{"resultsPerPage":70,"startIndex":0,"totalResults":70,"format":"NVD_CVE","version":"2.0","timestamp":"2026-07-12T15:13:42.365","vulnerabilities":[{"cve":{"id":"CVE-2021-27033","sourceIdentifier":"psirt@autodesk.com","published":"2021-07-09T15:15:07.537","lastModified":"2026-06-19T14:16:20.473","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A maliciously crafted PDF file, when opened by a user in Autodesk Design Review, can trigger a Double Free vulnerability in the Autodesk Design Review application. A malicious actor may leverage this vulnerability to cause memory corruption and execute arbitrary code in the context of the current process."},{"lang":"es","value":"Una vulnerabilidad Double Free permite a los atacantes remotos ejecutar código arbitrario en archivos PDF dentro de las instalaciones afectadas de Autodesk Design Review 2018, 2017, 2013, 2012, 2011. Se requiere la interacción del usuario para explotar esta vulnerabilidad, ya que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso"}],"affected":[{"source":"psirt@autodesk.com","affectedData":[{"vendor":"Autodesk","product":"Design Review","defaultStatus":"unaffected","cpes":["cpe:2.3:a:autodesk:design_review:2018:*:*:*:*:*:*:*","cpe:2.3:a:autodesk:design_review:2017:*:*:*:*:*:*:*","cpe:2.3:a:autodesk:design_review:2013:*:*:*:*:*:*:*","cpe:2.3:a:autodesk:design_review:2012:*:*:*:*:*:*:*","cpe:2.3:a:autodesk:design_review:2011:*:*:*:*:*:*:*"],"versions":[{"version":"2018.0.0, 2017.0.0, 2013.0.0, 2012.0.0, 2011.0.0","lessThan":"2018.0.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"psirt@autodesk.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"psirt@autodesk.com","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]},{"source":"nvd@nist.gov","type":"Secondary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:autodesk:design_review:2011:*:*:*:*:*:*:*","matchCriteriaId":"83CF6CDF-806C-4DC5-B572-C1C2BC2C25F2"},{"vulnerable":true,"criteria":"cpe:2.3:a:autodesk:design_review:2012:*:*:*:*:*:*:*","matchCriteriaId":"2A78B6F8-DF84-4E6C-A247-0F6D2F8CA679"},{"vulnerable":true,"criteria":"cpe:2.3:a:autodesk:design_review:2013:*:*:*:*:*:*:*","matchCriteriaId":"DCD2CA9B-16E1-4BE7-A4E1-A9817A503958"},{"vulnerable":true,"criteria":"cpe:2.3:a:autodesk:design_review:2017:*:*:*:*:*:*:*","matchCriteriaId":"31F2529F-ECF0-4568-BBDC-82B396A52332"},{"vulnerable":true,"criteria":"cpe:2.3:a:autodesk:design_review:2018:*:*:*:*:*:*:*","matchCriteriaId":"7D07C55F-1D23-4E2B-AC1E-67D735F800B7"}]}]}],"references":[{"url":"https://www.autodesk.com/products/autodesk-access/overview","source":"psirt@autodesk.com"},{"url":"https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html","source":"psirt@autodesk.com"},{"url":"https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0004","source":"psirt@autodesk.com","tags":["Vendor Advisory"]},{"url":"https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0004","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2021-47211","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-04-10T19:15:48.547","lastModified":"2026-06-19T13:16:18.337","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\n\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: usb-audio: se corrige la desreferencia de puntero nulo en el puntero cs_desc El puntero cs_desc devuelto por snd_usb_find_clock_source podría ser nulo, por lo que existe un posible problema de desreferencia de puntero nulo. Solucione esto agregando una comprobación de nulo antes de la desreferencia."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["sound/usb/clock.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1dc669fed61a4ec4270a89e5fb3535802cc45668","lessThan":"3455984b16eeb6914caf8b59498ef24fcc1f0a78","versionType":"git","status":"affected"},{"version":"1dc669fed61a4ec4270a89e5fb3535802cc45668","lessThan":"58fa50de595f152900594c28ec9915c169643739","versionType":"git","status":"affected"},{"version":"1dc669fed61a4ec4270a89e5fb3535802cc45668","lessThan":"b97053df0f04747c3c1e021ecbe99db675342954","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["sound/usb/clock.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.5","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"5.16","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2024-06-21T16:04:02.891188Z","id":"CVE-2021-47211","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.5","matchCriteriaId":"B2845F69-264B-45BD-B7E7-D12B24338382"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3455984b16eeb6914caf8b59498ef24fcc1f0a78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/58fa50de595f152900594c28ec9915c169643739","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b97053df0f04747c3c1e021ecbe99db675342954","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/58fa50de595f152900594c28ec9915c169643739","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b97053df0f04747c3c1e021ecbe99db675342954","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-27012","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-01T06:15:19.743","lastModified":"2026-06-19T13:16:19.530","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS:  00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118]  <TASK>\n[43929.458121]  ? __warn+0x9f/0x1a0\n[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188]  ? report_bug+0x1b1/0x1e0\n[43929.458196]  ? handle_bug+0x3c/0x70\n[43929.458200]  ? exc_invalid_op+0x17/0x40\n[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512]  ? rb_insert_color+0x2e/0x280\n[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701]  ? __rcu_read_unlock+0x46/0x70\n[43929.458709]  nft_delset+0xff/0x110 [nf_tables]\n[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]"},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: restaurar elementos del conjunto cuando falla la eliminación del conjunto Desde la ruta de cancelación, nft_mapelem_activate() necesita restaurar los contadores de referencia al estado original. Actualmente, utiliza set-&gt;ops-&gt;walk() para iterar sobre estos elementos del conjunto. El iterador