Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2026-0614
Vulnerability from csaf_certbund - Published: 2026-03-04 23:00 - Updated: 2026-03-04 23:00Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service-Bedingung führen oder eine Speicherbeschädigung verursachen können.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service-Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0614 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0614.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0614 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0614"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71238",
"url": "https://lore.kernel.org/linux-cve-announce/2026030437-CVE-2025-71238-76bc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23231",
"url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23231-1a96@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23232",
"url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23232-b24d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23233",
"url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23233-4413@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23234",
"url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23234-5cef@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23235",
"url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23235-3b8d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23236",
"url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23236-b419@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23237",
"url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23237-f6fb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23238",
"url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/"
},
{
"category": "external",
"summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2026-03-05",
"url": "https://msrc.microsoft.com/update-guide/"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-04T23:00:00.000+00:00",
"generator": {
"date": "2026-03-05T12:12:29.010+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0614",
"initial_release_date": "2026-03-04T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-03-04T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "azl3",
"product": {
"name": "Microsoft Azure Linux azl3",
"product_id": "T049210",
"product_identification_helper": {
"cpe": "cpe:/o:microsoft:azure_linux:azl3"
}
}
}
],
"category": "product_name",
"name": "Azure Linux"
}
],
"category": "vendor",
"name": "Microsoft"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T051452",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-71238",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2025-71238"
},
{
"cve": "CVE-2026-23231",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23231"
},
{
"cve": "CVE-2026-23232",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23232"
},
{
"cve": "CVE-2026-23233",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23233"
},
{
"cve": "CVE-2026-23234",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23234"
},
{
"cve": "CVE-2026-23235",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23235"
},
{
"cve": "CVE-2026-23236",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23236"
},
{
"cve": "CVE-2026-23237",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23237"
},
{
"cve": "CVE-2026-23238",
"product_status": {
"known_affected": [
"T049210",
"T051452"
]
},
"release_date": "2026-03-04T23:00:00.000+00:00",
"title": "CVE-2026-23238"
}
]
}
CVE-2026-23233 (GCVE-0-2026-23233)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-04 14:36
VLAI?
EPSS
Title
f2fs: fix to avoid mapping wrong physical block for swapfile
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid mapping wrong physical block for swapfile
Xiaolong Guo reported a f2fs bug in bugzilla [1]
[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951
Quoted:
"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,
the system experiences data corruption leading to either:
1 dm-verity corruption errors and device reboot
2 F2FS node corruption errors and boot hangs
The issue occurs specifically when:
1 Using F2FS filesystem (ext4 is unaffected)
2 Swapfile size is less than F2FS section size (2MB)
3 Swapfile has fragmented physical layout (multiple non-contiguous extents)
4 Kernel version is 6.6+ (6.1 is unaffected)
The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the
first extent of a small swapfile (< 2MB) is not aligned to section boundaries,
the function incorrectly treats it as the last extent, failing to map
subsequent extents. This results in incorrect swap_extent creation where only
the first extent is mapped, causing subsequent swap writes to overwrite wrong
physical locations (other files' data).
Steps to Reproduce
1 Setup a device with F2FS-formatted userdata partition
2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng
3 Run swap stress test: (Android devices)
adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60
--swap 0"
Log:
1 Ftrace shows in kernel 6.6, only first extent is mapped during second
f2fs_map_blocks call in check_swap_activate():
stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start
blkaddr=0x43143, len=0x1
(Only 4KB mapped, not the full swapfile)
2 in kernel 6.1, both extents are correctly mapped:
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start
blkaddr=0x13cd4, len=0x1
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start
blkaddr=0x60c84b, len=0xff
The problematic code is in check_swap_activate():
if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
nr_pblocks % blks_per_sec ||
!f2fs_valid_pinned_area(sbi, pblock)) {
bool last_extent = false;
not_aligned++;
nr_pblocks = roundup(nr_pblocks, blks_per_sec);
if (cur_lblock + nr_pblocks > sis->max)
nr_pblocks -= blks_per_sec;
/* this extent is last one */
if (!nr_pblocks) {
nr_pblocks = last_lblock - cur_lblock;
last_extent = true;
}
ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);
if (ret) {
if (ret == -ENOENT)
ret = -EINVAL;
goto out;
}
if (!last_extent)
goto retry;
}
When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)
exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The
code then incorrectly assumes this is the last extent, sets nr_pblocks =
last_lblock - cur_lblock (entire swapfile), and performs migration. After
migration, it doesn't retry mapping, so subsequent extents are never processed.
