WID-SEC-W-2026-0790
Vulnerability from csaf_certbund - Published: 2026-03-18 23:00 - Updated: 2026-03-26 23:00
Summary
Linux Kernel: Multiple Vulnerabilities
Severity
Medium
Notes
The BSI, as provider, is responsible under general law for its own content made available for use. However, users are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description: The kernel is the core of the Linux operating system.
Attack: An attacker can exploit multiple vulnerabilities in the Linux kernel to carry out unspecified attacks that may lead to a denial-of-service condition, privilege escalation, or memory corruption.
Affected operating systems: - Linux
References
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand, einer Rechteausweitung oder einer Speicherbesch\u00e4digung f\u00fchren k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0790 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0790.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0790 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0790"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71268",
"url": "https://lore.kernel.org/linux-cve-announce/2026031814-CVE-2025-71268-057a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71269",
"url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71269-b47d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71270",
"url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71270-19ac@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23249",
"url": "https://lore.kernel.org/linux-cve-announce/2026031843-CVE-2026-23249-c309@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23250",
"url": "https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23250-271e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23251",
"url": "https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23252",
"url": "https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23252-6bef@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23253",
"url": "https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23253-b1c6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23254",
"url": "https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23254-6387@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23255",
"url": "https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23255-fc51@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23256",
"url": "https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23256-b93b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23257",
"url": "https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23257-bd18@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23258",
"url": "https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23258-d181@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23259",
"url": "https://lore.kernel.org/linux-cve-announce/2026031819-CVE-2026-23259-5bd7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23260",
"url": "https://lore.kernel.org/linux-cve-announce/2026031819-CVE-2026-23260-6464@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23261",
"url": "https://lore.kernel.org/linux-cve-announce/2026031819-CVE-2026-23261-f757@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23262",
"url": "https://lore.kernel.org/linux-cve-announce/2026031820-CVE-2026-23262-a421@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23263",
"url": "https://lore.kernel.org/linux-cve-announce/2026031820-CVE-2026-23263-5c88@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23264",
"url": "https://lore.kernel.org/linux-cve-announce/2026031820-CVE-2026-23264-fe5b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23265",
"url": "https://lore.kernel.org/linux-cve-announce/2026031853-CVE-2026-23265-6d01@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23266",
"url": "https://lore.kernel.org/linux-cve-announce/2026031853-CVE-2026-23266-b57b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23267",
"url": "https://lore.kernel.org/linux-cve-announce/2026031811-CVE-2026-23267-ff55@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23268",
"url": "https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23268-6be3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23269",
"url": "https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23269-2bf7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23270",
"url": "https://lore.kernel.org/linux-cve-announce/2026031847-CVE-2026-23270-cb9a@gregkh/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0961-1 vom 2026-03-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024805.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0962-1 vom 2026-03-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024803.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0984-1 vom 2026-03-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024841.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1003-1 vom 2026-03-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024925.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1041-1 vom 2026-03-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024928.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1078-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024954.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1077-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024956.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1081-1 vom 2026-03-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024953.html"
},
{
"category": "external",
"summary": "IGEL Security Notice ISN-2026-07 vom 2026-03-26",
"url": "https://kb.igel.com/en/security-safety/current/isn-2026-07-apparmor-vulnerabilities"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-26T23:00:00.000+00:00",
"generator": {
"date": "2026-03-27T09:01:23.025+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0790",
"initial_release_date": "2026-03-18T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-03-18T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-23T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-24T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-25T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-03-26T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE und IGEL aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IGEL OS",
"product": {
"name": "IGEL OS",
"product_id": "T017865",
"product_identification_helper": {
"cpe": "cpe:/o:igel:os:-"
}
}
}
],
"category": "vendor",
"name": "IGEL"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T051923",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-71268",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2025-71268"
},
{
"cve": "CVE-2025-71269",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2025-71269"
},
{
"cve": "CVE-2025-71270",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2025-71270"
},
{
"cve": "CVE-2026-23249",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23249"
},
{
"cve": "CVE-2026-23250",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23250"
},
{
"cve": "CVE-2026-23251",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23251"
},
{
"cve": "CVE-2026-23252",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23252"
},
{
"cve": "CVE-2026-23253",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23253"
},
{
"cve": "CVE-2026-23254",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23254"
},
{
"cve": "CVE-2026-23255",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23255"
},
{
"cve": "CVE-2026-23256",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23256"
},
{
"cve": "CVE-2026-23257",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23257"
},
{
"cve": "CVE-2026-23258",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23258"
},
{
"cve": "CVE-2026-23259",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23259"
},
{
"cve": "CVE-2026-23260",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23260"
},
{
"cve": "CVE-2026-23261",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23261"
},
{
"cve": "CVE-2026-23262",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23262"
},
{
"cve": "CVE-2026-23263",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23263"
},
{
"cve": "CVE-2026-23264",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23264"
},
{
"cve": "CVE-2026-23265",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23265"
},
{
"cve": "CVE-2026-23266",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23266"
},
{
"cve": "CVE-2026-23267",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23267"
},
{
"cve": "CVE-2026-23268",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23268"
},
{
"cve": "CVE-2026-23269",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23269"
},
{
"cve": "CVE-2026-23270",
"product_status": {
"known_affected": [
"T002207",
"T051923",
"T017865"
]
},
"release_date": "2026-03-18T23:00:00.000+00:00",
"title": "CVE-2026-23270"
}
]
}
CVE-2026-23267 (GCVE-0-2026-23267)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:46 – Updated: 2026-03-18 17:46
Title
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario
Thread A                                      Thread B
f2fs_ioc_commit_atomic_write
 - f2fs_do_sync_file // atomic = true
  - f2fs_fsync_node_pages
    : last_folio = inode folio
    : schedule before folio_lock(last_folio)  f2fs_write_checkpoint
                                               - block_operations// writeback last_folio
                                               - schedule before f2fs_flush_nat_entries
    : set_fsync_mark(last_folio, 1)
    : set_dentry_mark(last_folio, 1)
    : folio_mark_dirty(last_folio)
    - __write_node_folio(last_folio)
      : f2fs_down_read(&sbi->node_write)//block
                                               - f2fs_flush_nat_entries
                                                 : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                               - unblock_operations
                                                 : f2fs_up_write(&sbi->node_write)
                                              f2fs_write_checkpoint//return
      : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
                                              SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully wrote the checkpoint.
This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submits the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag w/o the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < 32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d (git) |
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < 75e19da068adf0dc5dd269dd157392434b9117d4 (git) |
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < 962c167b0f262b9962207fbeaa531721d55ea00e (git) |
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < bd66b4c487d5091d2a65d6089e0de36f0c26a4c7 (git) |
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < ed81bc5885460905f9160e7b463e5708fd056324 (git) |
| Linux | Linux | Affected: 608514deba38c8611ad330d6a3c8e2b9a1f68e4b , < 7633a7387eb4d0259d6bea945e1d3469cd135bbc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
},
{
"lessThan": "75e19da068adf0dc5dd269dd157392434b9117d4",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
},
{
"lessThan": "962c167b0f262b9962207fbeaa531721d55ea00e",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
},
{
"lessThan": "bd66b4c487d5091d2a65d6089e0de36f0c26a4c7",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
},
{
"lessThan": "ed81bc5885460905f9160e7b463e5708fd056324",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
},
{
"lessThan": "7633a7387eb4d0259d6bea945e1d3469cd135bbc",
"status": "affected",
"version": "608514deba38c8611ad330d6a3c8e2b9a1f68e4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes\n\nDuring SPO tests, when mounting F2FS, an -EINVAL error was returned from\nf2fs_recover_inode_page. The issue occurred under the following scenario\n\nThread A Thread B\nf2fs_ioc_commit_atomic_write\n - f2fs_do_sync_file // atomic = true\n - f2fs_fsync_node_pages\n : last_folio = inode folio\n : schedule before folio_lock(last_folio) f2fs_write_checkpoint\n - block_operations// writeback last_folio\n - schedule before f2fs_flush_nat_entries\n : set_fsync_mark(last_folio, 1)\n : set_dentry_mark(last_folio, 1)\n : folio_mark_dirty(last_folio)\n - __write_node_folio(last_folio)\n : f2fs_down_read(\u0026sbi-\u003enode_write)//block\n - f2fs_flush_nat_entries\n : {struct nat_entry}-\u003eflag |= BIT(IS_CHECKPOINTED)\n - unblock_operations\n : f2fs_up_write(\u0026sbi-\u003enode_write)\n f2fs_write_checkpoint//return\n : f2fs_do_write_node_page()\nf2fs_ioc_commit_atomic_write//return\n SPO\n\nThread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has\nalready been written once. However, the {struct nat_entry}-\u003eflag did not\nhave the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and\nwrite last_folio again after Thread B finishes f2fs_write_checkpoint.\n\nAfter SPO and reboot, it was detected that {struct node_info}-\u003eblk_addr\nwas not NULL_ADDR because Thread B successfully write the checkpoint.\n\nThis issue only occurs in atomic write scenarios. For regular file\nfsync operations, the folio must be dirty. If\nblock_operations-\u003ef2fs_sync_node_pages successfully submit the folio\nwrite, this path will not be executed. Otherwise, the\nf2fs_write_checkpoint will need to wait for the folio write submission\nto complete, as sbi-\u003enr_pages[F2FS_DIRTY_NODES] \u003e 0. 