de conjunto existente omite elementos inactivos en la próxima generación; esto no funciona desde la ruta de cancelación para restaurar el estado original ya que tiene que omitir elementos activos (no inactivos). Este parche mueve la verificación de elementos inactivos a la devolución de llamada del iterador establecido, luego invierte la lógica para el caso .activate que necesita omitir elementos activos. Cambie el bit de próxima generación para los elementos cuando se invoque el comando eliminar conjunto y llame a nft_clear() desde la ruta .activate (abortar) para restaurar el bit de próxima generación. El siguiente símbolo muestra un objeto en asignaciones memleak: [43929.457523] ------------[ cortar aquí ]------------ [43929.457532] ADVERTENCIA: CPU: 0 PID : 1139 en include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] ] Código: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 &lt;0f&gt; 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 000000000000000 0 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093 ] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 00000000000000003 R11: ffff0000ffff0000 R12: 4f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) 88390800000(0000) knlGS :0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 00000001236020 05 CR4: 00000000001706f0 [43929.458114] Seguimiento de llamadas: [43929.458118]  [43929.458121] ? __advertir+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] 53] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] 501/0x580 [nf_tables]"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nf_tables_api.c","net/netfilter/nft_set_bitmap.c","net/netfilter/nft_set_hash.c","net/netfilter/nft_set_pipapo.c","net/netfilter/nft_set_rbtree.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d60be2da67d172aecf866302c91ea11533eca4d9","lessThan":"faa0deee272128b95a838fe7c6ebf6a2a426df14","versionType":"git","status":"affected"},{"version":"628bd3e49cba1c066228e23d71a852c23e26da73","lessThan":"86658fc7414d4b9e25c2699d751034537503d637","versionType":"git","status":"affected"},{"version":"628bd3e49cba1c066228e23d71a852c23e26da73","lessThan":"e79b47a8615d42c68aaeb68971593333667382ed","versionType":"git","status":"affected"},{"version":"bc9f791d2593f17e39f87c6e2b3a36549a3705b1","versionType":"git","status":"affected"},{"version":"3c7ec098e3b588434a8b07ea9b5b36f04cef1f50","versionType":"git","status":"affected"},{"version":"a136b7942ad2a50de708f76ea299ccb45ac7a7f9","versionType":"git","status":"affected"},{"version":"25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8","versionType":"git","status":"affected"},{"version":"dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41","versionType":"git","status":"affected"},{"version":"6.1.36","lessThan":"6.1.176","versionType":"semver","status":"affected"},{"version":"4.19.316","lessThan":"4.20","versionType":"semver","status":"affected"},{"version":"5.4.262","lessThan":"5.5","versionType":"semver","status":"affected"},{"version":"5.10.188","lessThan":"5.11","versionType":"semver","status":"affected"},{"version":"5.15.121","lessThan":"5.16","versionType":"semver","status":"affected"},{"version":"6.3.10","lessThan":"6.4","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nf_tables_api.c","net/netfilter/nft_set_bitmap.c","net/netfilter/nft_set_hash.c","net/netfilter/nft_set_pipapo.c","net/netfilter/nft_set_rbtree.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.8.8","lessThanOrEqual":"6.8.*","versionType":"semver","status":"unaffected"},{"version":"6.9","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2024-06-14T18:56:10.473492Z","id":"CVE-2024-27012","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.8.8","matchCriteriaId":"ABBE8A9C-EB49-4236-B78E-D0771D521A7F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*","matchCriteriaId":"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*","matchCriteriaId":"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*","matchCriteriaId":"52048DDA-FC5A-4363-95A0-A6357B4D7F8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*","matchCriteriaId":"A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","matchCriteriaId":"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*","matchCriteriaId":"B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*","matchCriteriaId":"CA277A6C-83EC-4536-9125-97B84C4FAF59"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/faa0deee272128b95a838fe7c6ebf6a2a426df14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2025-21863","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-03-12T10:15:19.387","lastModified":"2026-06-19T13:16:20.273","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent opcode speculation\n\nsqe->opcode is used for different tables, make sure we santitise it\nagainst speculations."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: evita la especulación de código de operación. sqe-&gt;opcode se utiliza para diferentes tablas, asegúrese de que lo desinfectemos contra especulaciones."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["io_uring/io_uring.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"87e9eef43c758da267f6332678058a79764c7eba","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"18eae8420081ef8e043ad455937bfb470ef08607","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"d261ead565a080e3411b0dd04e6d58a52471cac8","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"b9826e3b26ec031e9063f64a7c735449c43955e4","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"506b9b5e8c2d2a411ea8fe361333f5081c56d23a","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"fdbfd52bd8b85ed6783365ff54c82ab7067bd61b","versionType":"git","status":"affected"},{"version":"d3656344fea0339fb0365c8df4d2beba4e0089cd","lessThan":"1e988c3fe1264708f4f92109203ac5b1d65de50b","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["io_uring/io_uring.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.6","status":"affected"},{"version":"0","lessThan":"5.6","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.80","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.17","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.13.5","lessThanOrEqual":"6.13.