"
In order to fix this issue, we need to lookup block mapping info after
we migrate all blocks in the tail of swapfile.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
40d76c393cca83938b11eb7ca8983aa3cd0ed69b , < d4534a7f6c92baaf7e12a45fc6e37332cafafc33
(git)
Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 1ff415eef513bf12deb058fc50d57788c46c48e6 (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < fee27b69dde1a05908b350eea42937af2387c4fe (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 607cb9d83838d2cd9f0406c2403ed61aadf0edff (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4534a7f6c92baaf7e12a45fc6e37332cafafc33",
"status": "affected",
"version": "40d76c393cca83938b11eb7ca8983aa3cd0ed69b",
"versionType": "git"
},
{
"lessThan": "1ff415eef513bf12deb058fc50d57788c46c48e6",
"status": "affected",
"version": "9703d69d9d153bb230711d0d577454552aeb13d4",
"versionType": "git"
},
{
"lessThan": "fee27b69dde1a05908b350eea42937af2387c4fe",
"status": "affected",
"version": "9703d69d9d153bb230711d0d577454552aeb13d4",
"versionType": "git"
},
{
"lessThan": "607cb9d83838d2cd9f0406c2403ed61aadf0edff",
"status": "affected",
"version": "9703d69d9d153bb230711d0d577454552aeb13d4",
"versionType": "git"
},
{
"lessThan": "5c145c03188bc9ba1c29e0bc4d527a5978fc47f9",
"status": "affected",
"version": "9703d69d9d153bb230711d0d577454552aeb13d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "6.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid mapping wrong physical block for swapfile\n\nXiaolong Guo reported a f2fs bug in bugzilla [1]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951\n\nQuoted:\n\n\"When using stress-ng\u0027s swap stress test on F2FS filesystem with kernel 6.6+,\nthe system experiences data corruption leading to either:\n1 dm-verity corruption errors and device reboot\n2 F2FS node corruption errors and boot hangs\n\nThe issue occurs specifically when:\n1 Using F2FS filesystem (ext4 is unaffected)\n2 Swapfile size is less than F2FS section size (2MB)\n3 Swapfile has fragmented physical layout (multiple non-contiguous extents)\n4 Kernel version is 6.6+ (6.1 is unaffected)\n\nThe root cause is in check_swap_activate() function in fs/f2fs/data.c. When the\nfirst extent of a small swapfile (\u003c 2MB) is not aligned to section boundaries,\nthe function incorrectly treats it as the last extent, failing to map\nsubsequent extents. This results in incorrect swap_extent creation where only\nthe first extent is mapped, causing subsequent swap writes to overwrite wrong\nphysical locations (other files\u0027 data).\n\nSteps to Reproduce\n1 Setup a device with F2FS-formatted userdata partition\n2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng\n3 Run swap stress test: (Android devices)\nadb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60\n--swap 0\"\n\nLog:\n1 Ftrace shows in kernel 6.6, only first extent is mapped during second\nf2fs_map_blocks call in check_swap_activate():\nstress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start\nblkaddr=0x43143, len=0x1\n(Only 4KB mapped, not the full swapfile)\n2 in kernel 6.1, both extents are correctly mapped:\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start\nblkaddr=0x13cd4, len=0x1\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start\nblkaddr=0x60c84b, len=0xff\n\nThe problematic code is in check_swap_activate():\nif ((pblock - SM_I(sbi)-\u003emain_blkaddr) % blks_per_sec ||\n nr_pblocks % blks_per_sec ||\n !f2fs_valid_pinned_area(sbi, pblock)) {\n bool last_extent = false;\n\n not_aligned++;\n\n nr_pblocks = roundup(nr_pblocks, blks_per_sec);\n if (cur_lblock + nr_pblocks \u003e sis-\u003emax)\n nr_pblocks -= blks_per_sec;\n\n /* this extent is last one */\n if (!nr_pblocks) {\n nr_pblocks = last_lblock - cur_lblock;\n last_extent = true;\n }\n\n ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);\n if (ret) {\n if (ret == -ENOENT)\n ret = -EINVAL;\n goto out;\n }\n\n if (!last_extent)\n goto retry;\n}\n\nWhen the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)\nexceeds sis-\u003emax, we subtract blks_per_sec resulting in nr_pblocks = 0. The\ncode then incorrectly assumes this is the last extent, sets nr_pblocks =\nlast_lblock - cur_lblock (entire swapfile), and performs migration. After\nmigration, it doesn\u0027t retry mapping, so subsequent extents are never processed.\n\"\n\nIn order to fix this issue, we need to lookup block mapping info after\nwe migrate all blocks in the tail of swapfile."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T14:36:38.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4534a7f6c92baaf7e12a45fc6e37332cafafc33"
},
{
"url": "https://git.kernel.org/stable/c/1ff415eef513bf12deb058fc50d57788c46c48e6"
},
{