Therefore, the\nsituation where f2fs_need_dentry_mark checks that the {struct\nnat_entry}-\u003eflag /wo the IS_CHECKPOINTED flag, but the folio write has\nalready been submitted, will not occur.\n\nTherefore, for atomic file fsync, sbi-\u003enode_write should be acquired\nthrough __write_node_folio to ensure that the IS_CHECKPOINTED flag\ncorrectly indicates that the checkpoint write has been completed."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:46:09.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d"
},
{
"url": "https://git.kernel.org/stable/c/75e19da068adf0dc5dd269dd157392434b9117d4"
},
{
"url": "https://git.kernel.org/stable/c/962c167b0f262b9962207fbeaa531721d55ea00e"
},
{
"url": "https://git.kernel.org/stable/c/bd66b4c487d5091d2a65d6089e0de36f0c26a4c7"
},
{
"url": "https://git.kernel.org/stable/c/ed81bc5885460905f9160e7b463e5708fd056324"
},
{
"url": "https://git.kernel.org/stable/c/7633a7387eb4d0259d6bea945e1d3469cd135bbc"
}
],
"title": "f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23267",
"datePublished": "2026-03-18T17:46:09.116Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-18T17:46:09.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23255 (GCVE-0-2026-23255)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
net: add proper RCU protection to /proc/net/ptype
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: add proper RCU protection to /proc/net/ptype
Yin Fengwei reported an RCU stall in ptype_seq_show() and provided
a patch.
Real issue is that ptype_seq_next() and ptype_seq_show() violate
RCU rules.
ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev
to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure
(which is correctly freed after an RCU grace period) and clear pt->dev
without an RCU grace period.
Define ptype_iter_state to carry a dev pointer along seq_net_private:
struct ptype_iter_state {
	struct seq_net_private	p;
	struct net_device	*dev; // added in this patch
};
We need to record the device pointer in ptype_get_idx() and
ptype_seq_next() so that ptype_seq_show() is safe against
concurrent pt->dev changes.
We also need to add full RCU protection in ptype_seq_next().
(Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
Severity ?
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/net-procfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "589a530ae44d0c80f523fcfd1a15af8087f27d35",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f613e8b4afea0cd17c7168e8b00e25bc8d33175d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/net-procfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add proper RCU protection to /proc/net/ptype\n\nYin Fengwei reported an RCU stall in ptype_seq_show() and provided\na patch.\n\nReal issue is that ptype_seq_next() and ptype_seq_show() violate\nRCU rules.\n\nptype_seq_show() runs under rcu_read_lock(), and reads pt-\u003edev\nto get device name without any barrier.\n\nAt the same time, concurrent writers can remove a packet_type structure\n(which is correctly freed after an RCU grace period) and clear pt-\u003edev\nwithout an RCU grace period.\n\nDefine ptype_iter_state to carry a dev pointer along seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // added in this patch\n};\n\nWe need to record the device pointer in ptype_get_idx() and\nptype_seq_next() so that ptype_seq_show() is safe against\nconcurrent pt-\u003edev changes.\n\nWe also need to add full RCU protection in ptype_seq_next().\n(Missing READ_ONCE() when reading list.next values)\n\nMany thanks to Dong Chenchen for providing a repro."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:01.445Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35"
},
{
"url": "https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d"
}
],
"title": "net: add proper RCU protection to /proc/net/ptype",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23255",
"datePublished": "2026-03-18T17:41:01.445Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:01.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23268 (GCVE-0-2026-23268)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-03-25 10:20
Title
apparmor: fix unprivileged local user can do privileged policy management
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix unprivileged local user can do privileged policy management
An unprivileged local user can load, replace, and remove profiles by
opening the apparmorfs interfaces, via a confused deputy attack, by
passing the opened fd to a privileged process, and getting the
privileged process to write to the interface.
This does require a privileged target that can be manipulated to do
the write for the unprivileged process, but once such access is
achieved full policy management is possible and all the possible
implications that implies: removing confinement, DoS of system or
target applications by denying all execution, by-passing the
unprivileged user namespace restriction, to exploiting kernel bugs for
a local privilege escalation.
The policy management interface can not have its permissions simply
changed from 0666 to 0600 because non-root processes need to be able
to load policy to different policy namespaces.
Instead ensure the task writing the interface has privileges that
are a subset of the task that opened the interface. This is already
done via policy for confined processes, but unconfined can delegate
access to the opened fd, by-passing the usual policy check.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 17debf5586020790b5717f96e5e6a3ca5bb961ab (git) |
| Linux | Linux | Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 0fc63dd9170643d15c25681fca792539e23f4640 (git) |
| Linux | Linux | Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6 (git) |
| Linux | Linux | Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < b6a94eeca9c6c8f7c55ad44c62c98324f51ec596 (git) |
| Linux | Linux | Affected: b7fd2c0340eacbee892425e9007647568b7f2a3c , < 6601e13e82841879406bf9f369032656f441a425 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17debf5586020790b5717f96e5e6a3ca5bb961ab",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "0fc63dd9170643d15c25681fca792539e23f4640",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "b6a94eeca9c6c8f7c55ad44c62c98324f51ec596",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
},
{
"lessThan": "6601e13e82841879406bf9f369032656f441a425",
"status": "affected",
"version": "b7fd2c0340eacbee892425e9007647568b7f2a3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy.h",
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:39.838Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17debf5586020790b5717f96e5e6a3ca5bb961ab"
},
{
"url": "https://git.kernel.org/stable/c/0fc63dd9170643d15c25681fca792539e23f4640"
},
{
"url": "https://git.kernel.org/stable/c/b60b3f7a35c46b2e0ca934f9c988b8fca06d76c6"
},
{
"url": "https://git.kernel.org/stable/c/b6a94eeca9c6c8f7c55ad44c62c98324f51ec596"
},
{
"url": "https://git.kernel.org/stable/c/6601e13e82841879406bf9f369032656f441a425"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: fix unprivileged local user can do privileged policy management",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23268",
"datePublished": "2026-03-18T17:54:41.974Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-25T10:20:39.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23270 (GCVE-0-2026-23270)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-03-25 10:20
Title
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to touch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0b5b831122fc3789fff75be433ba3e4dd7b779d4 , < fb3c380a54e33d1fd272cc342faa906d787d7ef1 (git) |
| Linux | Linux | Affected: 73f7da5fd124f2cda9161e2e46114915e6e82e97 , < 5a110ddcc99bda77a28598b3555fe009eaab3828 (git) |
| Linux | Linux | Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 524ce8b4ea8f64900b6c52b6a28df74f6bc0801e (git) |
| Linux | Linux | Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6 (git) |
| Linux | Linux | Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 9deda0fcda5c1f388c5e279541850b71a2ccfcf4 (git) |
| Linux | Linux | Affected: 3f14b377d01d8357eba032b4cabc8c1149b458b6 , < 11cb63b0d1a0685e0831ae3c77223e002ef18189 (git) |
| Linux | Linux | Affected: 172ba7d46c202e679f3ccb10264c67416aaeb1c4 (git) |
| Linux | Linux | Affected: f5346df0591d10bc948761ca854b1fae6d2ef441 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_ct.c",
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb3c380a54e33d1fd272cc342faa906d787d7ef1",
"status": "affected",
"version": "0b5b831122fc3789fff75be433ba3e4dd7b779d4",
"versionType": "git"
},
{
"lessThan": "5a110ddcc99bda77a28598b3555fe009eaab3828",
"status": "affected",
"version": "73f7da5fd124f2cda9161e2e46114915e6e82e97",
"versionType": "git"
},
{
"lessThan": "524ce8b4ea8f64900b6c52b6a28df74f6bc0801e",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "9deda0fcda5c1f388c5e279541850b71a2ccfcf4",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"lessThan": "11cb63b0d1a0685e0831ae3c77223e002ef18189",
"status": "affected",
"version": "3f14b377d01d8357eba032b4cabc8c1149b458b6",
"versionType": "git"
},
{
"status": "affected",
"version": "172ba7d46c202e679f3ccb10264c67416aaeb1c4",
"versionType": "git"
},
{
"status": "affected",
"version": "f5346df0591d10bc948761ca854b1fae6d2ef441",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/act_api.h",
"net/sched/act_ct.c",
"net/sched/cls_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:43.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"
},
{
"url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"
},
{
"url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"
},
{
"url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"
},
{
"url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"
},
{
"url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"
}
],
"title": "net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23270",
"datePublished": "2026-03-18T17:54:43.803Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-25T10:20:43.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23260 (GCVE-0-2026-23260)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-19 16:01
Title
regmap: maple: free entry on mas_store_gfp() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: maple: free entry on mas_store_gfp() failure
regcache_maple_write() allocates a new block ('entry') to merge
adjacent ranges and then stores it with mas_store_gfp().
When mas_store_gfp() fails, the new 'entry' remains allocated and
is never freed, leaking memory.
Free 'entry' on the failure path; on success continue freeing the
replaced neighbor blocks ('lower', 'upper').
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < d61171cf097156030142643942c217759a9cc806 (git) |
| Linux | Linux | Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < 811b45e2d795d955bb7fd9c816b40036f4fde350 (git) |
| Linux | Linux | Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < f08f2d2907675926ac5657b25f86d921f269602a (git) |
| Linux | Linux | Affected: f033c26de5a5734625d2dd1dc196745fae186f1b , < f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regcache-maple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d61171cf097156030142643942c217759a9cc806",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "811b45e2d795d955bb7fd9c816b40036f4fde350",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "f08f2d2907675926ac5657b25f86d921f269602a",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
},
{
"lessThan": "f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8",
"status": "affected",
"version": "f033c26de5a5734625d2dd1dc196745fae186f1b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regcache-maple.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: maple: free entry on mas_store_gfp() failure\n\nregcache_maple_write() allocates a new block (\u0027entry\u0027) to merge\nadjacent ranges and then stores it with mas_store_gfp().\nWhen mas_store_gfp() fails, the new \u0027entry\u0027 remains allocated and\nis never freed, leaking memory.\n\nFree \u0027entry\u0027 on the failure path; on success continue freeing the\nreplaced neighbor blocks (\u0027lower\u0027, \u0027upper\u0027)."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:01:05.479Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d61171cf097156030142643942c217759a9cc806"
},
{
"url": "https://git.kernel.org/stable/c/811b45e2d795d955bb7fd9c816b40036f4fde350"
},
{
"url": "https://git.kernel.org/stable/c/f08f2d2907675926ac5657b25f86d921f269602a"
},
{
"url": "https://git.kernel.org/stable/c/f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8"
}
],
"title": "regmap: maple: free entry on mas_store_gfp() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23260",
"datePublished": "2026-03-18T17:41:06.738Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-19T16:01:05.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71270 (GCVE-0-2025-71270)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:40 – Updated: 2026-03-19 16:01
Title
LoongArch: Enable exception fixup for specific ADE subcode
Summary
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Enable exception fixup for specific ADE subcode
This patch allows the LoongArch BPF JIT to handle recoverable memory
access errors generated by BPF_PROBE_MEM* instructions.
