a use-after-free or crash when an interrupt
fires.
Fix the error path to free IRQs with the same ioq_vector dev_id used
during request_irq().
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 , < aa05a8371ae4a452df623f7202c72409d3c50e40
(git)
Affected: 1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 , < aa4c066229b05fc3d3c5f42693d25b1828533b6e (git) Affected: 1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 , < f93fc5d12d69012788f82151bee55fce937e1432 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa05a8371ae4a452df623f7202c72409d3c50e40",
"status": "affected",
"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1",
"versionType": "git"
},
{
"lessThan": "aa4c066229b05fc3d3c5f42693d25b1828533b6e",
"status": "affected",
"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1",
"versionType": "git"
},
{
"lessThan": "f93fc5d12d69012788f82151bee55fce937e1432",
"status": "affected",
"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback\n\noctep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to\nioq_vector. If request_irq() fails part-way, the rollback loop calls\nfree_irq() with dev_id set to \u0027oct\u0027, which does not match the original\ndev_id and may leave the irqaction registered.\n\nThis can keep IRQ handlers alive while ioq_vector is later freed during\nunwind/teardown, leading to a use-after-free or crash when an interrupt\nfires.\n\nFix the error path to free IRQs with the same ioq_vector dev_id used\nduring request_irq()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:31:49.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40"
},
{
"url": "https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e"
},
{
"url": "https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432"
}
],
"title": "net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23013",
"datePublished": "2026-01-25T14:36:26.208Z",
"dateReserved": "2026-01-13T15:37:45.940Z",
"dateUpdated": "2026-04-03T13:31:49.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22997 (GCVE-0-2026-22997)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < a73e7d7e346dae1c22dc3e95b02ca464b12daf2c
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < adabf01c19561e42899da9de56a6a1da0e6b8a5b (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < b1d67607e97d489c0cfbbf55f48a76b00710b0e4 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 809a437e27a3bf3c1c6c8c157773635552116f2b (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < cb2a610867bc379988bae0bb4b8bbc59c0decf1a (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 6121b7564c725b632ffe4764abe85aa239d37703 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 1809c82aa073a11b7d335ae932d81ce51a588a4a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a73e7d7e346dae1c22dc3e95b02ca464b12daf2c",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "adabf01c19561e42899da9de56a6a1da0e6b8a5b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "b1d67607e97d489c0cfbbf55f48a76b00710b0e4",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "809a437e27a3bf3c1c6c8c157773635552116f2b",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "cb2a610867bc379988bae0bb4b8bbc59c0decf1a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "6121b7564c725b632ffe4764abe85aa239d37703",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "1809c82aa073a11b7d335ae932d81ce51a588a4a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts\n\nSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is\ncalled only when the timer is enabled, we need to call\nj1939_session_deactivate_activate_next() if we cancelled the timer.\nOtherwise, refcount for j1939_session leaks, which will later appear as\n\n| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.\n\nproblem."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:48.983Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2c"
},
{
"url": "https://git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5b"
},
{
"url": "https://git.kernel.org/stable/c/b1d67607e97d489c0cfbbf55f48a76b00710b0e4"
},
{
"url": "https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b"
},
{
"url": "https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a"
},
{
"url": "https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703"
},
{
"url": "https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a"
}
],
"title": "net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22997",
"datePublished": "2026-01-25T14:36:12.053Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:48.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71157 (GCVE-0-2025-71157)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add
support to add/delete a sub IB device through netlink") grabs a reference
using ib_device_get_by_index() before calling ib_del_sub_device_and_put(),
we need to drop that reference before returning -EOPNOTSUPP error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bca51197620a257e2954be99b16f05115c3b2630 , < 20436f2742a92b7afeb2504eb559a98d2196b001
(git)
Affected: bca51197620a257e2954be99b16f05115c3b2630 , < fe8d456080423b9ed410469fbd1e2098d3acce2b (git) Affected: bca51197620a257e2954be99b16f05115c3b2630 , < fa3c411d21ebc26ffd175c7256c37cefa35020aa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20436f2742a92b7afeb2504eb559a98d2196b001",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
},
{
"lessThan": "fe8d456080423b9ed410469fbd1e2098d3acce2b",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
},
{
"lessThan": "fa3c411d21ebc26ffd175c7256c37cefa35020aa",
"status": "affected",
"version": "bca51197620a257e2954be99b16f05115c3b2630",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: always drop device refcount in ib_del_sub_device_and_put()\n\nSince nldev_deldev() (introduced by commit 060c642b2ab8 (\"RDMA/nldev: Add\nsupport to add/delete a sub IB device through netlink\") grabs a reference\nusing ib_device_get_by_index() before calling ib_del_sub_device_and_put(),\nwe need to drop that reference before returning -EOPNOTSUPP error."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:55.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001"
},
{
"url": "https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b"
},
{
"url": "https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa"
}
],
"title": "RDMA/core: always drop device refcount in ib_del_sub_device_and_put()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71157",
"datePublished": "2026-01-23T14:25:56.458Z",
"dateReserved": "2026-01-13T15:30:19.663Z",
"dateUpdated": "2026-02-09T08:35:55.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71146 (GCVE-0-2025-71146)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