*","versionType":"semver","status":"unaffected"},{"version":"6.14","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-10-01T19:25:38.400104Z","id":"CVE-2025-21863","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.6.80","matchCriteriaId":"E3785293-6562-4D6B-B271-6DD83134CCC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.17","matchCriteriaId":"15370AEE-6D1C-49C3-8CB7-E889D5F92B6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.5","matchCriteriaId":"72E69ABB-9015-43A6-87E1-5150383CFFD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*","matchCriteriaId":"0D3E781C-403A-498F-9DA9-ECEE50F41E75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*","matchCriteriaId":"66619FB8-0AAF-4166-B2CF-67B24143261D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/18eae8420081ef8e043ad455937bfb470ef08607","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e988c3fe1264708f4f92109203ac5b1d65de50b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/506b9b5e8c2d2a411ea8fe361333f5081c56d23a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/87e9eef43c758da267f6332678058a79764c7eba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b9826e3b26ec031e9063f64a7c735449c43955e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d261ead565a080e3411b0dd04e6d58a52471cac8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdbfd52bd8b85ed6783365ff54c82ab7067bd61b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-22026","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-16T15:15:55.237","lastModified":"2026-06-19T13:16:20.970","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't ignore the return code of svc_proc_register()\n\nCurrently, nfsd_proc_stat_init() ignores the return value of\nsvc_proc_register(). If the procfile creation fails, then the kernel\nwill WARN when it tries to remove the entry later.\n\nFix nfsd_proc_stat_init() to return the same type of pointer as\nsvc_proc_register(), and fix up nfsd_net_init() to check that and fail\nthe nfsd_net construction if it occurs.\n\nsvc_proc_register() can fail if the dentry can't be allocated, or if an\nidentical dentry already exists. The second case is pretty unlikely in\nthe nfsd_net construction codepath, so if this happens, return -ENOMEM."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: no ignore el código de retorno de svc_proc_register() Actualmente, nfsd_proc_stat_init() ignora el valor de retorno de svc_proc_register(). Si la creación de procfile falla, el kernel emitirá una ADVERTENCIA cuando intente eliminar la entrada posteriormente. Corrija nfsd_proc_stat_init() para que devuelva el mismo tipo de puntero que svc_proc_register() y corrija nfsd_net_init() para que lo compruebe y falle la construcción de nfsd_net si ocurre. svc_proc_register() puede fallar si no se puede asignar la dentry o si ya existe una dentry idéntica. El segundo caso es bastante improbable en la ruta de código de construcción de nfsd_net, por lo que si esto sucede, devuelva -ENOMEM."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/nfsd/nfsctl.c","fs/nfsd/stats.c","fs/nfsd/stats.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5545496966631cd40ad3aa6450be56d0e5773d10","lessThan":"51107e768de6821b68aa34a136d07bc7a09cf6c3","versionType":"git","status":"affected"},{"version":"73c43bccf25cec9cdec62fc22a513c28a4b28390","lessThan":"e4316bd85e42b01125b2aab691769234a388b8a3","versionType":"git","status":"affected"},{"version":"10ece754df9a799131a1cf3197e9d26c04ddec22","lessThan":"51da899c209a9624e48be416bd30e7ed5cd6c3d8","versionType":"git","status":"affected"},{"version":"6f8d6ed3426a17f77628cebfb6a6e2c6f2b2496c","lessThan":"30405b23b4d5e2a596fb756d48119d7293194e75","versionType":"git","status":"affected"},{"version":"93483ac5fec62cc1de166051b219d953bb5e4ef4","lessThan":"6a59b70fe71ec66c0dd19e2c279c71846a3fb2f0","versionType":"git","status":"affected"},{"version":"93483ac5fec62cc1de166051b219d953bb5e4ef4","lessThan":"e31957a819e60cf0bc9a49408765e6095fd3d046","versionType":"git","status":"affected"},{"version":"93483ac5fec62cc1de166051b219d953bb5e4ef4","lessThan":"9d9456185fd5f1891c74354ee297f19538141ead","versionType":"git","status":"affected"},{"version":"93483ac5fec62cc1de166051b219d953bb5e4ef4","lessThan":"930b64ca0c511521f0abdd1d57ce52b2a6e3476b","versionType":"git","status":"affected"},{"version":"b7b05f98f3f06fea3986b46e5c7fe2928676b02d","versionType":"git","status":"affected"},{"version":"5.10.226","lessThan":"5.10.259","versionType":"semver","status":"affected"},{"version":"5.15.166","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.106","lessThan":"6.1.164","versionType":"semver","status":"affected"},{"version":"6.6.47","lessThan":"6.6.125","versionType":"semver","status":"affected"},{"version":"6.8.10","lessThan":"6.9","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/nfsd/nfsctl.c","fs/nfsd/stats.c","fs/nfsd/stats.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.9","status":"affected"},{"version":"0","lessThan":"6.9","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.164","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.125","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.24","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.13.12","lessThanOrEqual":"6.13.*","versionType":"semver","status":"unaffected"},{"version":"6.14.2","lessThanOrEqual":"6.14.