When a BPF program performs memory access operations, the instructions
it executes may trigger ADEM exceptions. The kernel’s built-in BPF
exception table mechanism (EX_TYPE_BPF) will generate corresponding
exception fixup entries in the JIT compilation phase; however, the
architecture-specific trap handling function needs to proactively call
the common fixup routine to achieve exception recovery.
do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs,
ensure safe execution.
Relevant test cases: illegal address access tests in module_attach and
subprogs_extable of selftests/bpf.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c , < 73ede654d9daa2ee41bdd17bc62946fc5a0258cb (git) |
| Linux | Linux | Affected: dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c , < c49a28068363f3dca439aa5fe4d3b1f8159809fe (git) |
| Linux | Linux | Affected: dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c , < c2ed4f71e9288f21d5c53ff790270758e60fa5f9 (git) |
| Linux | Linux | Affected: dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c , < 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kernel/traps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73ede654d9daa2ee41bdd17bc62946fc5a0258cb",
"status": "affected",
"version": "dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c",
"versionType": "git"
},
{
"lessThan": "c49a28068363f3dca439aa5fe4d3b1f8159809fe",
"status": "affected",
"version": "dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c",
"versionType": "git"
},
{
"lessThan": "c2ed4f71e9288f21d5c53ff790270758e60fa5f9",
"status": "affected",
"version": "dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c",
"versionType": "git"
},
{
"lessThan": "9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0",
"status": "affected",
"version": "dbcd7f5fafea64dbe588c4ec18bc309fde5d1e1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/loongarch/kernel/traps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Enable exception fixup for specific ADE subcode\n\nThis patch allows the LoongArch BPF JIT to handle recoverable memory\naccess errors generated by BPF_PROBE_MEM* instructions.\n\nWhen a BPF program performs memory access operations, the instructions\nit executes may trigger ADEM exceptions. The kernel\u2019s built-in BPF\nexception table mechanism (EX_TYPE_BPF) will generate corresponding\nexception fixup entries in the JIT compilation phase; however, the\narchitecture-specific trap handling function needs to proactively call\nthe common fixup routine to achieve exception recovery.\n\ndo_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs,\nensure safe execution.\n\nRelevant test cases: illegal address access tests in module_attach and\nsubprogs_extable of selftests/bpf."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:01:01.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73ede654d9daa2ee41bdd17bc62946fc5a0258cb"
},
{
"url": "https://git.kernel.org/stable/c/c49a28068363f3dca439aa5fe4d3b1f8159809fe"
},
{
"url": "https://git.kernel.org/stable/c/c2ed4f71e9288f21d5c53ff790270758e60fa5f9"
},
{
"url": "https://git.kernel.org/stable/c/9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0"
}
],
"title": "LoongArch: Enable exception fixup for specific ADE subcode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71270",
"datePublished": "2026-03-18T17:40:59.838Z",
"dateReserved": "2026-03-17T09:08:18.458Z",
"dateUpdated": "2026-03-19T16:01:01.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23259 (GCVE-0-2026-23259)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-19 16:01
Title
io_uring/rw: free potentially allocated iovec on cache put failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rw: free potentially allocated iovec on cache put failure
If a read/write request goes through io_req_rw_cleanup() and has an
allocated iovec attached and fails to put to the rw_cache, then it may
end up with an unaccounted iovec pointer. Have io_rw_recycle() return
whether it recycled the request or not, and use that to gauge whether to
free a potential iovec or not.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d5f2329ab4df65c2ee011b986d8a6e05ad0f67c",
"status": "affected",
"version": "a9165b83c1937eeed1f0c731468216d6371d647f",
"versionType": "git"
},
{
"lessThan": "4b9748055457ac3a0710bf210c229d01ea1b01b9",
"status": "affected",
"version": "a9165b83c1937eeed1f0c731468216d6371d647f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: free potentially allocated iovec on cache put failure\n\nIf a read/write request goes through io_req_rw_cleanup() and has an\nallocated iovec attached and fails to put to the rw_cache, then it may\nend up with an unaccounted iovec pointer. Have io_rw_recycle() return\nwhether it recycled the request or not, and use that to gauge whether to\nfree a potential iovec or not."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:01:03.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d5f2329ab4df65c2ee011b986d8a6e05ad0f67c"
},
{
"url": "https://git.kernel.org/stable/c/4b9748055457ac3a0710bf210c229d01ea1b01b9"
}
],
"title": "io_uring/rw: free potentially allocated iovec on cache put failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23259",
"datePublished": "2026-03-18T17:41:05.827Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-19T16:01:03.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23269 (GCVE-0-2026-23269)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:54 – Updated: 2026-03-25 10:20
Title
apparmor: validate DFA start states are in bounds in unpack_pdb
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 , < 07cf6320f40ea2ccfad63728cff34ecb309d03da (git) |
| Linux | Linux | Affected: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 , < 15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c (git) |
| Linux | Linux | Affected: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 , < 0baadb0eece2c4d939db10d3c323b4652ac79a58 (git) |
| Linux | Linux | Affected: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 , < 3bb7db43e32190c973d4019037cedb7895920184 (git) |
| Linux | Linux | Affected: ad5ff3db53c68c2f12936bc74ea5dfe0af943592 , < 9063d7e2615f4a7ab321de6b520e23d370e58816 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07cf6320f40ea2ccfad63728cff34ecb309d03da",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "3bb7db43e32190c973d4019037cedb7895920184",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
},
{
"lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816",
"status": "affected",
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa-\u003etables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:41.694Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07cf6320f40ea2ccfad63728cff34ecb309d03da"
},
{
"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"
},
{
"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"
},
{
"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"
},
{
"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"
},
{
"url": "https://www.qualys.com/2026/03/10/crack-armor.txt"
}
],
"title": "apparmor: validate DFA start states are in bounds in unpack_pdb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23269",
"datePublished": "2026-03-18T17:54:42.988Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-25T10:20:41.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23261 (GCVE-0-2026-23261)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-19 16:01
Title
nvme-fc: release admin tagset if init fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: release admin tagset if init fails
nvme_fabrics creates an NVMe/FC controller in the following path:
  nvmf_dev_write()
    -> nvmf_create_ctrl()
      -> nvme_fc_create_ctrl()
        -> nvme_fc_init_ctrl()
nvme_fc_init_ctrl() allocates the admin blk-mq resources right after
nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing
the controller state, scheduling connect work, etc.), we jump to the
fail_ctrl path, which tears down the controller references but never
frees the admin queue/tag set. The leaked blk-mq allocations match the
kmemleak report seen during blktests nvme/fc.
Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call
nvme_remove_admin_tag_set() when it is set so that all admin queue
allocations are reclaimed whenever controller setup aborts.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5fe335a80548e2eda5d51fab801108b323600e95, < 7c54d3f5ebbc5982daaa004260242dc07ac943ea (git) |
| Linux | Linux | Affected: 17c3a66d7ea2d303f783796d62f99e2e23b68c90, < fa301aef50e3f3b5be6ee53457608beae5aa7a01 (git) |
| Linux | Linux | Affected: ea3442efabd0aa3930c5bab73c3901ef38ef6ac3, < e810b290922c535feb34bc90ab549446fe94d2a3 (git) |
| Linux | Linux | Affected: ea3442efabd0aa3930c5bab73c3901ef38ef6ac3, < d1877cc7270302081a315a81a0ee8331f19f95c8 (git) |
| Linux | Linux | Affected: 0d1840b2dd8fe073c020c39bf8e8e89488070801 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c54d3f5ebbc5982daaa004260242dc07ac943ea",
"status": "affected",
"version": "5fe335a80548e2eda5d51fab801108b323600e95",
"versionType": "git"
},
{
"lessThan": "fa301aef50e3f3b5be6ee53457608beae5aa7a01",
"status": "affected",
"version": "17c3a66d7ea2d303f783796d62f99e2e23b68c90",
"versionType": "git"
},
{
"lessThan": "e810b290922c535feb34bc90ab549446fe94d2a3",
"status": "affected",
"version": "ea3442efabd0aa3930c5bab73c3901ef38ef6ac3",
"versionType": "git"
},
{
"lessThan": "d1877cc7270302081a315a81a0ee8331f19f95c8",
"status": "affected",
"version": "ea3442efabd0aa3930c5bab73c3901ef38ef6ac3",
"versionType": "git"
},
{
"status": "affected",
"version": "0d1840b2dd8fe073c020c39bf8e8e89488070801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: release admin tagset if init fails\n\nnvme_fabrics creates an NVMe/FC controller in following path:\n\n nvmf_dev_write()\n -\u003e nvmf_create_ctrl()\n -\u003e nvme_fc_create_ctrl()\n -\u003e nvme_fc_init_ctrl()\n\nnvme_fc_init_ctrl() allocates the admin blk-mq resources right after\nnvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing\nthe controller state, scheduling connect work, etc.), we jump to the\nfail_ctrl path, which tears down the controller references but never\nfrees the admin queue/tag set. The leaked blk-mq allocations match the\nkmemleak report seen during blktests nvme/fc.\n\nCheck ctrl-\u003ectrl.admin_tagset in the fail_ctrl path and call\nnvme_remove_admin_tag_set() when it is set so that all admin queue\nallocations are reclaimed whenever controller setup aborts."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:01:07.303Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c54d3f5ebbc5982daaa004260242dc07ac943ea"
},
{
"url": "https://git.kernel.org/stable/c/fa301aef50e3f3b5be6ee53457608beae5aa7a01"
},
{
"url": "https://git.kernel.org/stable/c/e810b290922c535feb34bc90ab549446fe94d2a3"
},
{
"url": "https://git.kernel.org/stable/c/d1877cc7270302081a315a81a0ee8331f19f95c8"
}
],
"title": "nvme-fc: release admin tagset if init fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23261",
"datePublished": "2026-03-18T17:41:07.478Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-19T16:01:07.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23265 (GCVE-0-2026-23265)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:44 – Updated: 2026-03-19 16:01
Title
f2fs: fix to do sanity check on node footer in {read,write}_end_io
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on node footer in {read,write}_end_io
-----------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:358!