"url": "https://git.kernel.org/stable/c/fee27b69dde1a05908b350eea42937af2387c4fe"
},
{
"url": "https://git.kernel.org/stable/c/607cb9d83838d2cd9f0406c2403ed61aadf0edff"
},
{
"url": "https://git.kernel.org/stable/c/5c145c03188bc9ba1c29e0bc4d527a5978fc47f9"
}
],
"title": "f2fs: fix to avoid mapping wrong physical block for swapfile",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23233",
"datePublished": "2026-03-04T14:36:38.076Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T14:36:38.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23235 (GCVE-0-2026-23235)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-04 14:36
VLAI?
EPSS
Title
f2fs: fix out-of-bounds access in sysfs attribute read/write
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix out-of-bounds access in sysfs attribute read/write
Some f2fs sysfs attributes suffer from out-of-bounds memory access and
incorrect handling of integer values whose size is not 4 bytes.
For example:
vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1
carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
integer. However, the sysfs interface allows setting it to a value
larger than 255, resulting in an out-of-range update.
atgc_age_threshold maps to {struct atgc_management}->age_threshold,
which is a 64-bit integer, but its sysfs interface cannot correctly set
values larger than UINT_MAX.
The root causes are:
1. __sbi_store() treats all default values as unsigned int, which
prevents updating integers larger than 4 bytes and causes out-of-bounds
writes for integers smaller than 4 bytes.
2. f2fs_sbi_show() also assumes all default values are unsigned int,
leading to out-of-bounds reads and incorrect access to integers larger
than 4 bytes.
This patch introduces {struct f2fs_attr}->size to record the actual size
of the integer associated with each sysfs attribute. With this
information, sysfs read and write operations can correctly access and
update values according to their real data size, avoiding memory
corruption and truncation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b59d0bae6ca30c496f298881616258f9cde0d9c6 , < e85a99db9ab85dfc30d93b0ca0e9156f3127f55a
(git)
Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 438a405fbad6882df0e34b3e1a16839a71f04240 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 6a6c07a9b49e43f0df42d7118fc76aa555c73d98 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < eebd72cff518ac87e660aefb8a41224bd88c32ce (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 4ef30b9f1641c9e877792df6b049f1cf507d002d (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < d4a594dd952df123cbdcdee9b9640d9d55e4a954 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 3a905e183c047577b154f08a78ac3039e9454703 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e85a99db9ab85dfc30d93b0ca0e9156f3127f55a",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "438a405fbad6882df0e34b3e1a16839a71f04240",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "6a6c07a9b49e43f0df42d7118fc76aa555c73d98",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "eebd72cff518ac87e660aefb8a41224bd88c32ce",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "4ef30b9f1641c9e877792df6b049f1cf507d002d",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "d4a594dd952df123cbdcdee9b9640d9d55e4a954",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "3a905e183c047577b154f08a78ac3039e9454703",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
},
{
"lessThan": "98ea0039dbfdd00e5cc1b9a8afa40434476c0955",
"status": "affected",
"version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix out-of-bounds access in sysfs attribute read/write\n\nSome f2fs sysfs attributes suffer from out-of-bounds memory access and\nincorrect handling of integer values whose size is not 4 bytes.\n\nFor example:\nvm:~# echo 65537 \u003e /sys/fs/f2fs/vde/carve_out\nvm:~# cat /sys/fs/f2fs/vde/carve_out\n65537\nvm:~# echo 4294967297 \u003e /sys/fs/f2fs/vde/atgc_age_threshold\nvm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold\n1\n\ncarve_out maps to {struct f2fs_sb_info}-\u003ecarve_out, which is a 8-bit\ninteger. However, the sysfs interface allows setting it to a value\nlarger than 255, resulting in an out-of-range update.\n\natgc_age_threshold maps to {struct atgc_management}-\u003eage_threshold,\nwhich is a 64-bit integer, but its sysfs interface cannot correctly set\nvalues larger than UINT_MAX.\n\nThe root causes are:\n1. __sbi_store() treats all default values as unsigned int, which\nprevents updating integers larger than 4 bytes and causes out-of-bounds\nwrites for integers smaller than 4 bytes.\n\n2. f2fs_sbi_show() also assumes all default values are unsigned int,\nleading to out-of-bounds reads and incorrect access to integers larger\nthan 4 bytes.\n\nThis patch introduces {struct f2fs_attr}-\u003esize to record the actual size\nof the integer associated with each sysfs attribute. With this\ninformation, sysfs read and write operations can correctly access and\nupdate values according to their real data size, avoiding memory\ncorruption and truncation."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T14:36:39.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e85a99db9ab85dfc30d93b0ca0e9156f3127f55a"