netfilter: nf_conncount: fix leaked ct in error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: fix leaked ct in error paths
There are some situations where ct might be leaked as error paths are
skipping the refcounted check and return immediately. In order to solve
it make sure that the check is always called.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6e86f0eca857ee42787e30e9ec0b726aebfcae0a , < 08fa37f4c8c59c294e9c18fea2d083ee94074e5a
(git)
Affected: b160895d6bc9690459b16ef87799c9bd456af3ec , < e1ac8dce3a893641bef224ad057932f142b8a36f (git) Affected: 8d5a2c94c24dcc226863a7c2b5034750370c2189 , < f381a33f34dda9e4023e38ba68c943bca83245e9 (git) Affected: da9f247fb5efcd5a2730cdc989291b383c439e10 , < 325eb61bb30790ea27782203a17b007ce1754a67 (git) Affected: 3558faee8aace3541189c3a2ca45c7e85e144b44 , < 0b88be7211d21a0d68bb1e56dc805944e3654d6f (git) Affected: f6904ed15ed1a188543057e3cb0d02daa80edfc9 , < 4bd2b89f4028f250dd1c1625eb3da1979b04a5e8 (git) Affected: be102eb6a0e7c03db00e50540622f4e43b2d2844 , < 2e2a720766886190a6d35c116794693aabd332b6 (git) Affected: 8c2da7330214ce30f8333d1799a27ed0a9418f07 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08fa37f4c8c59c294e9c18fea2d083ee94074e5a",
"status": "affected",
"version": "6e86f0eca857ee42787e30e9ec0b726aebfcae0a",
"versionType": "git"
},
{
"lessThan": "e1ac8dce3a893641bef224ad057932f142b8a36f",
"status": "affected",
"version": "b160895d6bc9690459b16ef87799c9bd456af3ec",
"versionType": "git"
},
{
"lessThan": "f381a33f34dda9e4023e38ba68c943bca83245e9",
"status": "affected",
"version": "8d5a2c94c24dcc226863a7c2b5034750370c2189",
"versionType": "git"
},
{
"lessThan": "325eb61bb30790ea27782203a17b007ce1754a67",
"status": "affected",
"version": "da9f247fb5efcd5a2730cdc989291b383c439e10",
"versionType": "git"
},
{
"lessThan": "0b88be7211d21a0d68bb1e56dc805944e3654d6f",
"status": "affected",
"version": "3558faee8aace3541189c3a2ca45c7e85e144b44",
"versionType": "git"
},
{
"lessThan": "4bd2b89f4028f250dd1c1625eb3da1979b04a5e8",
"status": "affected",
"version": "f6904ed15ed1a188543057e3cb0d02daa80edfc9",
"versionType": "git"
},
{
"lessThan": "2e2a720766886190a6d35c116794693aabd332b6",
"status": "affected",
"version": "be102eb6a0e7c03db00e50540622f4e43b2d2844",
"versionType": "git"
},
{
"status": "affected",
"version": "8c2da7330214ce30f8333d1799a27ed0a9418f07",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.64",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.3",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: fix leaked ct in error paths\n\nThere are some situations where ct might be leaked as error paths are\nskipping the refcounted check and return immediately. In order to solve\nit make sure that the check is always called."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:42.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a"
},
{
"url": "https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f"
},
{
"url": "https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9"
},
{
"url": "https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67"
},
{
"url": "https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f"
},
{
"url": "https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8"
},
{
"url": "https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6"
}
],
"title": "netfilter: nf_conncount: fix leaked ct in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71146",
"datePublished": "2026-01-23T14:15:12.998Z",
"dateReserved": "2026-01-13T15:30:19.661Z",
"dateUpdated": "2026-02-09T08:35:42.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23003 (GCVE-0-2026-23003)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].
Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
__ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:318 [inline]
ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core net/core/dev.c:6139 [inline]
__netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
netif_receive_skb_internal net/core/dev.c:6338 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6397
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
__alloc_skb+0x805/0x1040 net/core/skbuff.c:690
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
tun_alloc_skb drivers/net/tun.c:1461 [inline]
tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a9bc32879a08f23cdb80a48c738017e39aea1080 , < f9c5c5b791d3850570796f9e067629474e613796
(git)
Affected: af6b5c50d47ab43e5272ad61935d0ed2e264d3f0 , < 64c71d60a21a9ed0a802483dcd422b5b24eb1abe (git) Affected: d54e4da98bbfa8c257bdca94c49652d81d18a4d8 , < 9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af (git) Affected: 350a6640fac4b53564ec20aa3f4a0922cb0ba5e6 , < 2f03dafea0a8096a2eb60f551218b360e5bab9a3 (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < df5ffde9669314500809bc498ae73d6d3d9519ac (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < b9f915340f25cae1562f18e1eb52deafca328414 (git) Affected: 8d975c15c0cd744000ca386247432d57b21f9df0 , < 81c734dae203757fb3c9eee6f9896386940776bd (git) Affected: c835df3bcc14858ae9b27315dd7de76370b94f3a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9c5c5b791d3850570796f9e067629474e613796",
"status": "affected",
"version": "a9bc32879a08f23cdb80a48c738017e39aea1080",
"versionType": "git"
},
{
"lessThan": "64c71d60a21a9ed0a802483dcd422b5b24eb1abe",
"status": "affected",
"version": "af6b5c50d47ab43e5272ad61935d0ed2e264d3f0",
"versionType": "git"
},
{
"lessThan": "9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af",
"status": "affected",
"version": "d54e4da98bbfa8c257bdca94c49652d81d18a4d8",
"versionType": "git"
},
{
"lessThan": "2f03dafea0a8096a2eb60f551218b360e5bab9a3",
"status": "affected",
"version": "350a6640fac4b53564ec20aa3f4a0922cb0ba5e6",
"versionType": "git"
},
{
"lessThan": "df5ffde9669314500809bc498ae73d6d3d9519ac",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "b9f915340f25cae1562f18e1eb52deafca328414",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"lessThan": "81c734dae203757fb3c9eee6f9896386940776bd",
"status": "affected",
"version": "8d975c15c0cd744000ca386247432d57b21f9df0",
"versionType": "git"
},
{
"status": "affected",
"version": "c835df3bcc14858ae9b27315dd7de76370b94f3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:55.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9c5c5b791d3850570796f9e067629474e613796"
},
{
"url": "https://git.kernel.org/stable/c/64c71d60a21a9ed0a802483dcd422b5b24eb1abe"
},
{
"url": "https://git.kernel.org/stable/c/9e1c8c2a33d0a7b1f637b5d0602fe56ed10166af"
},
{