Call Trace:
<IRQ>
blk_update_request+0x5eb/0xe70 block/blk-mq.c:987
blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149
blk_complete_reqs block/blk-mq.c:1224 [inline]
blk_done_softirq+0x107/0x160 block/blk-mq.c:1229
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
In f2fs_write_end_io(), it detects there is inconsistency in between
node page index (nid) and footer.nid of node page.
If footer of node page is corrupted in fuzzed image, then we load corrupted
node page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(),
in where we won't do sanity check on node footer, once node page becomes
dirty, we will encounter this bug after node page writeback.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e05df3b115e7308afbca652769b54e4549fcc723, < 855c54f1803e3ebc613677b4f389c7f92656a1fc (git) |
| Linux | Linux | Affected: e05df3b115e7308afbca652769b54e4549fcc723, < c386753db52b3a80afa6612bfdcb925aa5ca260f (git) |
| Linux | Linux | Affected: e05df3b115e7308afbca652769b54e4549fcc723, < 50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/node.c",
"fs/f2fs/node.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "855c54f1803e3ebc613677b4f389c7f92656a1fc",
"status": "affected",
"version": "e05df3b115e7308afbca652769b54e4549fcc723",
"versionType": "git"
},
{
"lessThan": "c386753db52b3a80afa6612bfdcb925aa5ca260f",
"status": "affected",
"version": "e05df3b115e7308afbca652769b54e4549fcc723",
"versionType": "git"
},
{
"lessThan": "50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4",
"status": "affected",
"version": "e05df3b115e7308afbca652769b54e4549fcc723",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/node.c",
"fs/f2fs/node.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node footer in {read,write}_end_io\n\n-----------[ cut here ]------------\nkernel BUG at fs/f2fs/data.c:358!\nCall Trace:\n \u003cIRQ\u003e\n blk_update_request+0x5eb/0xe70 block/blk-mq.c:987\n blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149\n blk_complete_reqs block/blk-mq.c:1224 [inline]\n blk_done_softirq+0x107/0x160 block/blk-mq.c:1229\n handle_softirqs+0x283/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050\n \u003c/IRQ\u003e\n\nIn f2fs_write_end_io(), it detects there is inconsistency in between\nnode page index (nid) and footer.nid of node page.\n\nIf footer of node page is corrupted in fuzzed image, then we load corrupted\nnode page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(),\nin where we won\u0027t do sanity check on node footer, once node page becomes\ndirty, we will encounter this bug after node page writeback."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:01:08.887Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/855c54f1803e3ebc613677b4f389c7f92656a1fc"
},
{
"url": "https://git.kernel.org/stable/c/c386753db52b3a80afa6612bfdcb925aa5ca260f"
},
{
"url": "https://git.kernel.org/stable/c/50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4"
}
],
"title": "f2fs: fix to do sanity check on node footer in {read,write}_end_io",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23265",
"datePublished": "2026-03-18T17:44:48.031Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-19T16:01:08.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71269 (GCVE-0-2025-71269)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:40 – Updated: 2026-03-19 16:00
Title
btrfs: do not free data reservation in fallback from inline due to -ENOSPC
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not free data reservation in fallback from inline due to -ENOSPC
If we fail to create an inline extent due to -ENOSPC, we will attempt to
go through the normal COW path, reserve an extent, create an ordered
extent, etc. However we were always freeing the reserved qgroup data,
which is wrong since we will use data. Fix this by freeing the reserved
qgroup data in __cow_file_range_inline() only if we are not doing the
fallback (ret is <= 0).
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6de3a371a8b9fd095198b1aa68c22cc10a4c6961",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "f8da41de0bff9eb1d774a7253da0c9f637c4470a",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not free data reservation in fallback from inline due to -ENOSPC\n\nIf we fail to create an inline extent due to -ENOSPC, we will attempt to\ngo through the normal COW path, reserve an extent, create an ordered\nextent, etc. However we were always freeing the reserved qgroup data,\nwhich is wrong since we will use data. Fix this by freeing the reserved\nqgroup data in __cow_file_range_inline() only if we are not doing the\nfallback (ret is \u003c= 0)."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:00:59.321Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6de3a371a8b9fd095198b1aa68c22cc10a4c6961"
},
{
"url": "https://git.kernel.org/stable/c/f8da41de0bff9eb1d774a7253da0c9f637c4470a"
}
],
"title": "btrfs: do not free data reservation in fallback from inline due to -ENOSPC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71269",
"datePublished": "2026-03-18T17:40:58.949Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-03-19T16:00:59.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71268 (GCVE-0-2025-71268)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:40 – Updated: 2026-03-19 16:00
Title
btrfs: fix reservation leak in some error paths when inserting inline extent
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix reservation leak in some error paths when inserting inline extent
If we fail to allocate a path or join a transaction, we return from
__cow_file_range_inline() without freeing the reserved qgroup data,
resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()
in such cases.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 94ed938aba557aa798acf496f09afb289b619fcd, < f7156512c8166d385f574b9ec030479aa7b1e8c9 (git) |
| Linux | Linux | Affected: 94ed938aba557aa798acf496f09afb289b619fcd, < 28b97fcbbf523779688e8de5fe55bf2dae3859f6 (git) |
| Linux | Linux | Affected: 94ed938aba557aa798acf496f09afb289b619fcd, < f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913 (git) |
| Linux | Linux | Affected: 94ed938aba557aa798acf496f09afb289b619fcd, < 28768bd3abf9995a93f6e01bfce01c60622964dd (git) |
| Linux | Linux | Affected: 94ed938aba557aa798acf496f09afb289b619fcd, < c1c050f92d8f6aac4e17f7f2230160794fceef0c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7156512c8166d385f574b9ec030479aa7b1e8c9",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "28b97fcbbf523779688e8de5fe55bf2dae3859f6",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "28768bd3abf9995a93f6e01bfce01c60622964dd",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
},
{
"lessThan": "c1c050f92d8f6aac4e17f7f2230160794fceef0c",
"status": "affected",
"version": "94ed938aba557aa798acf496f09afb289b619fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix reservation leak in some error paths when inserting inline extent\n\nIf we fail to allocate a path or join a transaction, we return from\n__cow_file_range_inline() without freeing the reserved qgroup data,\nresulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()\nin such cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:00:57.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7156512c8166d385f574b9ec030479aa7b1e8c9"
},
{
"url": "https://git.kernel.org/stable/c/28b97fcbbf523779688e8de5fe55bf2dae3859f6"
},
{
"url": "https://git.kernel.org/stable/c/f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913"
},
{
"url": "https://git.kernel.org/stable/c/28768bd3abf9995a93f6e01bfce01c60622964dd"
},
{
"url": "https://git.kernel.org/stable/c/c1c050f92d8f6aac4e17f7f2230160794fceef0c"
}
],
"title": "btrfs: fix reservation leak in some error paths when inserting inline extent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71268",
"datePublished": "2026-03-18T17:40:58.080Z",
"dateReserved": "2026-03-17T09:08:18.457Z",
"dateUpdated": "2026-03-19T16:00:57.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23263 (GCVE-0-2026-23263)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
io_uring/zcrx: fix page array leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix page array leak
d9f595b9a65e ("io_uring/zcrx: fix leaking pages on sg init fail") fixed
a page leakage but didn't free the page array, release it as well.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/zcrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64cf3016234ce8a6e4195ed1b2d9e2a1ae41b57d",
"status": "affected",
"version": "b84621d96ee0221e0bfbf9f477bbec7a5077c464",
"versionType": "git"
},
{
"lessThan": "0ae91d8ab70922fb74c22c20bedcb69459579b1c",
"status": "affected",
"version": "b84621d96ee0221e0bfbf9f477bbec7a5077c464",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/zcrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix page array leak\n\nd9f595b9a65e (\"io_uring/zcrx: fix leaking pages on sg init fail\") fixed\na page leakage but didn\u0027t free the page array, release it as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:09.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64cf3016234ce8a6e4195ed1b2d9e2a1ae41b57d"
},
{
"url": "https://git.kernel.org/stable/c/0ae91d8ab70922fb74c22c20bedcb69459579b1c"
}
],
"title": "io_uring/zcrx: fix page array leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23263",
"datePublished": "2026-03-18T17:41:09.330Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:09.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23251 (GCVE-0-2026-23251)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-03-18 17:01
Title
xfs: only call xf{array,blob}_destroy if we have a valid pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: only call xf{array,blob}_destroy if we have a valid pointer
Only call the xfarray and xfblob destructor if we have a valid pointer,
and be sure to null out that pointer afterwards. Note that this patch
fixes a large number of commits, most of which were merged between 6.9
and 6.10.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < 5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202 (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < c9ccefacae0d8091683447bc338bd7741417039d (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < d827612c81a26cc1dd83a211cfcb5ad8765da0c4 (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < ba408d299a3bb3c5309f40c5326e4fb83ead4247 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/agheader_repair.c",
"fs/xfs/scrub/attr_repair.c",
"fs/xfs/scrub/dir_repair.c",
"fs/xfs/scrub/dirtree.c",
"fs/xfs/scrub/nlinks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "c9ccefacae0d8091683447bc338bd7741417039d",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "d827612c81a26cc1dd83a211cfcb5ad8765da0c4",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "ba408d299a3bb3c5309f40c5326e4fb83ead4247",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/agheader_repair.c",
"fs/xfs/scrub/attr_repair.c",
"fs/xfs/scrub/dir_repair.c",
"fs/xfs/scrub/dirtree.c",
"fs/xfs/scrub/nlinks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: only call xf{array,blob}_destroy if we have a valid pointer\n\nOnly call the xfarray and xfblob destructor if we have a valid pointer,\nand be sure to null out that pointer afterwards. Note that this patch\nfixes a large number of commits, most of which were merged between 6.9\nand 6.10."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:01:42.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202"
},
{
"url": "https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d"
},
{
"url": "https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4"
},
{
"url": "https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247"
}
],
"title": "xfs: only call xf{array,blob}_destroy if we have a valid pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23251",
"datePublished": "2026-03-18T17:01:42.483Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:01:42.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23253 (GCVE-0-2026-23253)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-03-25 10:20
Title
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.
Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.
The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.
Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < f1e520ca2e83ece6731af6167c9e5e16931ecba0 (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < af050ab44fa1b1897a940d7d756e512232f5e5df (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < d71781bad59b1c9d60d7068004581f9bf19c0c9d (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < cfd94642025e6f71c8f754bdec0800ee95e4f3dd (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < 32eb8e4adc207ef31bc6e5ae56bab940b0176066 (git) |
| Linux | Linux | Affected: 34731df288a5ffe4b0c396caf8cd24c6a710a222, < bfbc0b5b32a8f28ce284add619bf226716a59bc0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dmxdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1e520ca2e83ece6731af6167c9e5e16931ecba0",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "af050ab44fa1b1897a940d7d756e512232f5e5df",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "d71781bad59b1c9d60d7068004581f9bf19c0c9d",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "cfd94642025e6f71c8f754bdec0800ee95e4f3dd",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "32eb8e4adc207ef31bc6e5ae56bab940b0176066",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
},
{
"lessThan": "bfbc0b5b32a8f28ce284add619bf226716a59bc0",
"status": "affected",
"version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dmxdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc2",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\n\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\n\nSince dmxdev-\u003edvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\n\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init(). The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\n\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:38.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0"
},
{
"url": "https://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df"
},
{
"url": "https://git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9d"
},
{
"url": "https://git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3dd"
},
{
"url": "https://git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066"
},
{
"url": "https://git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0"
}
],
"title": "media: dvb-core: fix wrong reinitialization of ringbuffer on reopen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23253",
"datePublished": "2026-03-18T17:01:44.126Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-25T10:20:38.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23258 (GCVE-0-2026-23258)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
net: liquidio: Initialize netdev pointer before queue setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Initialize netdev pointer before queue setup
In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().
However, the pointer to this structure is stored in oct->props[i].netdev
only after the calls to netif_set_real_num_rx_queues() and
netif_set_real_num_tx_queues().
If either of these functions fails, setup_nic_devices() returns an error
without freeing the allocated netdev. Since oct->props[i].netdev is still
NULL at this point, the cleanup function liquidio_destroy_nic_device()
will fail to find and free the netdev, resulting in a memory leak.
Fix this by initializing oct->props[i].netdev before calling the queue
setup functions. This ensures that the netdev is properly accessible for
cleanup in case of errors.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < be109646cdaecab262f6276303b1763468c94378 (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < c81a8515fb8c8fb5d0dbc21f48337494bf1d60df (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4 (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < c0ed6c77ec34050971fd0df2a94dfdea66d09331 (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < 1d4590fde856cb94bd9a46e795c29d8288c238fc (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < d028147ae06407cb355245db1774793600670169 (git) |
| Linux | Linux | Affected: c33c997346c34ea7b89aec99524ad9632a2f1e0c, < 926ede0c85e1e57c97d64d9612455267d597bb2c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be109646cdaecab262f6276303b1763468c94378",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "c81a8515fb8c8fb5d0dbc21f48337494bf1d60df",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "c0ed6c77ec34050971fd0df2a94dfdea66d09331",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "1d4590fde856cb94bd9a46e795c29d8288c238fc",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "d028147ae06407cb355245db1774793600670169",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
},
{
"lessThan": "926ede0c85e1e57c97d64d9612455267d597bb2c",
"status": "affected",
"version": "c33c997346c34ea7b89aec99524ad9632a2f1e0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Initialize netdev pointer before queue setup\n\nIn setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().\nHowever, the pointer to this structure is stored in oct-\u003eprops[i].netdev\nonly after the calls to netif_set_real_num_rx_queues() and\nnetif_set_real_num_tx_queues().\n\nIf either of these functions fails, setup_nic_devices() returns an error\nwithout freeing the allocated netdev. Since oct-\u003eprops[i].netdev is still\nNULL at this point, the cleanup function liquidio_destroy_nic_device()\nwill fail to find and free the netdev, resulting in a memory leak.\n\nFix this by initializing oct-\u003eprops[i].netdev before calling the queue\nsetup functions. This ensures that the netdev is properly accessible for\ncleanup in case of errors.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:05.080Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be109646cdaecab262f6276303b1763468c94378"
},
{
"url": "https://git.kernel.org/stable/c/c81a8515fb8c8fb5d0dbc21f48337494bf1d60df"
},
{
"url": "https://git.kernel.org/stable/c/a0e57c0b68c9e6f9a8fd7c1167861a5a730eb2f4"
},
{
"url": "https://git.kernel.org/stable/c/c0ed6c77ec34050971fd0df2a94dfdea66d09331"
},
{
"url": "https://git.kernel.org/stable/c/1d4590fde856cb94bd9a46e795c29d8288c238fc"
},
{
"url": "https://git.kernel.org/stable/c/d028147ae06407cb355245db1774793600670169"
},
{
"url": "https://git.kernel.org/stable/c/926ede0c85e1e57c97d64d9612455267d597bb2c"
}
],
"title": "net: liquidio: Initialize netdev pointer before queue setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23258",
"datePublished": "2026-03-18T17:41:05.080Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:05.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23252 (GCVE-0-2026-23252)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-03-25 10:20
Title
xfs: get rid of the xchk_xfile_*_descr calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: get rid of the xchk_xfile_*_descr calls
The xchk_xfile_*_descr macros call kasprintf, which can fail to allocate
memory if the formatted string is larger than 16 bytes (or whatever the
nofail guarantees are nowadays). Some of them could easily exceed that,
and Jiaming Zhang found a few places where that can happen with syzbot.
The descriptions are debugging aids and aren't required to be unique, so
let's just pass in static strings and eliminate this path to failure.
Note this patch touches a number of commits, most of which were merged
between 6.6 and 6.14.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < 695455fbc49053cbf555f2f302a5dcd600f412ff (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < 18e9cf2259b4157fd282b323514375f2f6a59edb (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < 2d8afee89262762fe0e5547772708c75f320c957 (git) |
| Linux | Linux | Affected: ab97f4b1c030750f2475bf4da8a9554d02206640, < 60382993a2e18041f88c7969f567f168cd3b4de3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/agheader_repair.c",
"fs/xfs/scrub/alloc_repair.c",
"fs/xfs/scrub/attr_repair.c",
"fs/xfs/scrub/bmap_repair.c",
"fs/xfs/scrub/common.h",
"fs/xfs/scrub/dir.c",
"fs/xfs/scrub/dir_repair.c",
"fs/xfs/scrub/dirtree.c",
"fs/xfs/scrub/ialloc_repair.c",
"fs/xfs/scrub/nlinks.c",
"fs/xfs/scrub/parent.c",
"fs/xfs/scrub/parent_repair.c",
"fs/xfs/scrub/quotacheck.c",
"fs/xfs/scrub/refcount_repair.c",
"fs/xfs/scrub/rmap_repair.c",
"fs/xfs/scrub/rtbitmap_repair.c",
"fs/xfs/scrub/rtrefcount_repair.c",
"fs/xfs/scrub/rtrmap_repair.c",
"fs/xfs/scrub/rtsummary.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "695455fbc49053cbf555f2f302a5dcd600f412ff",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "18e9cf2259b4157fd282b323514375f2f6a59edb",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "2d8afee89262762fe0e5547772708c75f320c957",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
},
{
"lessThan": "60382993a2e18041f88c7969f567f168cd3b4de3",
"status": "affected",
"version": "ab97f4b1c030750f2475bf4da8a9554d02206640",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/agheader_repair.c",
"fs/xfs/scrub/alloc_repair.c",
"fs/xfs/scrub/attr_repair.c",
"fs/xfs/scrub/bmap_repair.c",
"fs/xfs/scrub/common.h",
"fs/xfs/scrub/dir.c",
"fs/xfs/scrub/dir_repair.c",
"fs/xfs/scrub/dirtree.c",
"fs/xfs/scrub/ialloc_repair.c",
"fs/xfs/scrub/nlinks.c",
"fs/xfs/scrub/parent.c",
"fs/xfs/scrub/parent_repair.c",
"fs/xfs/scrub/quotacheck.c",
"fs/xfs/scrub/refcount_repair.c",
"fs/xfs/scrub/rmap_repair.c",
"fs/xfs/scrub/rtbitmap_repair.c",
"fs/xfs/scrub/rtrefcount_repair.c",
"fs/xfs/scrub/rtrmap_repair.c",
"fs/xfs/scrub/rtsummary.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: get rid of the xchk_xfile_*_descr calls\n\nThe xchk_xfile_*_descr macros call kasprintf, which can fail to allocate\nmemory if the formatted string is larger than 16 bytes (or whatever the\nnofail guarantees are nowadays). Some of them could easily exceed that,\nand Jiaming Zhang found a few places where that can happen with syzbot.\n\nThe descriptions are debugging aids and aren\u0027t required to be unique, so\nlet\u0027s just pass in static strings and eliminate this path to failure.\nNote this patch touches a number of commits, most of which were merged\nbetween 6.6 and 6.14."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:20:37.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/695455fbc49053cbf555f2f302a5dcd600f412ff"
},
{
"url": "https://git.kernel.org/stable/c/18e9cf2259b4157fd282b323514375f2f6a59edb"
},
{
"url": "https://git.kernel.org/stable/c/2d8afee89262762fe0e5547772708c75f320c957"
},
{
"url": "https://git.kernel.org/stable/c/60382993a2e18041f88c7969f567f168cd3b4de3"
}
],
"title": "xfs: get rid of the xchk_xfile_*_descr calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23252",
"datePublished": "2026-03-18T17:01:43.223Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-25T10:20:37.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23250 (GCVE-0-2026-23250)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-03-18 17:01
Title
xfs: check return value of xchk_scrub_create_subord
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: check return value of xchk_scrub_create_subord
Fix this function to return NULL instead of a mangled ENOMEM, then fix
the callers to actually check for a null pointer and return ENOMEM.