*","versionType":"semver","status":"unaffected"},{"version":"6.15","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-10T20:40:43.644362Z","id":"CVE-2025-22026","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-252"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.24","matchCriteriaId":"C87CF81F-5426-4E15-8A61-B8F0E6046484"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.12","matchCriteriaId":"4A475784-BF3B-4514-81EE-49C8522FB24A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.2","matchCriteriaId":"FADAE5D8-4808-442C-B218-77B2CE8780A0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/30405b23b4d5e2a596fb756d48119d7293194e75","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/51107e768de6821b68aa34a136d07bc7a09cf6c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/51da899c209a9624e48be416bd30e7ed5cd6c3d8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6a59b70fe71ec66c0dd19e2c279c71846a3fb2f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/930b64ca0c511521f0abdd1d57ce52b2a6e3476b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9d9456185fd5f1891c74354ee297f19538141ead","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e31957a819e60cf0bc9a49408765e6095fd3d046","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e4316bd85e42b01125b2aab691769234a388b8a3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-38129","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-03T09:15:27.170","lastModified":"2026-06-19T13:16:21.663","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(&r->producer_lock);\n    WRITE_ONCE(r->queue[r->producer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool->recycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(&r->producer_lock); //pool->ring uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: page_pool: Fix use-after-free en page_pool_recycle_in_ring syzbot informó un uaf en page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free en lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Lectura de tamaño 8 en la dirección ffff8880286045a0 por la tarea syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 No contaminado 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Rastreo de llamadas:   __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&amp;r-&gt;producer_lock); WRITE_ONCE(r-&gt;queue[r-&gt;producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool-&gt;recycle_stats); free(pool) //free spin_unlock(&amp;r-&gt;producer_lock); //pool-&gt;ring uaf read recycle_stat_inc(pool, ring); page_pool  puede estar libre mientras el grupo de páginas recicle la última página del anillo. Se ha añadido una barrera de bloqueo del productor a page_pool_release para evitar que el grupo de páginas esté libre antes de que se hayan reciclado todas las páginas. recycle_stat_inc() está vacío cuando CONFIG_PAGE_POOL_STATS no está habilitado, lo que activará la advertencia de compilación Wempty-body. Se ha añadido una definición para la macro de estadísticas del grupo para corregir la advertencia."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/core/page_pool.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"c2c906142293931e33ef4be79ebc36c25c4e21dd","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"1a8c0b61d4cb55c5440583ec9e7f86a730369e32","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"4914c0a166540e534a0c1d43affd329d95fb56fd","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"e869a85acc2e60dc554579b910826a4919d8cd98","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"4ab8c0f8905c9c4d05e7f437e65a9a365573ff02","versionType":"git","status":"affected"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"271683bb2cf32e5126c592b5d5e6a756fa374fd9","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/core/page_pool.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","versionType":"semver","status":"unaffected"},{"version":"6.16","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-10T20:41:54.789942Z","id":"CVE-2025-38129","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.12.34","matchCriteriaId":"D52CF84C-B143-4A91-B892-0DE244D504A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.3","matchCriteriaId":"0541C761-BD5E-4C1A-8432-83B375D7EB92"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2c906142293931e33ef4be79ebc36c25c4e21dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38250","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-09T11:15:27.193","lastModified":"2026-06-19T13:16:22.327","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix use-after-free in vhci_flush()\n\nsyzbot reported use-after-free in vhci_flush() without repro. [0]\n\nFrom the splat, a thread close()d a vhci file descriptor while\nits device was being used by iotcl() on another thread.\n\nOnce the last fd refcnt is released, vhci_release() calls\nhci_unregister_dev(), hci_free_dev(), and kfree() for struct\nvhci_data, which is set to hci_dev->dev->driver_data.\n\nThe problem is that there is no synchronisation after unlinking\nhdev from hci_dev_list in hci_unregister_dev().  There might be\nanother thread still accessing the hdev which was fetched before\nthe unlink operation.\n\nWe can use SRCU for such synchronisation.\n\nLet's run hci_dev_reset() under SRCU and wait for its completion\nin hci_unregister_dev().\n\nAnother option would be to restore hci_dev->destruct(), which was\nremoved in commit 587ae086f6e4 (\"Bluetooth: Remove unused\nhci-destruct cb\").  However, this would not be a good solution, as\nwe should not run hci_unregister_dev() while there are in-flight\nioctl() requests, which could lead to another data-race KCSAN splat.\n\nNote that other drivers seem to have the same problem, for exmaple,\nvirtbt_remove().\n\n[0]:\nBUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\nBUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\nRead of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718\n\nCPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\n skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\n skb_queue_purge include/linux/skbuff.h:3368 [inline]\n vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69\n hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]\n hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592\n sock_do_ioctl+0xd9/0x300 net/socket.c:1190\n sock_ioctl+0x576/0x790 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcf5b98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929\nRDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009\nRBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528\n </TASK>\n\nAllocated by task 6535:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635\n