"url": "https://git.kernel.org/stable/c/2f03dafea0a8096a2eb60f551218b360e5bab9a3"
},
{
"url": "https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac"
},
{
"url": "https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414"
},
{
"url": "https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd"
}
],
"title": "ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23003",
"datePublished": "2026-01-25T14:36:17.491Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:36:55.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71154 (GCVE-0-2025-71154)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:25 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < a4e2442d3c48355a84463342f397134f149936d7
(git)
Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 2f966186b99550e3c665dbfb87b8314e30acea02 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < db2244c580540306d60ce783ed340190720cd429 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 4bd4ea3eb326608ffc296db12c105f92dc2f2190 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 6492ad6439ff1a479fc94dc6052df3628faed8b6 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 151403e903840c9cf06754097b6732c14f26c532 (git) Affected: 4d12997a9bb3d217ad4b925ec3074ec89364bf95 , < 12cab1191d9890097171156d06bfa8d31f1e39c8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4e2442d3c48355a84463342f397134f149936d7",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "2f966186b99550e3c665dbfb87b8314e30acea02",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "db2244c580540306d60ce783ed340190720cd429",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "4bd4ea3eb326608ffc296db12c105f92dc2f2190",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "6492ad6439ff1a479fc94dc6052df3628faed8b6",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "151403e903840c9cf06754097b6732c14f26c532",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
},
{
"lessThan": "12cab1191d9890097171156d06bfa8d31f1e39c8",
"status": "affected",
"version": "4d12997a9bb3d217ad4b925ec3074ec89364bf95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rtl8150.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:52.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7"
},
{
"url": "https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02"
},
{
"url": "https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429"
},
{
"url": "https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190"
},
{
"url": "https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6"
},
{
"url": "https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532"
},
{
"url": "https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8"
}
],
"title": "net: usb: rtl8150: fix memory leak on usb_submit_urb() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71154",
"datePublished": "2026-01-23T14:25:53.818Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:52.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71162 (GCVE-0-2025-71162)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
dmaengine: tegra-adma: Fix use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra-adma: Fix use-after-free
A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the
completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which
frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete()
which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.
Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls
vchan_synchronize() which kills any pending tasklets and frees any
terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f46b195799b5cb05338e7c44cb3617eacb56d755 , < 5f8d1d66a952d0396671e1f21ff8127a4d14fb4e
(git)
Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 76992310f80776b4d1f7f8915f59b92883a3e44c (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < ae3eed72de682ddbba507ed2d6b848c21a6b721e (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 59cb421b0902fbef2b9512ae8ba198a20f26b41f (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < be655c3736b3546f39bc8116ffbf2a3b6cac96c4 (git) Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 2efd07a7c36949e6fa36a69183df24d368bf9e96 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f8d1d66a952d0396671e1f21ff8127a4d14fb4e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "76992310f80776b4d1f7f8915f59b92883a3e44c",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "ae3eed72de682ddbba507ed2d6b848c21a6b721e",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "59cb421b0902fbef2b9512ae8ba198a20f26b41f",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "be655c3736b3546f39bc8116ffbf2a3b6cac96c4",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
},
{
"lessThan": "2efd07a7c36949e6fa36a69183df24d368bf9e96",
"status": "affected",
"version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra210-adma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n 1. DMA transfer completes, triggering an interrupt that schedules the\n completion tasklet (tasklet has not executed yet)\n 2. Audio playback stops, calling tegra_adma_terminate_all() which\n frees the DMA buffer memory via kfree()\n 3. The scheduled tasklet finally executes, calling vchan_complete()\n which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n vchan_synchronize() which kills any pending tasklets and frees any\n terminated descriptors.\n\nCrash logs:\n[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[ 337.427562] Call trace:\n[ 337.427564] dump_backtrace+0x0/0x320\n[ 337.427571] show_stack+0x20/0x30\n[ 337.427575] dump_stack_lvl+0x68/0x84\n[ 337.427584] print_address_description.constprop.0+0x74/0x2b8\n[ 337.427590] kasan_report+0x1f4/0x210\n[ 337.427598] __asan_load8+0xa0/0xd0\n[ 337.427603] vchan_complete+0x124/0x3b0\n[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0\n[ 337.427617] tasklet_action+0x30/0x40\n[ 337.427623] __do_softirq+0x1a0/0x5c4\n[ 337.427628] irq_exit+0x110/0x140\n[ 337.427633] handle_domain_irq+0xa4/0xe0\n[ 337.427640] gic_handle_irq+0x64/0x160\n[ 337.427644] call_on_irq_stack+0x20/0x4c\n[ 337.427649] do_interrupt_handler+0x7c/0x90\n[ 337.427654] el1_interrupt+0x30/0x80\n[ 337.427659] el1h_64_irq_handler+0x18/0x30\n[ 337.427663] el1h_64_irq+0x7c/0x80\n[ 337.427667] cpuidle_enter_state+0xe4/0x540\n[ 337.427674] cpuidle_enter+0x54/0x80\n[ 337.427679] do_idle+0x2e0/0x380\n[ 337.427685] cpu_startup_entry+0x2c/0x70\n[ 337.427690] rest_init+0x114/0x130\n[ 337.427695] arch_call_rest_init+0x18/0x24\n[ 337.427702] start_kernel+0x380/0x3b4\n[ 337.427706] __primary_switched+0xc0/0xc8"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:00.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"
},
{