Most of the corrections here are for code merged between 6.2 and 6.10.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1a5f6e08d4e379a23da5be974aee50b26a20c5b0, < d6f3f7d4dd8a179394cef03c00993d57f5f68601 (git) |
| Linux | Linux | Affected: 1a5f6e08d4e379a23da5be974aee50b26a20c5b0, < 2b658d1249666cc55af9484dcf5f45ca438d4ecc (git) |
| Linux | Linux | Affected: 1a5f6e08d4e379a23da5be974aee50b26a20c5b0, < b2df809edd8cb7d1c3e19d9f6aabc2bd55d2bfb6 (git) |
| Linux | Linux | Affected: 1a5f6e08d4e379a23da5be974aee50b26a20c5b0, < ca27313fb3f23e4ac18532ede4ec1c7cc5814c4a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/common.c",
"fs/xfs/scrub/repair.c",
"fs/xfs/scrub/scrub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6f3f7d4dd8a179394cef03c00993d57f5f68601",
"status": "affected",
"version": "1a5f6e08d4e379a23da5be974aee50b26a20c5b0",
"versionType": "git"
},
{
"lessThan": "2b658d1249666cc55af9484dcf5f45ca438d4ecc",
"status": "affected",
"version": "1a5f6e08d4e379a23da5be974aee50b26a20c5b0",
"versionType": "git"
},
{
"lessThan": "b2df809edd8cb7d1c3e19d9f6aabc2bd55d2bfb6",
"status": "affected",
"version": "1a5f6e08d4e379a23da5be974aee50b26a20c5b0",
"versionType": "git"
},
{
"lessThan": "ca27313fb3f23e4ac18532ede4ec1c7cc5814c4a",
"status": "affected",
"version": "1a5f6e08d4e379a23da5be974aee50b26a20c5b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/common.c",
"fs/xfs/scrub/repair.c",
"fs/xfs/scrub/scrub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check return value of xchk_scrub_create_subord\n\nFix this function to return NULL instead of a mangled ENOMEM, then fix\nthe callers to actually check for a null pointer and return ENOMEM.\nMost of the corrections here are for code merged between 6.2 and 6.10."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:01:41.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6f3f7d4dd8a179394cef03c00993d57f5f68601"
},
{
"url": "https://git.kernel.org/stable/c/2b658d1249666cc55af9484dcf5f45ca438d4ecc"
},
{
"url": "https://git.kernel.org/stable/c/b2df809edd8cb7d1c3e19d9f6aabc2bd55d2bfb6"
},
{
"url": "https://git.kernel.org/stable/c/ca27313fb3f23e4ac18532ede4ec1c7cc5814c4a"
}
],
"title": "xfs: check return value of xchk_scrub_create_subord",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23250",
"datePublished": "2026-03-18T17:01:41.563Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:01:41.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23254 (GCVE-0-2026-23254)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
net: gro: fix outer network offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: fix outer network offset
The udp GRO complete stage assumes that all the packets inserted the RX
have the `encapsulation` flag zeroed. Such assumption is not true, as a
few H/W NICs can set such flag when H/W offloading the checksum for
an UDP encapsulated traffic, the tun driver can inject GSO packets with
UDP encapsulation and the problematic layout can also be created via
a veth based setup.
Due to the above, in the problematic scenarios, udp4_gro_complete() uses
the wrong network offset (inner instead of outer) to compute the outer
UDP header pseudo checksum, leading to csum validation errors later on
in packet processing.
Address the issue always clearing the encapsulation flag at GRO completion
time. Such flag will be set again as needed for encapsulated packets by
udp_gro_complete().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: af276a5ac8e938c8b058e3e124073cc1e322d98b, < 9d40a85138568696387ef04cd004c64612a70874 (git) |
| Linux | Linux | Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845, < b83557bc6f560433fe5d727e241069f8db5ba709 (git) |
| Linux | Linux | Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845, < 2e5edb69e5d0e23ef248c56fc977039268c77a7b (git) |
| Linux | Linux | Affected: 5ef31ea5d053a8f493a772ebad3f3ce82c35d845, < 5c2c3c38be396257a6a2e55bd601a12bb9781507 (git) |
| Linux | Linux | Affected: dbd9466d323a72e22efe09151253d195d36d3bf6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d40a85138568696387ef04cd004c64612a70874",
"status": "affected",
"version": "af276a5ac8e938c8b058e3e124073cc1e322d98b",
"versionType": "git"
},
{
"lessThan": "b83557bc6f560433fe5d727e241069f8db5ba709",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"lessThan": "2e5edb69e5d0e23ef248c56fc977039268c77a7b",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"lessThan": "5c2c3c38be396257a6a2e55bd601a12bb9781507",
"status": "affected",
"version": "5ef31ea5d053a8f493a772ebad3f3ce82c35d845",
"versionType": "git"
},
{
"status": "affected",
"version": "dbd9466d323a72e22efe09151253d195d36d3bf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: fix outer network offset\n\nThe udp GRO complete stage assumes that all the packets inserted the RX\nhave the `encapsulation` flag zeroed. Such assumption is not true, as a\nfew H/W NICs can set such flag when H/W offloading the checksum for\nan UDP encapsulated traffic, the tun driver can inject GSO packets with\nUDP encapsulation and the problematic layout can also be created via\na veth based setup.\n\nDue to the above, in the problematic scenarios, udp4_gro_complete() uses\nthe wrong network offset (inner instead of outer) to compute the outer\nUDP header pseudo checksum, leading to csum validation errors later on\nin packet processing.\n\nAddress the issue always clearing the encapsulation flag at GRO completion\ntime. Such flag will be set again as needed for encapsulated packets by\nudp_gro_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:00.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d40a85138568696387ef04cd004c64612a70874"
},
{
"url": "https://git.kernel.org/stable/c/b83557bc6f560433fe5d727e241069f8db5ba709"
},
{
"url": "https://git.kernel.org/stable/c/2e5edb69e5d0e23ef248c56fc977039268c77a7b"
},
{
"url": "https://git.kernel.org/stable/c/5c2c3c38be396257a6a2e55bd601a12bb9781507"
}
],
"title": "net: gro: fix outer network offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23254",
"datePublished": "2026-03-18T17:41:00.591Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:00.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23249 (GCVE-0-2026-23249)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:01 – Updated: 2026-03-18 17:01
Title
xfs: check for deleted cursors when revalidating two btrees
Summary
In the Linux kernel, the following vulnerability has been resolved:

xfs: check for deleted cursors when revalidating two btrees

The free space and inode btree repair functions will rebuild both btrees
at the same time, after which it needs to evaluate both btrees to
confirm that the corruptions are gone.

However, Jiaming Zhang ran syzbot and produced a crash in the second
xchk_allocbt call. His root-cause analysis is as follows (with minor
corrections):

  In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first
  for BNOBT, second for CNTBT). The cause of this issue is that the
  first call nullified the cursor required by the second call.

  Let's first enter xrep_revalidate_allocbt() via following call chain:

    xfs_file_ioctl() ->
    xfs_ioc_scrubv_metadata() ->
    xfs_scrub_metadata() ->
    `sc->ops->repair_eval(sc)` ->
    xrep_revalidate_allocbt()

  xchk_allocbt() is called twice in this function. In the first call:

    /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */
    xchk_allocbt() ->
    xchk_btree() ->
    `bs->scrub_rec(bs, recp)` ->
    xchk_allocbt_rec() ->
    xchk_allocbt_xref() ->
    xchk_allocbt_xref_other()

  since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.
  Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call
  chain:

    xfs_alloc_get_rec() ->
    xfs_btree_get_rec() ->
    xfs_btree_check_block() ->
    (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter
    is true, return -EFSCORRUPTED. This should be caused by
    ioctl$XFS_IOC_ERROR_INJECTION I guess.

  Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from
  xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this
  function, *curpp (points to sc->sa.cnt_cur) is nullified.

  Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been
  nullified, it then triggered null-ptr-deref via xchk_allocbt() (second
  call) -> xchk_btree().

So. The bnobt revalidation failed on a cross-reference attempt, so we
deleted the cntbt cursor, and then crashed when we tried to revalidate
the cntbt. Therefore, check for a null cntbt cursor before that
revalidation, and mark the repair incomplete. Also we can ignore the
second tree entirely if the first tree was rebuilt but is already
corrupt.