misc_open+0x2bc/0x330 drivers/char/misc.c:161\n chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414\n do_dentry_open+0xdf0/0x1970 fs/open.c:964\n vfs_open+0x3b/0x340 fs/open.c:1094\n do_open fs/namei.c:3887 [inline]\n path_openat+0x2ee5/0x3830 fs/name\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: hci_core: Se corrige el use-after-free en vhci_flush() syzbot informó use-after-free en vhci_flush() sin reproducción. [0] Desde el splat, un subproceso cierra() un descriptor de archivo vhci mientras su dispositivo estaba siendo usado por iotcl() en otro subproceso. Una vez que se libera el último fd refcnt, vhci_release() llama a hci_unregister_dev(), hci_free_dev() y kfree() para struct vhci_data, que está configurado en hci_dev-&gt;dev-&gt;driver_data. El problema es que no hay sincronización después de desvincular hdev de hci_dev_list en hci_unregister_dev(). Podría haber otro subproceso que aún acceda al hdev que se obtuvo antes de la operación de desvinculación. Podemos usar SRCU para dicha sincronización. Ejecutemos hci_dev_reset() en SRCU y esperemos a que se complete en hci_unregister_dev(). Otra opción sería restaurar hci_dev-&gt;destruct(), que se eliminó en el commit 587ae086f6e4 (\"Bluetooth: Eliminar el bloque de comandos hci-destruct no utilizado\"). Sin embargo, esta no sería una buena solución, ya que no deberíamos ejecutar hci_unregister_dev() mientras haya solicitudes ioctl() en curso, lo que podría provocar otro error de KCSAN en la ejecución de datos. Tenga en cuenta que otros controladores parecen tener el mismo problema, por ejemplo, virtbt_remove(). [0]: ERROR: KASAN: slab-use-after-free en skb_queue_empty_lockless include/linux/skbuff.h:1891 [en línea] ERROR: KASAN: slab-use-after-free en skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Lectura de tamaño 8 en la dirección ffff88807cb8d858 por la tarea syz.1.219/6718 CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 No contaminado 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Rastreo de llamadas:  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 skb_queue_purge include/linux/skbuff.h:3368 [inline] vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 sock_do_ioctl+0xd9/0x300 net/socket.c:1190 sock_ioctl+0x576/0x790 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 &lt;48&gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528  Allocated by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 misc_open+0x2bc/0x330 drivers/char/misc.c:161 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 do_dentry_open+0xdf0/0x1970 fs/open.c:964 vfs_open+0x3b/0x340 fs/open.c:1094  ---truncado---"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/bluetooth/hci_core.h","net/bluetooth/hci_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"dd4becd3fd4102696e1c15e6d260a1712a2d8685","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"90dee0a0ff84fac8accd5be98412b3819f667149","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"c56b177efce8b62798e4d96bdb9867106cb7c4a0","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"bc0819a25e04cd68ef3568cfa51b63118fea39a7","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"ce23b73f0f27e2dbeb81734a79db710f05aa33c6","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"0e5c144c557df910ab64d9c25d06399a9a735e65","versionType":"git","status":"affected"},{"version":"bf18c7118cf83ad4b9aa476354b4a06bcb9d0c4f","lessThan":"1d6123102e9fbedc8d25bf4731da6d513173e49e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/bluetooth/hci_core.h","net/bluetooth/hci_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.4","status":"affected"},{"version":"0","lessThan":"3.4","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.97","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.36","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.15.5","lessThanOrEqual":"6.15.*","versionType":"semver","status":"unaffected"},{"version":"6.16","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.6.97","matchCriteriaId":"B7D2126A-0CD0-4115-A75E-37D8FA8907ED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.36","matchCriteriaId":"2BD88DEC-018F-4F40-8E29-A2CA89813EBA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.5","matchCriteriaId":"0CC768E2-3BBC-4A6E-9C2F-ECB27A703C2D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0e5c144c557df910ab64d9c25d06399a9a735e65","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1d6123102e9fbedc8d25bf4731da6d513173e49e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/90dee0a0ff84fac8accd5be98412b3819f667149","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc0819a25e04cd68ef3568cfa51b63118fea39a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c56b177efce8b62798e4d96bdb9867106cb7c4a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce23b73f0f27e2dbeb81734a79db710f05aa33c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dd4becd3fd4102696e1c15e6d260a1712a2d8685","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-39863","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-09-19T16:15:45.310","lastModified":"2026-06-19T13:16:22.500","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(&bt_local->work) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0                           | CPU1\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\n                               |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)   |\n    ...                        |\n  cancel_work_sync();          |\n  ...                          |\n  kfree(cfg->btcoex); // FREE  |\n                               |   schedule_work(&bt_local->work); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() — such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0                            | CPU1\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\n                                |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)    |\n    ...                         |\n  cancel_work_sync();           |\n  ...                           |   schedule_work(); // Reschedule\n                                |\n  kfree(cfg->btcoex); // FREE   |   brcmf_btcoex_handler() // Worker\n  /*                            |     btci = container_of(....); // USE\n   The kfree() above could      |     ...\n   also occur at any point      |     btci-> // USE\n   during the worker's execution|\n   */                           |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"c75600e69e66a751cc046cd9c407b942f298d852","versionType":"git","status":"affected"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"ae58f70bde0433f27ef4b388ab50634736607bf6","versionType":"git","status":"affected"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"f1150153c4e5940fe49ab51136343c5b4fe49d63","versionType":"git","status":"affected"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"3e789f8475f6c857c88de5c5bf4b24b11a477dd7","versionType":"git","status":"affected"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"2f6fbc8e04ca1d1d5c560be694199f847229c625","versionType":"git","status":"affected"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"9cb83d4be0b9b697eae93d321e0da999f9cdfcfc","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.105","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.16.6","lessThanOrEqual":"6.16.*","versionType":"semver","status":"unaffected"},{"version":"6.17","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-14T19:23:53.735650Z","id":"CVE-2025-39863","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.6.105","matchCriteriaId":"D5818F4E-9CA3-4FE9-8A75-A6ACE2B108FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.46","matchCriteriaId":"F7E2B332-E920-4CAC-B400-288602DB6F16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.16.6","matchCriteriaId":"548F104C-0F08-438B-9C97-64C903F0C678"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*","matchCriteriaId":"327D22EF-390B-454C-BD31-2ED23C998A1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*","matchCriteriaId":"C730CD9A-D969-4A8E-9522-162AAF7C0EE9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*","matchCriteriaId":"39982C4B-716E-4B2F-8196-FA301F47807D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*","matchCriteriaId":"340BEEA9-D70D-4290-B502-FBB1032353B1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ae58f70bde0433f27ef4b388ab50634736607bf6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c75600e69e66a751cc046cd9c407b942f298d852","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-39929","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T08:15:44.620","lastModified":"2026-06-19T13:16:23.207","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path\n\nDuring tests of another unrelated patch I was able to trigger this\nerror: Objects remaining on __kmem_cache_shutdown()"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/client/smbdirect.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"5aa69aabcb275a8012265233c7694076ce1d9102","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"aa4cf7615328eae44f3b4bf5f4fde3fb390c27c6","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"3d7c075c878ac844e33c43e506c2fa27ac7e9689","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"e7b7a93879558e77d950f1ff9a6f3daa385b33df","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"922338efaad63cfe30d459dfc59f9d69ff93ded4","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"0991418bf98f191d0c320bd25245fcffa1998c7e","versionType":"git","status":"affected"},{"version":"f198186aa9bbd60fae7a2061f4feec614d880299","lessThan":"daac51c7032036a0ca5f1aa419ad1b0471d1c6e0","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/client/smbdirect.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.16","status":"affected"},{"version":"0","lessThan":"4.16","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.154","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.108","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.49","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.16.9","lessThanOrEqual":"6.16.*","versionType":"semver","status":"unaffected"},{"version":"6.17","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]},{"source":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","affectedData":[{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.1.154","matchCriteriaId":"0F31848E-0ABB-4DCA-8DBD-F87E2F0E43DE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.108","matchCriteriaId":"A7E8EAEE-7731-4996-9578-696255D61EA2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.49","matchCriteriaId":"CAA033E9-A2C5-4976-A83E-9804D8FB827F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.16.9","matchCriteriaId":"638DD910-1189-4F5E-98BF-2D436B695112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*","matchCriteriaId":"327D22EF-390B-454C-BD31-2ED23C998A1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*","matchCriteriaId":"C730CD9A-D969-4A8E-9522-162AAF7C0EE9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*","matchCriteriaId":"39982C4B-716E-4B2F-8196-FA301F47807D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*","matchCriteriaId":"340BEEA9-D70D-4290-B502-FBB1032353B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*","matchCriteriaId":"47E4C5C0-079F-4838-971B-8C503D48FCC2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*","matchCriteriaId":"5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0991418bf98f191d0c320bd25245fcffa1998c7e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d7c075c878ac844e33c43e506c2fa27ac7e9689","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5aa69aabcb275a8012265233c7694076ce1d9102","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/922338efaad63cfe30d459dfc59f9d69ff93ded4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aa4cf7615328eae44f3b4bf5f4fde3fb390c27c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/daac51c7032036a0ca5f1aa419ad1b0471d1c6e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e7b7a93879558e77d950f1ff9a6f3daa385b33df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","source":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}},{"cve":{"id":"CVE-2025-40164","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-11-12T11:15:46.660","lastModified":"2026-06-19T13:16:23.357","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/usb/usbnet.