},
{
"url": "https://git.kernel.org/stable/c/438a405fbad6882df0e34b3e1a16839a71f04240"
},
{
"url": "https://git.kernel.org/stable/c/6a6c07a9b49e43f0df42d7118fc76aa555c73d98"
},
{
"url": "https://git.kernel.org/stable/c/eebd72cff518ac87e660aefb8a41224bd88c32ce"
},
{
"url": "https://git.kernel.org/stable/c/4ef30b9f1641c9e877792df6b049f1cf507d002d"
},
{
"url": "https://git.kernel.org/stable/c/d4a594dd952df123cbdcdee9b9640d9d55e4a954"
},
{
"url": "https://git.kernel.org/stable/c/3a905e183c047577b154f08a78ac3039e9454703"
},
{
"url": "https://git.kernel.org/stable/c/98ea0039dbfdd00e5cc1b9a8afa40434476c0955"
}
],
"title": "f2fs: fix out-of-bounds access in sysfs attribute read/write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23235",
"datePublished": "2026-03-04T14:36:39.537Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T14:36:39.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23238 (GCVE-0-2026-23238)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:38 – Updated: 2026-03-08 10:07
VLAI?
EPSS
Title
romfs: check sb_set_blocksize() return value
Summary
In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.
This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.
When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.
The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():
kernel BUG at fs/buffer.c:1582!
BUG_ON(size > PAGE_SIZE);
Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2521ab1f63a8c244f06a080319e5ff9a2e1bd95 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c5829cd8fbbc91568c520b666898f57cdcb8cf6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cbd9931e6456822067725354d83446c5bb813030 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9b203b8ddd7359270e8a694d0584743555128e2c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b71ad7676564a94ec5f7d18298f51e8ae53db73 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/romfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a381f0f61b35c8894b0bd0d6acef2d8f9b08b244",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2521ab1f63a8c244f06a080319e5ff9a2e1bd95",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c5829cd8fbbc91568c520b666898f57cdcb8cf6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cbd9931e6456822067725354d83446c5bb813030",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9b203b8ddd7359270e8a694d0584743555128e2c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4b71ad7676564a94ec5f7d18298f51e8ae53db73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/romfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nromfs: check sb_set_blocksize() return value\n\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice\u0027s configuration.\n\nThis can be triggered by setting a loop device\u0027s block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\n\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device\u0027s logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\n\nThe superblock\u0027s block size remains at the device\u0027s logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\n\n kernel BUG at fs/buffer.c:1582!\n BUG_ON(size \u003e PAGE_SIZE);\n\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T10:07:34.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244"
},
{
"url": "https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95"
},
{
"url": "https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6"
},
{
"url": "https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030"
},
{
"url": "https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c"
},
{
"url": "https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73"
},
{
"url": "https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0"
}
],
"title": "romfs: check sb_set_blocksize() return value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23238",
"datePublished": "2026-03-04T14:38:42.477Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-03-08T10:07:34.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23232 (GCVE-0-2026-23232)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-04 14:36
VLAI?
EPSS
Title
Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()"
This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a.