"url": "https://git.kernel.org/stable/c/76992310f80776b4d1f7f8915f59b92883a3e44c"
},
{
"url": "https://git.kernel.org/stable/c/ae3eed72de682ddbba507ed2d6b848c21a6b721e"
},
{
"url": "https://git.kernel.org/stable/c/59cb421b0902fbef2b9512ae8ba198a20f26b41f"
},
{
"url": "https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"
},
{
"url": "https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"
},
{
"url": "https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"
}
],
"title": "dmaengine: tegra-adma: Fix use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71162",
"datePublished": "2026-01-25T14:36:09.029Z",
"dateReserved": "2026-01-13T15:30:19.666Z",
"dateUpdated": "2026-02-09T08:36:00.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22978 (GCVE-0-2026-22978)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
wifi: avoid kernel-infoleak from struct iw_point
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d943b5f592767b107ba8c12a902f17431350378c
(git)
Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < a3827e310b5a73535646ef4a552d53b3c8bf74f6 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 442ceac0393185e9982323f6682a52a53e8462b1 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 024f71a57d563fbe162e528c8bf2d27e9cac7c7b (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < e3c35177103ead4658b8a62f41e3080d45885464 (git) Affected: 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 , < 21cbf883d073abbfe09e3924466aa5e0449e7261 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d943b5f592767b107ba8c12a902f17431350378c",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "a3827e310b5a73535646ef4a552d53b3c8bf74f6",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "442ceac0393185e9982323f6682a52a53e8462b1",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "024f71a57d563fbe162e528c8bf2d27e9cac7c7b",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "e3c35177103ead4658b8a62f41e3080d45885464",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
},
{
"lessThan": "21cbf883d073abbfe09e3924466aa5e0449e7261",
"status": "affected",
"version": "87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/wext-core.c",
"net/wireless/wext-priv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n void __user *pointer; /* Pointer to the data (in user space) */\n __u16 length; /* number of fields or size in bytes */\n __u16 flags; /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:28.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c"
},
{
"url": "https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6"
},
{
"url": "https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1"
},
{
"url": "https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8"
},
{
"url": "https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b"
},
{
"url": "https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464"
},
{
"url": "https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261"
}
],
"title": "wifi: avoid kernel-infoleak from struct iw_point",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22978",
"datePublished": "2026-01-23T15:24:00.482Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-02-09T08:36:28.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71150 (GCVE-0-2025-71150)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
ksmbd: Fix refcount leak when invalid session is found on session lookup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix refcount leak when invalid session is found on session lookup
When a session is found but its state is not SMB2_SESSION_VALID, It
indicates that no valid session was found, but it is missing to decrement
the reference count acquired by the session lookup, which results in
a reference count leak. This patch fixes the issue by explicitly calling
ksmbd_user_session_put to release the reference to the session.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
37a0e2b362b3150317fb6e2139de67b1e29ae5ff , < 0fb87b28cafae71e9c8248432cc3a6a1fd759efc
(git)
Affected: 450a844c045ff0895d41b05a1cbe8febd1acfcfd , < e54fb2a4772545701766cba08aab20de5eace8cd (git) Affected: a39e31e22a535d47b14656a7d6a893c7f6cf758c , < 02e06785e85b4bd86ef3d23b7c8d87acc76773d5 (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < 8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 (git) Affected: b95629435b84b9ecc0c765995204a4d8a913ed52 , < cafb57f7bdd57abba87725eb4e82bbdca4959644 (git) Affected: 2107ab40629aeabbec369cf34b8cf0f288c3eb1b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fb87b28cafae71e9c8248432cc3a6a1fd759efc",
"status": "affected",
"version": "37a0e2b362b3150317fb6e2139de67b1e29ae5ff",
"versionType": "git"
},
{
"lessThan": "e54fb2a4772545701766cba08aab20de5eace8cd",
"status": "affected",
"version": "450a844c045ff0895d41b05a1cbe8febd1acfcfd",
"versionType": "git"
},
{
"lessThan": "02e06785e85b4bd86ef3d23b7c8d87acc76773d5",
"status": "affected",
"version": "a39e31e22a535d47b14656a7d6a893c7f6cf758c",
"versionType": "git"
},
{
"lessThan": "8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"lessThan": "cafb57f7bdd57abba87725eb4e82bbdca4959644",
"status": "affected",
"version": "b95629435b84b9ecc0c765995204a4d8a913ed52",
"versionType": "git"
},
{
"status": "affected",
"version": "2107ab40629aeabbec369cf34b8cf0f288c3eb1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.176",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix refcount leak when invalid session is found on session lookup\n\nWhen a session is found but its state is not SMB2_SESSION_VALID, It\nindicates that no valid session was found, but it is missing to decrement\nthe reference count acquired by the session lookup, which results in\na reference count leak. This patch fixes the issue by explicitly calling\nksmbd_user_session_put to release the reference to the session."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:47.327Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc"
},
{
"url": "https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd"
},
{
"url": "https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5"
},
{
"url": "https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7"
},
{
"url": "https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644"
}
],
"title": "ksmbd: Fix refcount leak when invalid session is found on session lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71150",
"datePublished": "2026-01-23T14:15:16.898Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:47.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22981 (GCVE-0-2026-22981)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-04-02 11:30
VLAI?