Apply the same fix to xrep_revalidate_iallocbt because it has the same
problem.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dbfbf3bdf639a20da7d5fb390cd2e197d25aa418, < d69de525bc7ab27713342080bf50826df3f6a68f (git) |
| Linux | Linux | Affected: dbfbf3bdf639a20da7d5fb390cd2e197d25aa418, < b04baa848c0543b240b1bd8aecff470382f6f154 (git) |
| Linux | Linux | Affected: dbfbf3bdf639a20da7d5fb390cd2e197d25aa418, < 5991e96f2ae82df60a3e4ed00f3432d9f3502a99 (git) |
| Linux | Linux | Affected: dbfbf3bdf639a20da7d5fb390cd2e197d25aa418, < 55e03b8cbe2783ec9acfb88e8adb946ed504e117 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/alloc_repair.c",
"fs/xfs/scrub/ialloc_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d69de525bc7ab27713342080bf50826df3f6a68f",
"status": "affected",
"version": "dbfbf3bdf639a20da7d5fb390cd2e197d25aa418",
"versionType": "git"
},
{
"lessThan": "b04baa848c0543b240b1bd8aecff470382f6f154",
"status": "affected",
"version": "dbfbf3bdf639a20da7d5fb390cd2e197d25aa418",
"versionType": "git"
},
{
"lessThan": "5991e96f2ae82df60a3e4ed00f3432d9f3502a99",
"status": "affected",
"version": "dbfbf3bdf639a20da7d5fb390cd2e197d25aa418",
"versionType": "git"
},
{
"lessThan": "55e03b8cbe2783ec9acfb88e8adb946ed504e117",
"status": "affected",
"version": "dbfbf3bdf639a20da7d5fb390cd2e197d25aa418",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/alloc_repair.c",
"fs/xfs/scrub/ialloc_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check for deleted cursors when revalidating two btrees\n\nThe free space and inode btree repair functions will rebuild both btrees\nat the same time, after which it needs to evaluate both btrees to\nconfirm that the corruptions are gone.\n\nHowever, Jiaming Zhang ran syzbot and produced a crash in the second\nxchk_allocbt call. His root-cause analysis is as follows (with minor\ncorrections):\n\n In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first\n for BNOBT, second for CNTBT). The cause of this issue is that the\n first call nullified the cursor required by the second call.\n\n Let\u0027s first enter xrep_revalidate_allocbt() via following call chain:\n\n xfs_file_ioctl() -\u003e\n xfs_ioc_scrubv_metadata() -\u003e\n xfs_scrub_metadata() -\u003e\n `sc-\u003eops-\u003erepair_eval(sc)` -\u003e\n xrep_revalidate_allocbt()\n\n xchk_allocbt() is called twice in this function. In the first call:\n\n /* Note that sc-\u003esm-\u003esm_type is XFS_SCRUB_TYPE_BNOPT now */\n xchk_allocbt() -\u003e\n xchk_btree() -\u003e\n `bs-\u003escrub_rec(bs, recp)` -\u003e\n xchk_allocbt_rec() -\u003e\n xchk_allocbt_xref() -\u003e\n xchk_allocbt_xref_other()\n\n since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to \u0026sc-\u003esa.cnt_cur.\n Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call\n chain:\n\n xfs_alloc_get_rec() -\u003e\n xfs_btree_get_rec() -\u003e\n xfs_btree_check_block() -\u003e\n (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter\n is true, return -EFSCORRUPTED. This should be caused by\n ioctl$XFS_IOC_ERROR_INJECTION I guess.\n\n Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from\n xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this\n function, *curpp (points to sc-\u003esa.cnt_cur) is nullified.\n\n Back to xrep_revalidate_allocbt(), since sc-\u003esa.cnt_cur has been\n nullified, it then triggered null-ptr-deref via xchk_allocbt() (second\n call) -\u003e xchk_btree().\n\nSo. The bnobt revalidation failed on a cross-reference attempt, so we\ndeleted the cntbt cursor, and then crashed when we tried to revalidate\nthe cntbt. Therefore, check for a null cntbt cursor before that\nrevalidation, and mark the repair incomplete. Also we can ignore the\nsecond tree entirely if the first tree was rebuilt but is already\ncorrupt.\n\nApply the same fix to xrep_revalidate_iallocbt because it has the same\nproblem."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:01:40.653Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d69de525bc7ab27713342080bf50826df3f6a68f"
},
{
"url": "https://git.kernel.org/stable/c/b04baa848c0543b240b1bd8aecff470382f6f154"
},
{
"url": "https://git.kernel.org/stable/c/5991e96f2ae82df60a3e4ed00f3432d9f3502a99"
},
{
"url": "https://git.kernel.org/stable/c/55e03b8cbe2783ec9acfb88e8adb946ed504e117"
}
],
"title": "xfs: check for deleted cursors when revalidating two btrees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23249",
"datePublished": "2026-03-18T17:01:40.653Z",
"dateReserved": "2026-01-13T15:37:45.989Z",
"dateUpdated": "2026-03-18T17:01:40.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23256 (GCVE-0-2026-23256)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skips the failing index i, causing a memory leak.
Fix this by changing the loop to iterate from the current index i
down to 0.
Compile tested only. Issue found using code review.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < bd680e56e316be92c01568be98d85d7a6c9bd92c (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 01fbca1e93ec3f39f76c31a8f9afa32ce00da48a (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 71a56b89203ec7e5670d94a61a9b4ae617eca804 (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 3bf519e39b51cb08a93c0599870b35a23db1031e (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 52b19b3a22306fe452ec9e8ff96063f4bfb77b99 (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd (git) |
| Linux | Linux | Affected: 846b46873eeb3baf40f7e6d8fe8f98aec95e7727, < 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd680e56e316be92c01568be98d85d7a6c9bd92c",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "01fbca1e93ec3f39f76c31a8f9afa32ce00da48a",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "71a56b89203ec7e5670d94a61a9b4ae617eca804",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "3bf519e39b51cb08a93c0599870b35a23db1031e",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "52b19b3a22306fe452ec9e8ff96063f4bfb77b99",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
},
{
"lessThan": "6cbba46934aefdfb5d171e0a95aec06c24f7ca30",
"status": "affected",
"version": "846b46873eeb3baf40f7e6d8fe8f98aec95e7727",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_vf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nCompile tested only. Issue found using code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:02.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd680e56e316be92c01568be98d85d7a6c9bd92c"
},
{
"url": "https://git.kernel.org/stable/c/01fbca1e93ec3f39f76c31a8f9afa32ce00da48a"
},
{
"url": "https://git.kernel.org/stable/c/71a56b89203ec7e5670d94a61a9b4ae617eca804"
},
{
"url": "https://git.kernel.org/stable/c/3bf519e39b51cb08a93c0599870b35a23db1031e"
},
{
"url": "https://git.kernel.org/stable/c/52b19b3a22306fe452ec9e8ff96063f4bfb77b99"
},
{
"url": "https://git.kernel.org/stable/c/4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd"
},
{
"url": "https://git.kernel.org/stable/c/6cbba46934aefdfb5d171e0a95aec06c24f7ca30"
}
],
"title": "net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23256",
"datePublished": "2026-03-18T17:41:02.964Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:02.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23262 (GCVE-0-2026-23262)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
gve: Fix stats report corruption on queue count change
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: Fix stats report corruption on queue count change
The driver and the NIC share a region in memory for stats reporting.
The NIC calculates its offset into this region based on the total size
of the stats region and the size of the NIC's stats.
When the number of queues is changed, the driver's stats region is
resized. If the queue count is increased, the NIC can write past
the end of the allocated stats region, causing memory corruption.
If the queue count is decreased, there is a gap between the driver
and NIC stats, leading to incorrect stats reporting.
This change fixes the issue by allocating stats region with maximum
size, and the offset calculation for NIC stats is changed to match
with the calculation of the NIC.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < f432f7613c220db32c2c6942420daf7b3f2e7d7e (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < 9d93332397405b62a3300b22d04ac65d990b91ff (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < 837c662f47dac43efa1aef2dd433c6b4b4c073af (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < df54838ab61826ecc1a562ffa5e280c3ab7289a7 (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < 9fa0a755db3e1945fe00f73fe27d85ef6c8818b7 (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < 11f8311f69e4c361717371b4901ff92daeb76e9c (git) |
| Linux | Linux | Affected: 24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c, < 7b9ebcce0296e104a0d82a6b09d68564806158ff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f432f7613c220db32c2c6942420daf7b3f2e7d7e",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9d93332397405b62a3300b22d04ac65d990b91ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "837c662f47dac43efa1aef2dd433c6b4b4c073af",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "df54838ab61826ecc1a562ffa5e280c3ab7289a7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "9fa0a755db3e1945fe00f73fe27d85ef6c8818b7",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "11f8311f69e4c361717371b4901ff92daeb76e9c",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
},
{
"lessThan": "7b9ebcce0296e104a0d82a6b09d68564806158ff",
"status": "affected",
"version": "24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/google/gve/gve_ethtool.c",
"drivers/net/ethernet/google/gve/gve_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Fix stats report corruption on queue count change\n\nThe driver and the NIC share a region in memory for stats reporting.\nThe NIC calculates its offset into this region based on the total size\nof the stats region and the size of the NIC\u0027s stats.\n\nWhen the number of queues is changed, the driver\u0027s stats region is\nresized. If the queue count is increased, the NIC can write past\nthe end of the allocated stats region, causing memory corruption.\nIf the queue count is decreased, there is a gap between the driver\nand NIC stats, leading to incorrect stats reporting.\n\nThis change fixes the issue by allocating stats region with maximum\nsize, and the offset calculation for NIC stats is changed to match\nwith the calculation of the NIC."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:08.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f432f7613c220db32c2c6942420daf7b3f2e7d7e"
},
{
"url": "https://git.kernel.org/stable/c/9d93332397405b62a3300b22d04ac65d990b91ff"
},
{
"url": "https://git.kernel.org/stable/c/837c662f47dac43efa1aef2dd433c6b4b4c073af"
},
{
"url": "https://git.kernel.org/stable/c/df54838ab61826ecc1a562ffa5e280c3ab7289a7"
},
{
"url": "https://git.kernel.org/stable/c/9fa0a755db3e1945fe00f73fe27d85ef6c8818b7"
},
{
"url": "https://git.kernel.org/stable/c/11f8311f69e4c361717371b4901ff92daeb76e9c"
},
{
"url": "https://git.kernel.org/stable/c/7b9ebcce0296e104a0d82a6b09d68564806158ff"
}
],
"title": "gve: Fix stats report corruption on queue count change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23262",
"datePublished": "2026-03-18T17:41:08.380Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:08.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23257 (GCVE-0-2026-23257)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
In setup_nic_devices(), the initialization loop jumps to the label
setup_nic_dev_free on failure. The current cleanup loop while(i--)
skips the failing index i, causing a memory leak.