Original patch may cause below deadlock, revert it.
write remount
- write_begin
- lock_page --- lock A
- prepare_write_begin
- f2fs_map_lock
- f2fs_enable_checkpoint
- down_write(cp_enable_rwsem) --- lock B
- sync_inode_sb
- writepages
- lock_page --- lock A
- down_read(cp_enable_rwsem) --- lock A
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6382273801bc7c778545dd8004c9a9d750b4f62",
"status": "affected",
"version": "196c81fdd438f7ac429d5639090a9816abb9760a",
"versionType": "git"
},
{
"lessThan": "3996b70209f145bfcf2afc7d05dd92c27b233b48",
"status": "affected",
"version": "196c81fdd438f7ac429d5639090a9816abb9760a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: block cache/dio write during f2fs_enable_checkpoint()\"\n\nThis reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a.\n\nOriginal patch may cause below deadlock, revert it.\n\nwrite\t\t\t\tremount\n- write_begin\n - lock_page --- lock A\n - prepare_write_begin\n - f2fs_map_lock\n\t\t\t\t- f2fs_enable_checkpoint\n\t\t\t\t - down_write(cp_enable_rwsem) --- lock B\n\t\t\t\t - sync_inode_sb\n\t\t\t\t - writepages\n\t\t\t\t - lock_page\t\t\t--- lock A\n - down_read(cp_enable_rwsem) --- lock A"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T14:36:37.323Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6382273801bc7c778545dd8004c9a9d750b4f62"
},
{
"url": "https://git.kernel.org/stable/c/3996b70209f145bfcf2afc7d05dd92c27b233b48"
}
],
"title": "Revert \"f2fs: block cache/dio write during f2fs_enable_checkpoint()\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23232",
"datePublished": "2026-03-04T14:36:37.323Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T14:36:37.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23231 (GCVE-0-2026-23231)
Vulnerability from cvelistv5 – Published: 2026-03-04 12:58 – Updated: 2026-03-04 13:16
VLAI?
EPSS
Title
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2a6586ecfa4ce1413daaafee250d2590e05f1a33
(git)
Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 7017745068a9068904e1e7a1b170a5785647cc81 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < f3fe58ce37926a10115ede527d59b91bcc05400a (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < dbd0af8083dd201f07c49110b2ee93710abdff28 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 71e99ee20fc3f662555118cf1159443250647533 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a6586ecfa4ce1413daaafee250d2590e05f1a33",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "7017745068a9068904e1e7a1b170a5785647cc81",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "f3fe58ce37926a10115ede527d59b91bcc05400a",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "dbd0af8083dd201f07c49110b2ee93710abdff28",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
},
{
"lessThan": "71e99ee20fc3f662555118cf1159443250647533",
"status": "affected",
"version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n under rcu_read_lock(). A concurrent dump can still be walking\n the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n installs the IPv4 hook before IPv6 registration fails. Packets\n entering nft_do_chain() via the transient IPv4 hook can still be\n dereferencing chain-\u003eblob_gen_X when the error path frees the\n chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T13:16:12.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33"
},
{
"url": "https://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81"
},
{
"url": "https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400a"
},
{
"url": "https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28"
},
{
"url": "https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b"
},
{
"url": "https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533"
}
],
"title": "netfilter: nf_tables: fix use-after-free in nf_tables_addchain()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23231",
"datePublished": "2026-03-04T12:58:42.029Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T13:16:12.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23234 (GCVE-0-2026-23234)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-04 14:36
VLAI?
EPSS
Title
f2fs: fix to avoid UAF in f2fs_write_end_io()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid UAF in f2fs_write_end_io()
As syzbot reported an use-after-free issue in f2fs_write_end_io().
It is caused by below race condition:
loop device umount
- worker_thread
- loop_process_work
- do_req_filebacked
- lo_rw_aio
- lo_rw_aio_complete
- blk_mq_end_request
- blk_update_request
- f2fs_write_end_io
- dec_page_count
- folio_end_writeback
- kill_f2fs_super
- kill_block_super
- f2fs_put_super
: free(sbi)
: get_pages(, F2FS_WB_CP_DATA)
accessed sbi which is freed
In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
call free(sbi), it guarantee that all folios should end its writeback, so
it should be safe to access sbi before last folio_end_writeback().
Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
resolve this issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 0fb58aff0dafd6837cc91f4154f3ed6e020358fa
(git)
Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 505e1c0530db6152cab3feef8e3e4da3d3e358c9 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < acc2c97fc0005846e5cf11b5ba3189fef130c9b3 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 995030be4ce6338c6ff814583c14166446a64008 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < a42f99be8a16b32a0bb91bb6dda212a6ad61be5d (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < ce2739e482bce8d2c014d76c4531c877f382aa54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fb58aff0dafd6837cc91f4154f3ed6e020358fa",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "505e1c0530db6152cab3feef8e3e4da3d3e358c9",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "acc2c97fc0005846e5cf11b5ba3189fef130c9b3",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "995030be4ce6338c6ff814583c14166446a64008",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "a42f99be8a16b32a0bb91bb6dda212a6ad61be5d",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
},
{
"lessThan": "ce2739e482bce8d2c014d76c4531c877f382aa54",
"status": "affected",
"version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_write_end_io()\n\nAs syzbot reported an use-after-free issue in f2fs_write_end_io().\n\nIt is caused by below race condition:\n\nloop device\t\t\t\tumount\n- worker_thread\n - loop_process_work\n - do_req_filebacked\n - lo_rw_aio\n - lo_rw_aio_complete\n - blk_mq_end_request\n - blk_update_request\n - f2fs_write_end_io\n - dec_page_count\n - folio_end_writeback\n\t\t\t\t\t- kill_f2fs_super\n\t\t\t\t\t - kill_block_super\n\t\t\t\t\t - f2fs_put_super\n\t\t\t\t\t : free(sbi)\n : get_pages(, F2FS_WB_CP_DATA)\n accessed sbi which is freed\n\nIn kill_f2fs_super(), we will drop all page caches of f2fs inodes before\ncall free(sbi), it guarantee that all folios should end its writeback, so\nit should be safe to access sbi before last folio_end_writeback().\n\nLet\u0027s relocate ckpt thread wakeup flow before folio_end_writeback() to\nresolve this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T14:36:38.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fb58aff0dafd6837cc91f4154f3ed6e020358fa"
},
{
"url": "https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9"
},
{
"url": "https://git.kernel.org/stable/c/505e1c0530db6152cab3feef8e3e4da3d3e358c9"
},
{
"url": "https://git.kernel.org/stable/c/acc2c97fc0005846e5cf11b5ba3189fef130c9b3"
},
{
"url": "https://git.kernel.org/stable/c/cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42"
},
{
"url": "https://git.kernel.org/stable/c/995030be4ce6338c6ff814583c14166446a64008"
},
{
"url": "https://git.kernel.org/stable/c/a42f99be8a16b32a0bb91bb6dda212a6ad61be5d"
},
{
"url": "https://git.kernel.org/stable/c/ce2739e482bce8d2c014d76c4531c877f382aa54"
}
],
"title": "f2fs: fix to avoid UAF in f2fs_write_end_io()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23234",
"datePublished": "2026-03-04T14:36:38.843Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T14:36:38.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23237 (GCVE-0-2026-23237)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:38 – Updated: 2026-03-08 10:07
VLAI?
EPSS
Title
platform/x86: classmate-laptop: Add missing NULL pointer checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: classmate-laptop: Add missing NULL pointer checks
In a few places in the Classmate laptop driver, code using the accel
object may run before that object's address is stored in the driver
data of the input device using it.
For example, cmpc_accel_sensitivity_store_v4() is the "show" method
of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),
before calling dev_set_drvdata() for inputdev->dev. If the sysfs
attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev)
call in in cmpc_accel_sensitivity_store_v4() returns NULL which
leads to a NULL pointer dereference going forward.
Moreover, sysfs attributes using the input device are added before
initializing that device by cmpc_add_acpi_notify_device() and if one
of them is accessed before running that function, a NULL pointer
dereference will occur.
For example, cmpc_accel_sensitivity_attr_v4 is added before calling
cmpc_add_acpi_notify_device() and if it is read prematurely, the
dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4()
returns NULL which leads to a NULL pointer dereference going forward.