EPSS
Title
idpf: detach and close netdevs while handling a reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: detach and close netdevs while handling a reset
Protect the reset path from callbacks by setting the netdevs to detached
state and close any netdevs in UP state until the reset handling has
completed. During a reset, the driver will de-allocate resources for the
vport, and there is no guarantee that those will recover, which is why the
existing vport_ctrl_lock does not provide sufficient protection.
idpf_detach_and_close() is called right before reset handling. If the
reset handling succeeds, the netdevs state is recovered via call to
idpf_attach_and_open(). If the reset handling fails the netdevs remain
down. The detach/down calls are protected with RTNL lock to avoid racing
with callbacks. On the recovery side the attach can be done without
holding the RTNL lock as there are no callbacks expected at that point,
due to detach/close always being done first in that flow.
The previous logic restoring the netdevs state based on the
IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence
the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is
still being used to restore the state of the netdevs following the reset,
but has no use outside of the reset handling flow.
idpf_init_hard_reset() is converted to void, since it was used as such and
there is no error handling being done based on its return value.
Before this change, invoking hard and soft resets simultaneously will
cause the driver to lose the vport state:
ip -br a
<inf> UP
echo 1 > /sys/class/net/ens801f0/device/reset& \
ethtool -L ens801f0 combined 8
ip -br a
<inf> DOWN
ip link set <inf> up
ip -br a
<inf> DOWN
Also in case of a failure in the reset path, the netdev is left
exposed to external callbacks, while vport resources are not
initialized, leading to a crash on subsequent ifup/down:
[408471.398966] idpf 0000:83:00.0: HW reset detected
[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated
[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2
[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078
[408508.126112] #PF: supervisor read access in kernel mode
[408508.126687] #PF: error_code(0x0000) - not-present page
[408508.127256] PGD 2aae2f067 P4D 0
[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI
...
[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]
...
[408508.139193] Call Trace:
[408508.139637] <TASK>
[408508.140077] __dev_close_many+0xbb/0x260
[408508.140533] __dev_change_flags+0x1cf/0x280
[408508.140987] netif_change_flags+0x26/0x70
[408508.141434] dev_change_flags+0x3d/0xb0
[408508.141878] devinet_ioctl+0x460/0x890
[408508.142321] inet_ioctl+0x18e/0x1d0
[408508.142762] ? _copy_to_user+0x22/0x70
[408508.143207] sock_do_ioctl+0x3d/0xe0
[408508.143652] sock_ioctl+0x10e/0x330
[408508.144091] ? find_held_lock+0x2b/0x80
[408508.144537] __x64_sys_ioctl+0x96/0xe0
[408508.144979] do_syscall_64+0x79/0x3d0
[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[408508.145860] RIP: 0033:0x7f3e0bb4caff
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97
(git)
Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < ac122f5fb050903b3d262001562c452be95eaf70 (git) Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "ac122f5fb050903b3d262001562c452be95eaf70",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "2e281e1155fc476c571c0bd2ffbfe28ab829a5c3",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n\u003cinf\u003e\tUP\necho 1 \u003e /sys/class/net/ens801f0/device/reset\u0026 \\\nethtool -L ens801f0 combined 8\nip -br a\n\u003cinf\u003e\tDOWN\nip link set \u003cinf\u003e up\nip -br a\n\u003cinf\u003e\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device\u0027s firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637] \u003cTASK\u003e\n[408508.140077] __dev_close_many+0xbb/0x260\n[408508.140533] __dev_change_flags+0x1cf/0x280\n[408508.140987] netif_change_flags+0x26/0x70\n[408508.141434] dev_change_flags+0x3d/0xb0\n[408508.141878] devinet_ioctl+0x460/0x890\n[408508.142321] inet_ioctl+0x18e/0x1d0\n[408508.142762] ? _copy_to_user+0x22/0x70\n[408508.143207] sock_do_ioctl+0x3d/0xe0\n[408508.143652] sock_ioctl+0x10e/0x330\n[408508.144091] ? find_held_lock+0x2b/0x80\n[408508.144537] __x64_sys_ioctl+0x96/0xe0\n[408508.144979] do_syscall_64+0x79/0x3d0\n[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:47.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97"
},
{
"url": "https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70"
},
{
"url": "https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3"
}
],
"title": "idpf: detach and close netdevs while handling a reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22981",
"datePublished": "2026-01-23T15:24:03.772Z",
"dateReserved": "2026-01-13T15:37:45.936Z",
"dateUpdated": "2026-04-02T11:30:47.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22995 (GCVE-0-2026-22995)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
ublk: fix use-after-free in ublk_partition_scan_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix use-after-free in ublk_partition_scan_work
A race condition exists between the async partition scan work and device
teardown that can lead to a use-after-free of ub->ub_disk:
1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
- del_gendisk(ub->ub_disk)
- ublk_detach_disk() sets ub->ub_disk = NULL
- put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk
leading to UAF
Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold
a reference to the disk during the partition scan. The spinlock in
ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker
either gets a valid reference or sees NULL and exits early.