Fix this by changing the loop to iterate from the current index i
down to 0.
Also, decrement i in the devlink_alloc failure path to point to the
last successfully allocated index.
Compile tested only. Issue found using code review.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < d86c58eb005eb99da402452f3db7a6e0eae32815 (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < f1216b80c9040a904d2ad7c8cd24ca0ff1f36932 (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < a0d2389c8cdc1f05de5eb8663bffe9ed05dca769 (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < f86bd16280a0f88b538394e0565c56ce4756da99 (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < 293eaad0d6d6b2a37a458c7deb7be345349cd963 (git) |
| Linux | Linux | Affected: f21fb3ed364bb83533c5efe19354e337ea9ecda9, < 8558aef4e8a1a83049ab906d21d391093cfa7e7f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "d86c58eb005eb99da402452f3db7a6e0eae32815",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "f1216b80c9040a904d2ad7c8cd24ca0ff1f36932",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "a0d2389c8cdc1f05de5eb8663bffe9ed05dca769",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "f86bd16280a0f88b538394e0565c56ce4756da99",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "293eaad0d6d6b2a37a458c7deb7be345349cd963",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
},
{
"lessThan": "8558aef4e8a1a83049ab906d21d391093cfa7e7f",
"status": "affected",
"version": "f21fb3ed364bb83533c5efe19354e337ea9ecda9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cavium/liquidio/lio_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nAlso, decrement i in the devlink_alloc failure path to point to the\nlast successfully allocated index.\n\nCompile tested only. Issue found using code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:04.078Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d"
},
{
"url": "https://git.kernel.org/stable/c/d86c58eb005eb99da402452f3db7a6e0eae32815"
},
{
"url": "https://git.kernel.org/stable/c/f1216b80c9040a904d2ad7c8cd24ca0ff1f36932"
},
{
"url": "https://git.kernel.org/stable/c/a0d2389c8cdc1f05de5eb8663bffe9ed05dca769"
},
{
"url": "https://git.kernel.org/stable/c/f86bd16280a0f88b538394e0565c56ce4756da99"
},
{
"url": "https://git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963"
},
{
"url": "https://git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7f"
}
],
"title": "net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23257",
"datePublished": "2026-03-18T17:41:04.078Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:04.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23264 (GCVE-0-2026-23264)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:41 – Updated: 2026-03-18 17:41
Title
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
This reverts commit 7294863a6f01248d72b61d38478978d638641bee.
This commit was erroneously applied again after commit 0ab5d711ec74
("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device")
removed it, leading to very hard to debug crashes, when used with a system with two
AMD GPUs of which only one supports ASPM.
(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0ab5d711ec74d9e60673900974806b7688857947, < f02c9052aaa031ef3c2285d86a155d4263180ddd (git) |
| Linux | Linux | Affected: 0ab5d711ec74d9e60673900974806b7688857947, < d2bddc2da2b3ba5d738877c476bf97932dba32e8 (git) |
| Linux | Linux | Affected: 0ab5d711ec74d9e60673900974806b7688857947, < 5b794951541e84d2968980a68dd1ac38420f75f3 (git) |
| Linux | Linux | Affected: 0ab5d711ec74d9e60673900974806b7688857947, < 5f645222eb30c91135119e12eccfd1b8ea88140e (git) |
| Linux | Linux | Affected: 0ab5d711ec74d9e60673900974806b7688857947, < 243b467dea1735fed904c2e54d248a46fa417a2d (git) |
| Linux | Linux | Affected: 0a9a60dcedaacde4b903337b7445cb431b4dd119 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f02c9052aaa031ef3c2285d86a155d4263180ddd",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "d2bddc2da2b3ba5d738877c476bf97932dba32e8",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "5b794951541e84d2968980a68dd1ac38420f75f3",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "5f645222eb30c91135119e12eccfd1b8ea88140e",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"lessThan": "243b467dea1735fed904c2e54d248a46fa417a2d",
"status": "affected",
"version": "0ab5d711ec74d9e60673900974806b7688857947",
"versionType": "git"
},
{
"status": "affected",
"version": "0a9a60dcedaacde4b903337b7445cb431b4dd119",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: Check if ASPM is enabled from PCIe subsystem\"\n\nThis reverts commit 7294863a6f01248d72b61d38478978d638641bee.\n\nThis commit was erroneously applied again after commit 0ab5d711ec74\n(\"drm/amd: Refactor `amdgpu_aspm` to be evaluated per device\")\nremoved it, leading to very hard to debug crashes, when used with a system with two\nAMD GPUs of which only one supports ASPM.\n\n(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:41:10.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f02c9052aaa031ef3c2285d86a155d4263180ddd"
},
{
"url": "https://git.kernel.org/stable/c/d2bddc2da2b3ba5d738877c476bf97932dba32e8"
},
{
"url": "https://git.kernel.org/stable/c/5b794951541e84d2968980a68dd1ac38420f75f3"
},
{
"url": "https://git.kernel.org/stable/c/5f645222eb30c91135119e12eccfd1b8ea88140e"
},
{
"url": "https://git.kernel.org/stable/c/243b467dea1735fed904c2e54d248a46fa417a2d"
}
],
"title": "Revert \"drm/amd: Check if ASPM is enabled from PCIe subsystem\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23264",
"datePublished": "2026-03-18T17:41:10.208Z",
"dateReserved": "2026-01-13T15:37:45.990Z",
"dateUpdated": "2026-03-18T17:41:10.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23266 (GCVE-0-2026-23266)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:44 – Updated: 2026-03-18 17:44
Title
fbdev: rivafb: fix divide error in nv3_arb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: rivafb: fix divide error in nv3_arb()
A userspace program can trigger the RIVA NV3 arbitration code by calling
the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
first.
In a normal setup, state->mclk_khz is provided by the real hardware and is
non-zero. However, an attacker can construct a malicious or misconfigured
device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
configuration, causing state->mclk_khz to become zero. Once
nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
calculation causes a divide error and crashes the kernel.
Fix this by checking whether state->mclk_khz is zero and bailing out before
doing the division.
The following log reveals it:
rivafb: setting virtual Y resolution to 2184
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
Call Trace:
nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
__x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < ec5a58f4fd581875593ea92a65485e1906a53c0f (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 52916878db2b8e3769743a94484729f0844352df (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 526460a96c5443e2fc0fd231edd1f9c49d2de26b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 78daf5984d96edec3b920c72a93bd6821b8710b7 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 9efa0dc46270a8723c158c64afbcf1dead72b28c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 73f0391e92d404da68f7484e57c106c5e673dc7e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/riva/riva_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec5a58f4fd581875593ea92a65485e1906a53c0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52916878db2b8e3769743a94484729f0844352df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "526460a96c5443e2fc0fd231edd1f9c49d2de26b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "78daf5984d96edec3b920c72a93bd6821b8710b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9efa0dc46270a8723c158c64afbcf1dead72b28c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73f0391e92d404da68f7484e57c106c5e673dc7e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0209e21e3c372fa2da04c39214bec0b64e4eb5f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/riva/riva_hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: rivafb: fix divide error in nv3_arb()\n\nA userspace program can trigger the RIVA NV3 arbitration code by calling\nthe FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver\nrecomputes FIFO arbitration parameters in nv3_arb(), using state-\u003emclk_khz\n(derived from the PRAMDAC MCLK PLL) as a divisor without validating it\nfirst.\n\nIn a normal setup, state-\u003emclk_khz is provided by the real hardware and is\nnon-zero. However, an attacker can construct a malicious or misconfigured\ndevice (e.g. a crafted/emulated PCI device) that exposes a bogus PLL\nconfiguration, causing state-\u003emclk_khz to become zero. Once\nnv3_get_param() calls nv3_arb(), the division by state-\u003emclk_khz in the gns\ncalculation causes a divide error and crashes the kernel.\n\nFix this by checking whether state-\u003emclk_khz is zero and bailing out before\ndoing the division.\n\nThe following log reveals it:\n\nrivafb: setting virtual Y resolution to 2184\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]\nRIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546\nCall Trace:\n nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603\n nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]\n CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246\n riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779\n rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188\n 
__x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:44:48.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f"
},
{
"url": "https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df"
},
{
"url": "https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b"
},
{
"url": "https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7"
},
{
"url": "https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c"
},
{
"url": "https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a"
},
{
"url": "https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e"
},
{
"url": "https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4"
}
],
"title": "fbdev: rivafb: fix divide error in nv3_arb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23266",
"datePublished": "2026-03-18T17:44:48.715Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"dateUpdated": "2026-03-18T17:44:48.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.