Fix this by adding NULL pointer checks in all of the relevant places.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
529aa8cb0a59367d08883f818e8c47028e819d0d , < 993708fc18d0d0919db438361b4e8c1f980a8d1b
(git)
Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < af673209d43b46257540997aba042b90ef3258c0 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < eb214804f03c829decf10998e9b7dd26f4c8ab9e (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < 9cf4b9b8ad09d6e05307abc4e951cabdff4be652 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < da6e06a5fdbabea3870d18c227734b5dea5b3be6 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < 97528b1622b8f129574d29a571c32a3c85eafa3c (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < fe747d7112283f47169e9c16e751179a9b38611e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/classmate-laptop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "993708fc18d0d0919db438361b4e8c1f980a8d1b",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "af673209d43b46257540997aba042b90ef3258c0",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "eb214804f03c829decf10998e9b7dd26f4c8ab9e",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "9cf4b9b8ad09d6e05307abc4e951cabdff4be652",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "da6e06a5fdbabea3870d18c227734b5dea5b3be6",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "97528b1622b8f129574d29a571c32a3c85eafa3c",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
},
{
"lessThan": "fe747d7112283f47169e9c16e751179a9b38611e",
"status": "affected",
"version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/classmate-laptop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: classmate-laptop: Add missing NULL pointer checks\n\nIn a few places in the Classmate laptop driver, code using the accel\nobject may run before that object\u0027s address is stored in the driver\ndata of the input device using it.\n\nFor example, cmpc_accel_sensitivity_store_v4() is the \"show\" method\nof cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),\nbefore calling dev_set_drvdata() for inputdev-\u003edev. If the sysfs\nattribute is accessed prematurely, the dev_get_drvdata(\u0026inputdev-\u003edev)\ncall in in cmpc_accel_sensitivity_store_v4() returns NULL which\nleads to a NULL pointer dereference going forward.\n\nMoreover, sysfs attributes using the input device are added before\ninitializing that device by cmpc_add_acpi_notify_device() and if one\nof them is accessed before running that function, a NULL pointer\ndereference will occur.\n\nFor example, cmpc_accel_sensitivity_attr_v4 is added before calling\ncmpc_add_acpi_notify_device() and if it is read prematurely, the\ndev_get_drvdata(\u0026acpi-\u003edev) call in cmpc_accel_sensitivity_show_v4()\nreturns NULL which leads to a NULL pointer dereference going forward.\n\nFix this by adding NULL pointer checks in all of the relevant places."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T10:07:33.737Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b"
},
{
"url": "https://git.kernel.org/stable/c/af673209d43b46257540997aba042b90ef3258c0"
},
{
"url": "https://git.kernel.org/stable/c/eb214804f03c829decf10998e9b7dd26f4c8ab9e"
},
{
"url": "https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05307abc4e951cabdff4be652"
},
{
"url": "https://git.kernel.org/stable/c/da6e06a5fdbabea3870d18c227734b5dea5b3be6"
},
{
"url": "https://git.kernel.org/stable/c/97528b1622b8f129574d29a571c32a3c85eafa3c"
},
{
"url": "https://git.kernel.org/stable/c/fe747d7112283f47169e9c16e751179a9b38611e"
}
],
"title": "platform/x86: classmate-laptop: Add missing NULL pointer checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23237",
"datePublished": "2026-03-04T14:38:41.815Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-08T10:07:33.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71238 (GCVE-0-2025-71238)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-08 10:07
VLAI?