Also change flush_work() to cancel_work_sync() to avoid running the
partition scan work unnecessarily when the disk is already detached.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72e28774e9644c2bdbb4920842fbf77103a15a85",
"status": "affected",
"version": "63dfbcd59b4b823eac4441efff10b1c303c8f49f",
"versionType": "git"
},
{
"lessThan": "f0d385f6689f37a2828c686fb279121df006b4cb",
"status": "affected",
"version": "7fc4da6a304bdcd3de14fc946dc2c19437a9cc5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.6",
"status": "affected",
"version": "6.18.4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.18.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix use-after-free in ublk_partition_scan_work\n\nA race condition exists between the async partition scan work and device\nteardown that can lead to a use-after-free of ub-\u003eub_disk:\n\n1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()\n2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:\n - del_gendisk(ub-\u003eub_disk)\n - ublk_detach_disk() sets ub-\u003eub_disk = NULL\n - put_disk() which may free the disk\n3. The worker ublk_partition_scan_work() then dereferences ub-\u003eub_disk\n leading to UAF\n\nFix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold\na reference to the disk during the partition scan. The spinlock in\nublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker\neither gets a valid reference or sees NULL and exits early.\n\nAlso change flush_work() to cancel_work_sync() to avoid running the\npartition scan work unnecessarily when the disk is already detached."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:46.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85"
},
{
"url": "https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb"
}
],
"title": "ublk: fix use-after-free in ublk_partition_scan_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22995",
"datePublished": "2026-01-23T15:24:15.684Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:46.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23000 (GCVE-0-2026-23000)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/mlx5e: Fix crash on profile change rollback failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix crash on profile change rollback failure
mlx5e_netdev_change_profile can fail to attach a new profile and can
fail to rollback to old profile, in such case, we could end up with a
dangling netdev with a fully reset netdev_priv. A retry to change
profile, e.g. another attempt to call mlx5e_netdev_change_profile via
switchdev mode change, will crash trying to access the now NULL
priv->mdev.
This fix allows mlx5e_netdev_change_profile() to handle previous
failures and an empty priv, by not assuming priv is valid.
Pass netdev and mdev to all flows requiring
mlx5e_netdev_change_profile() and avoid passing priv.
In mlx5e_netdev_change_profile() check if current priv is valid, and if
not, just attach the new profile without trying to access the old one.
This fixes the following oops, when enabling switchdev mode for the 2nd
time after first time failure:
## Enabling switchdev mode first time:
mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
^^^^^^^^
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
## retry: Enabling switchdev mode 2nd time:
mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
RSP: 0018:ffffc90000673890 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_netdev_change_profile+0x45/0xb0
mlx5e_vport_rep_load+0x27b/0x2d0
mlx5_esw_offloads_rep_load+0x72/0xf0
esw_offloads_enable+0x5d0/0x970
mlx5_eswitch_enable_locked+0x349/0x430
? is_mp_supported+0x57/0xb0
mlx5_devlink_eswitch_mode_set+0x26b/0x430
devlink_nl_eswitch_set_doit+0x6f/0xf0
genl_family_rcv_msg_doit+0xe8/0x140
genl_rcv_msg+0x18b/0x290
? __pfx_devlink_nl_pre_doit+0x10/0x10
? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
? __pfx_devlink_nl_post_doit+0x10/0x10
? __pfx_genl_rcv_msg+0x10/0x10
netlink_rcv_skb+0x52/0x100
genl_rcv+0x28/0x40
netlink_unicast+0x282/0x3e0
? __alloc_skb+0xd6/0x190
netlink_sendmsg+0x1f7/0x430
__sys_sendto+0x213/0x220
? __sys_recvmsg+0x6a/0xd0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x50/0x1f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdfb8495047
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c4d7eb57687f358cd498ea3624519236af8db97e , < dad52950b409d6923880d65a4cddb383286e17d2
(git)
Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < e05b8084a20f6bd5827d338c928e5e0fcbafa496 (git) Affected: c4d7eb57687f358cd498ea3624519236af8db97e , < 4dadc4077e3f77d6d31e199a925fc7a705e7adeb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dad52950b409d6923880d65a4cddb383286e17d2",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "e05b8084a20f6bd5827d338c928e5e0fcbafa496",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
},
{
"lessThan": "4dadc4077e3f77d6d31e199a925fc7a705e7adeb",
"status": "affected",
"version": "c4d7eb57687f358cd498ea3624519236af8db97e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en.h",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash on profile change rollback failure\n\nmlx5e_netdev_change_profile can fail to attach a new profile and can\nfail to rollback to old profile, in such case, we could end up with a\ndangling netdev with a fully reset netdev_priv. A retry to change\nprofile, e.g. another attempt to call mlx5e_netdev_change_profile via\nswitchdev mode change, will crash trying to access the now NULL\npriv-\u003emdev.\n\nThis fix allows mlx5e_netdev_change_profile() to handle previous\nfailures and an empty priv, by not assuming priv is valid.\n\nPass netdev and mdev to all flows requiring\nmlx5e_netdev_change_profile() and avoid passing priv.\nIn mlx5e_netdev_change_profile() check if current priv is valid, and if\nnot, just attach the new profile without trying to access the old one.\n\nThis fixes the following oops, when enabling switchdev mode for the 2nd\ntime after first time failure:\n\n ## Enabling switchdev mode first time:\n\nmlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n ^^^^^^^^\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\n\n ## retry: Enabling switchdev mode 2nd time:\n\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nBUG: kernel NULL pointer dereference, address: 0000000000000038\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_detach_netdev+0x3c/0x90\nCode: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 \u003c48\u003e 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07\nRSP: 0018:ffffc90000673890 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000\nRDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000\nR10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000\nR13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000\nFS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n mlx5e_netdev_change_profile+0x45/0xb0\n mlx5e_vport_rep_load+0x27b/0x2d0\n mlx5_esw_offloads_rep_load+0x72/0xf0\n esw_offloads_enable+0x5d0/0x970\n mlx5_eswitch_enable_locked+0x349/0x430\n ? is_mp_supported+0x57/0xb0\n mlx5_devlink_eswitch_mode_set+0x26b/0x430\n devlink_nl_eswitch_set_doit+0x6f/0xf0\n genl_family_rcv_msg_doit+0xe8/0x140\n genl_rcv_msg+0x18b/0x290\n ? __pfx_devlink_nl_pre_doit+0x10/0x10\n ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n ? __pfx_devlink_nl_post_doit+0x10/0x10\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x52/0x100\n genl_rcv+0x28/0x40\n netlink_unicast+0x282/0x3e0\n ? __alloc_skb+0xd6/0x190\n netlink_sendmsg+0x1f7/0x430\n __sys_sendto+0x213/0x220\n ? __sys_recvmsg+0x6a/0xd0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdfb8495047"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:52.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2"
},
{
"url": "https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496"
},
{
"url": "https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb"
}
],
"title": "net/mlx5e: Fix crash on profile change rollback failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23000",
"datePublished": "2026-01-25T14:36:14.854Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:52.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23007 (GCVE-0-2026-23007)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
block: zero non-PI portion of auto integrity buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: zero non-PI portion of auto integrity buffer
The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.
Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bio-integrity-auto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6072557b90e0c557df319a56f4a9dc482706d2c",
"status": "affected",
"version": "c546d6f438338017480d105ab597292da67f6f6a",
"versionType": "git"
},
{
"lessThan": "ca22c566b89164f6e670af56ecc45f47ef3df819",
"status": "affected",
"version": "c546d6f438338017480d105ab597292da67f6f6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bio-integrity-auto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: zero non-PI portion of auto integrity buffer\n\nThe auto-generated integrity buffer for writes needs to be fully\ninitialized before being passed to the underlying block device,\notherwise the uninitialized memory can be read back by userspace or\nanyone with physical access to the storage device. If protection\ninformation is generated, that portion of the integrity buffer is\nalready initialized. The integrity data is also zeroed if PI generation\nis disabled via sysfs or the PI tuple size is 0. However, this misses\nthe case where PI is generated and the PI tuple size is nonzero, but the\nmetadata size is larger than the PI tuple. In this case, the remainder\n(\"opaque\") of the metadata is left uninitialized.\nGeneralize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the\nmetadata is larger than just the PI tuple."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:59.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c"
},
{
"url": "https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819"
}
],
"title": "block: zero non-PI portion of auto integrity buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23007",
"datePublished": "2026-01-25T14:36:20.731Z",
"dateReserved": "2026-01-13T15:37:45.939Z",
"dateUpdated": "2026-02-09T08:36:59.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71149 (GCVE-0-2025-71149)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
io_uring/poll: correctly handle io_poll_add() return value on update
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: correctly handle io_poll_add() return value on update
When the core of io_uring was updated to handle completions
consistently and with fixed return codes, the POLL_REMOVE opcode
with updates got slightly broken. If a POLL_ADD is pending and
then POLL_REMOVE is used to update the events of that request, if that
update causes the POLL_ADD to now trigger, then that completion is lost
and a CQE is never posted.
Additionally, ensure that if an update does cause an existing POLL_ADD
to complete, that the completion value isn't always overwritten with
-ECANCELED. For that case, whatever io_poll_add() set the value to
should just be retained.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
97b388d70b53fd7d286ac1b81e5a88bd6af98209 , < 8b777ab48441b153502772ecfc78c107d4353f29
(git)
Affected: 97b388d70b53fd7d286ac1b81e5a88bd6af98209 , < 0126560370ed5217958b85657b590ad25e8b9c00 (git) Affected: 97b388d70b53fd7d286ac1b81e5a88bd6af98209 , < c1669c03bfbc2a9b5ebff4428eecebe734c646fe (git) Affected: 97b388d70b53fd7d286ac1b81e5a88bd6af98209 , < 13a8f7b88c2d40c6b33f6216190478dda95d385f (git) Affected: 97b388d70b53fd7d286ac1b81e5a88bd6af98209 , < 84230ad2d2afbf0c44c32967e525c0ad92e26b4e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/poll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b777ab48441b153502772ecfc78c107d4353f29",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "0126560370ed5217958b85657b590ad25e8b9c00",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "c1669c03bfbc2a9b5ebff4428eecebe734c646fe",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "13a8f7b88c2d40c6b33f6216190478dda95d385f",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
},
{
"lessThan": "84230ad2d2afbf0c44c32967e525c0ad92e26b4e",
"status": "affected",
"version": "97b388d70b53fd7d286ac1b81e5a88bd6af98209",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/poll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: correctly handle io_poll_add() return value on update\n\nWhen the core of io_uring was updated to handle completions\nconsistently and with fixed return codes, the POLL_REMOVE opcode\nwith updates got slightly broken. If a POLL_ADD is pending and\nthen POLL_REMOVE is used to update the events of that request, if that\nupdate causes the POLL_ADD to now trigger, then that completion is lost\nand a CQE is never posted.\n\nAdditionally, ensure that if an update does cause an existing POLL_ADD\nto complete, that the completion value isn\u0027t always overwritten with\n-ECANCELED. For that case, whatever io_poll_add() set the value to\nshould just be retained."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:46.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29"
},
{
"url": "https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00"
},
{
"url": "https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe"
},
{
"url": "https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f"
},
{
"url": "https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e"
}
],
"title": "io_uring/poll: correctly handle io_poll_add() return value on update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71149",
"datePublished": "2026-01-23T14:15:15.878Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:46.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71159 (GCVE-0-2025-71159)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:23 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()
Previously, btrfs_get_or_create_delayed_node() set the delayed_node's
refcount before acquiring the root->delayed_nodes lock.
Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes")
moved refcount_set inside the critical section, which means there is
no longer a memory barrier between setting the refcount and setting
btrfs_inode->delayed_node.
Without that barrier, the stores to node->refs and
btrfs_inode->delayed_node may become visible out of order. Another
thread can then read btrfs_inode->delayed_node and attempt to
increment a refcount that hasn't been set yet, leading to a
refcounting bug and a use-after-free warning.
The fix is to move refcount_set back to where it was to take
advantage of the implicit memory barrier provided by lock
acquisition.
Because the allocations now happen outside of the lock's critical
section, they can use GFP_NOFS instead of GFP_ATOMIC.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8385851a5435f4006281828d428e5d0b0bbf8af",
"status": "affected",
"version": "e8513c012de75fd65e2df5499572bc6ef3f6e409",
"versionType": "git"
},
{
"lessThan": "83f59076a1ae6f5c6845d6f7ed3a1a373d883684",
"status": "affected",
"version": "e8513c012de75fd65e2df5499572bc6ef3f6e409",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()\n\nPreviously, btrfs_get_or_create_delayed_node() set the delayed_node\u0027s\nrefcount before acquiring the root-\u003edelayed_nodes lock.\nCommit e8513c012de7 (\"btrfs: implement ref_tracker for delayed_nodes\")\nmoved refcount_set inside the critical section, which means there is\nno longer a memory barrier between setting the refcount and setting\nbtrfs_inode-\u003edelayed_node.\n\nWithout that barrier, the stores to node-\u003erefs and\nbtrfs_inode-\u003edelayed_node may become visible out of order. Another\nthread can then read btrfs_inode-\u003edelayed_node and attempt to\nincrement a refcount that hasn\u0027t been set yet, leading to a\nrefcounting bug and a use-after-free warning.\n\nThe fix is to move refcount_set back to where it was to take\nadvantage of the implicit memory barrier provided by lock\nacquisition.\n\nBecause the allocations now happen outside of the lock\u0027s critical\nsection, they can use GFP_NOFS instead of GFP_ATOMIC."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:57.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af"
},
{
"url": "https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684"
}
],
"title": "btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71159",
"datePublished": "2026-01-23T15:23:57.824Z",
"dateReserved": "2026-01-13T15:30:19.665Z",
"dateUpdated": "2026-02-09T08:35:57.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71151 (GCVE-0-2025-71151)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:15 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
cifs: Fix memory and information leak in smb3_reconfigure()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
880a661e67648a3ffe85405e8de5f50650a3c0b2 , < bc390b2737205163e48cc1655f6a0c8cd55b02fc
(git)
Affected: 0e4145774c016530bf99afb3675a1a0593c35642 , < 5679cc90bb5415801fa29041da0319d9e15d295d (git) Affected: 0f0e357902957fba28ed31bde0d6921c6bd1485d , < bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 (git) Affected: 0f0e357902957fba28ed31bde0d6921c6bd1485d , < cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d (git) Affected: 674ba43944dab8e8f87434e25d9d10c5152584bc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc390b2737205163e48cc1655f6a0c8cd55b02fc",
"status": "affected",
"version": "880a661e67648a3ffe85405e8de5f50650a3c0b2",
"versionType": "git"
},
{
"lessThan": "5679cc90bb5415801fa29041da0319d9e15d295d",
"status": "affected",
"version": "0e4145774c016530bf99afb3675a1a0593c35642",
"versionType": "git"
},
{
"lessThan": "bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"lessThan": "cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d",
"status": "affected",
"version": "0f0e357902957fba28ed31bde0d6921c6bd1485d",
"versionType": "git"
},
{
"status": "affected",
"version": "674ba43944dab8e8f87434e25d9d10c5152584bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory and information leak in smb3_reconfigure()\n\nIn smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the\nfunction returns immediately without freeing and erasing the newly\nallocated new_password and new_password2. This causes both a memory leak\nand a potential information leak.\n\nFix this by calling kfree_sensitive() on both password buffers before\nreturning in this error case."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:48.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc"
},
{
"url": "https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d"
},
{
"url": "https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6"
},
{
"url": "https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d"
}
],
"title": "cifs: Fix memory and information leak in smb3_reconfigure()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71151",
"datePublished": "2026-01-23T14:15:17.916Z",
"dateReserved": "2026-01-13T15:30:19.662Z",
"dateUpdated": "2026-02-09T08:35:48.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22987 (GCVE-0-2026-22987)
Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
syzbot reported a crash in tc_act_in_hw() during netns teardown where
tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action
pointer, leading to an invalid dereference.
Guard against ERR_PTR entries when iterating the action IDR so teardown
does not call tc_act_in_hw() on an error pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67550a1130b647bb0d093c9c0a810c69aa6a30a8",
"status": "affected",
"version": "84a7d6797e6a03705e6b48c613fa424662049d87",
"versionType": "git"
},
{
"lessThan": "adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c",
"status": "affected",
"version": "84a7d6797e6a03705e6b48c613fa424662049d87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy\n\nsyzbot reported a crash in tc_act_in_hw() during netns teardown where\ntcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action\npointer, leading to an invalid dereference.\n\nGuard against ERR_PTR entries when iterating the action IDR so teardown\ndoes not call tc_act_in_hw() on an error pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:37.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8"
},
{
"url": "https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c"
}
],
"title": "net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22987",
"datePublished": "2026-01-23T15:24:08.865Z",
"dateReserved": "2026-01-13T15:37:45.937Z",
"dateUpdated": "2026-02-09T08:36:37.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…