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"6635e52bc4165793aefd686962d912d73d323afe","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"65d04291adf7c59338f87aab9c6fe0bfa9993e64","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"f45fffae5e2549bd0a4670cc52a15ad54c9f121e","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"17fbad93879e87a334062882b45fa727ba1b3dd7","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"d1944bab8e0c1511f0cbf364aa06547735bb0ddb","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"0134c7bff14bd50314a4f92b182850ddfc38e255","versionType":"git","status":"affected"},{"version":"43daa96b166c3cf5ff30dfac0c5efa2620e4beab","lessThan":"327cd4b68b4398b6c24f10eb2b2533ffbfc10185","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/usb/usbnet.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.7","status":"affected"},{"version":"0","lessThan":"4.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.17.5","lessThanOrEqual":"6.17.*","versionType":"semver","status":"unaffected"},{"version":"6.18","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-10T20:42:05.458823Z","id":"CVE-2025-40164","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7.1","versionEndExcluding":"5.15.199","matchCriteriaId":"D4DD7644-2E94-47D1-9469-934F9D74FA42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.162","matchCriteriaId":"6579E0D4-0641-479D-A4C3-0EF618798C55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.122","matchCriteriaId":"8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.64","matchCriteriaId":"32BF4A52-377C-44ED-B5E6-7EA5D896E98B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.17.5","matchCriteriaId":"E6A22BA4-0CDF-4955-9D80-068DBE5A9C7E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.7:-:*:*:*:*:*:*","matchCriteriaId":"2F890998-2B89-4DE8-BA87-5B3D9A5E8E11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.7:rc7:*:*:*:*:*:*","matchCriteriaId":"45FA346F-1039-4607-871B-B9F236A30C16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:*","matchCriteriaId":"DD01661D-DFC8-4B6D-80E7-46D203CC4565"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/17fbad93879e87a334062882b45fa727ba1b3dd7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/65d04291adf7c59338f87aab9c6fe0bfa9993e64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6635e52bc4165793aefd686962d912d73d323afe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d1944bab8e0c1511f0cbf364aa06547735bb0ddb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f45fffae5e2549bd0a4670cc52a15ad54c9f121e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-68296","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T16:16:08.540","lastModified":"2026-06-19T13:16:24.050","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup\n\nProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOB\naccess in fbcon_remap_all(). Without holding the console lock the call\nraces with switching outputs.\n\nVGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon\nfunction uses struct fb_info.node, which is set by register_framebuffer().\nAs the fb-helper code currently sets up VGA switcheroo before registering\nthe framebuffer, the value of node is -1 and therefore not a legal value.\nFor example, fbcon uses the value within set_con2fb_map() [1] as an index\ninto an array.\n\nMoving vga_switcheroo_client_fb_set() after register_framebuffer() can\nresult in VGA switching that does not switch fbcon correctly.\n\nTherefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),\nwhich already holds the console lock. Fbdev calls fbcon_fb_registered()\nfrom within register_framebuffer(). Serializes the helper with VGA\nswitcheroo's call to fbcon_remap_all().\n\nAlthough vga_switcheroo_client_fb_set() takes an instance of struct fb_info\nas parameter, it really only needs the contained fbcon state. Moving the\ncall to fbcon initialization is therefore cleaner than before. Only amdgpu,\ni915, nouveau and radeon support vga_switcheroo. For all other drivers,\nthis change does nothing."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/drm_fb_helper.c","drivers/video/fbdev/core/fbcon.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6a9ee8af344e3bd7dbd61e67037096cdf7f83289","lessThan":"711ebd961190def4c69ea24b2f0be75e995af24a","versionType":"git","status":"affected"},{"version":"6a9ee8af344e3bd7dbd61e67037096cdf7f83289","lessThan":"482330f8261b4bea8146d9bd69c1199e5dfcbb5c","versionType":"git","status":"affected"},{"version":"6a9ee8af344e3bd7dbd61e67037096cdf7f83289","lessThan":"05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a","versionType":"git","status":"affected"},{"version":"6a9ee8af344e3bd7dbd61e67037096cdf7f83289","lessThan":"eb76d0f5553575599561010f24c277cc5b31d003","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/drm_fb_helper.c","drivers/video/fbdev/core/fbcon.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.61","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.17.11","lessThanOrEqual":"6.17.