EPSS
Title
scsi: qla2xxx: Fix bsg_done() causing double free
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix bsg_done() causing double free
Kernel panic observed on system,
[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b81e7f3019d632a707e07927e946ffbbc102910 , < 057a5bdc481e58ab853117254867ffb22caf9f6e
(git)
Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 27ac9679c43a09e54e2d9aae9980ada045b428e0 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 74e7458537cd9349cf019862e51491f670871707 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 871f6236da96c4a9712b8a29d7f555f767a47e95 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 31f33b856d2324d86bcaef295f4d210477a1c018 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 708003e1bc857dd014d4c44278d7d77c26f91b1c (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "057a5bdc481e58ab853117254867ffb22caf9f6e",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "27ac9679c43a09e54e2d9aae9980ada045b428e0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "74e7458537cd9349cf019862e51491f670871707",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "871f6236da96c4a9712b8a29d7f555f767a47e95",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "31f33b856d2324d86bcaef295f4d210477a1c018",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "708003e1bc857dd014d4c44278d7d77c26f91b1c",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
},
{
"lessThan": "c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0",
"status": "affected",
"version": "1b81e7f3019d632a707e07927e946ffbbc102910",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix bsg_done() causing double free\n\nKernel panic observed on system,\n\n[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000\n[5353358.825194] #PF: supervisor write access in kernel mode\n[5353358.825195] #PF: error_code(0x0002) - not-present page\n[5353358.825196] PGD 100006067 P4D 0\n[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1\n[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025\n[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10\n[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246\n[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000\n[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000\n[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000\n[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090\n[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000\n[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000\n[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0\n[5353358.825221] PKRU: 55555554\n[5353358.825222] Call Trace:\n[5353358.825223] \u003cTASK\u003e\n[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825232] ? sg_copy_buffer+0xc8/0x110\n[5353358.825236] ? __die_body.cold+0x8/0xd\n[5353358.825238] ? page_fault_oops+0x134/0x170\n[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110\n[5353358.825244] ? exc_page_fault+0xa8/0x150\n[5353358.825247] ? asm_exc_page_fault+0x22/0x30\n[5353358.825252] ? memcpy_erms+0x6/0x10\n[5353358.825253] sg_copy_buffer+0xc8/0x110\n[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]\n[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]\n\nMost routines in qla_bsg.c call bsg_done() only for success cases.\nHowever a few invoke it for failure case as well leading to a double\nfree. Validate before calling bsg_done()."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T10:07:31.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/057a5bdc481e58ab853117254867ffb22caf9f6e"
},
{
"url": "https://git.kernel.org/stable/c/f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720"
},
{
"url": "https://git.kernel.org/stable/c/27ac9679c43a09e54e2d9aae9980ada045b428e0"
},
{
"url": "https://git.kernel.org/stable/c/74e7458537cd9349cf019862e51491f670871707"
},
{
"url": "https://git.kernel.org/stable/c/871f6236da96c4a9712b8a29d7f555f767a47e95"
},
{
"url": "https://git.kernel.org/stable/c/31f33b856d2324d86bcaef295f4d210477a1c018"
},
{
"url": "https://git.kernel.org/stable/c/708003e1bc857dd014d4c44278d7d77c26f91b1c"
},
{
"url": "https://git.kernel.org/stable/c/c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0"
}
],
"title": "scsi: qla2xxx: Fix bsg_done() causing double free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71238",
"datePublished": "2026-03-04T14:36:36.579Z",
"dateReserved": "2026-02-18T14:25:13.845Z",
"dateUpdated": "2026-03-08T10:07:31.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23236 (GCVE-0-2026-23236)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-08 10:07
VLAI?
EPSS
Title
fbdev: smscufx: properly copy ioctl memory to kernelspace
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: smscufx: properly copy ioctl memory to kernelspace
The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
userspace to kernelspace, and instead directly references the memory,
which can cause problems if invalid data is passed from userspace. Fix
this all up by correctly copying the memory before accessing it within
the kernel.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 061cfeb560aa3ddc174153dbe5be9d0b55eb7248
(git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 6167af934f956d3ae1e06d61f45cd0d1004bbe1a (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < a0321e6e58facb39fe191caa0e52ed9aab6a48fe (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 0634e8d650993602fc5b389ff7ac525f6542e141 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 52917e265aa5f848212f60fc50fc504d8ef12866 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 1c008ad0f0d1c1523902b9cdb08e404129677bfc (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 120adae7b42faa641179270c067864544a50ab69 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "061cfeb560aa3ddc174153dbe5be9d0b55eb7248",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "6167af934f956d3ae1e06d61f45cd0d1004bbe1a",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "a0321e6e58facb39fe191caa0e52ed9aab6a48fe",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "0634e8d650993602fc5b389ff7ac525f6542e141",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "52917e265aa5f848212f60fc50fc504d8ef12866",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "1c008ad0f0d1c1523902b9cdb08e404129677bfc",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "120adae7b42faa641179270c067864544a50ab69",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace. Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T10:07:32.631Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248"
},
{
"url": "https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a"
},
{
"url": "https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe"
},
{
"url": "https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141"
},
{
"url": "https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866"
},
{
"url": "https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc"
},
{
"url": "https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02"
},
{
"url": "https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69"
}
],
"title": "fbdev: smscufx: properly copy ioctl memory to kernelspace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23236",
"datePublished": "2026-03-04T14:36:40.162Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-08T10:07:32.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…