*","versionType":"semver","status":"unaffected"},{"version":"6.18","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/711ebd961190def4c69ea24b2f0be75e995af24a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68340","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-23T14:16:40.580","lastModified":"2026-06-19T13:16:24.157","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops->create of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n  - If port_dev is not the same type as dev, dev takes mtu from port_dev\n  - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev->mtu = dev->mtu and instead\nletting team_dev_type_check_change assign dev->mtu = port_dev->mtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n  - team device driver in-tree selftests\n  - Add/remove various devices as slaves of team device\n  - syzbot"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/team/team_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"f82d1fb65549de241fe312fcb2bcb8e0ad7b424d","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"a74ab1b532ecc5f9106621a8f75b4c3d04466b35","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"e26235840fd961e4ebe5568f11a2a078cf726663","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"4040b5e8963982a00aa821300cb746efc9f2947e","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"e3eed4f038214494af62c7d2d64749e5108ce6ca","versionType":"git","status":"affected"},{"version":"1d76efe1577b4323609b1bcbfafa8b731eda071a","lessThan":"0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/team/team_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.7","status":"affected"},{"version":"0","lessThan":"3.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.123","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.61","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.17.11","lessThanOrEqual":"6.17.*","versionType":"semver","status":"unaffected"},{"version":"6.18","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"5.15.199","matchCriteriaId":"E5067FF3-398F-4DBC-A811-0FE8B82E8F38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.162","matchCriteriaId":"6579E0D4-0641-479D-A4C3-0EF618798C55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.123","matchCriteriaId":"316D8D4E-FE44-4C76-8403-63CAF51EEFC2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.61","matchCriteriaId":"6670FFDE-DE38-4ACA-9797-0E90908AC5D2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.17.11","matchCriteriaId":"D7C7E97D-F3F8-4E05-99B6-0650C54C6303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc1:*:*:*:*:*:*","matchCriteriaId":"DD01661D-DFC8-4B6D-80E7-46D203CC4565"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*","matchCriteriaId":"A8A65C5A-918F-4E0B-8E98-08A29FFBA58A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*","matchCriteriaId":"26CA425A-E44F-49D2-92D9-1DDD56398440"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*","matchCriteriaId":"BEEBB43A-4C9F-46BE-AA6D-9DBFD2244E55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*","matchCriteriaId":"2545FB83-C4A6-4F62-9ED1-09F75D2E3C78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*","matchCriteriaId":"E955EC5D-4684-4B5D-AE4D-F2BF9ADDBA1D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc7:*:*:*:*:*:*","matchCriteriaId":"38C4D89F-9A13-4D29-8645-C9785C142C07"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75b4c3d04466b35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a2a078cf726663","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f82d1fb65549de241fe312fcb2bcb8e0ad7b424d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-54125","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-24T13:16:14.473","lastModified":"2026-06-19T13:16:19.063","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Return error for inconsistent extended attributes\n\nntfs_read_ea is called when we want to read extended attributes. There\nare some sanity checks for the validity of the EAs. However, it fails to\nreturn a proper error code for the inconsistent attributes, which might\nlead to unpredicted memory accesses after return.\n\n[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\n[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\n[  138.931132]\n[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\n[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[  138.947327] Call Trace:\n[  138.949557]  <TASK>\n[  138.951539]  dump_stack_lvl+0x4d/0x67\n[  138.956834]  print_report+0x16f/0x4a6\n[  138.960798]  ? ntfs_set_ea+0x453/0xbf0\n[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200\n[  138.969793]  ? ntfs_set_ea+0x453/0xbf0\n[  138.973523]  kasan_report+0xb8/0x140\n[  138.976740]  ? ntfs_set_ea+0x453/0xbf0\n[  138.980578]  __asan_store4+0x76/0xa0\n[  138.984669]  ntfs_set_ea+0x453/0xbf0\n[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10\n[  138.993390]  ? kernel_text_address+0xd3/0xe0\n[  138.998270]  ? __kernel_text_address+0x16/0x50\n[  139.002121]  ? unwind_get_return_address+0x3e/0x60\n[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  139.010177]  ? arch_stack_walk+0xa2/0x100\n[  139.013657]  ? filter_irq_stacks+0x27/0x80\n[  139.017018]  ntfs_setxattr+0x405/0x440\n[  139.022151]  ? __pfx_ntfs_setxattr+0x10/0x10\n[  139.026569]  ? kvmalloc_node+0x2d/0x120\n[  139.030329]  ? kasan_save_stack+0x41/0x60\n[  139.033883]  ? kasan_save_stack+0x2a/0x60\n[  139.037338]  ? kasan_set_track+0x29/0x40\n[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30\n[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0\n[  139.047255]  ? __kmalloc_node+0x68/0x150\n[  139.051264]  ? kvmalloc_node+0x2d/0x120\n[  139.055301]  ? vmemdup_user+0x2b/0xa0\n[  139.058584]  __vfs_setxattr+0x121/0x170\n[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10\n[  139.066282]  __vfs_setxattr_noperm+0x97/0x300\n[  139.070061]  __vfs_setxattr_locked+0x145/0x170\n[  139.073580]  vfs_setxattr+0x137/0x2a0\n[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10\n[  139.080223]  ? __kasan_check_write+0x18/0x20\n[  139.084234]  do_setxattr+0xce/0x150\n[  139.087768]  setxattr+0x126/0x140\n[  139.091250]  ? __pfx_setxattr+0x10/0x10\n[  139.094948]  ? __virt_addr_valid+0xcb/0x140\n[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330\n[  139.102688]  ? debug_smp_processor_id+0x1b/0x30\n[  139.105985]  ? kasan_quarantine_put+0x5b/0x190\n[  139.109980]  ? putname+0x84/0xa0\n[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0\n[  139.117961]  ? putname+0x84/0xa0\n[  139.121316]  ? preempt_count_sub+0x1c/0xd0\n[  139.124427]  ? __mnt_want_write+0xae/0x100\n[  139.127836]  ? mnt_want_write+0x8f/0x150\n[  139.130954]  path_setxattr+0x164/0x180\n[  139.133998]  ? __pfx_path_setxattr+0x10/0x10\n[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10\n[  139.141299]  ? debug_smp_processor_id+0x1b/0x30\n[  139.145714]  ? fpregs_assert_state_consistent+0x6b/0x80\n[  139.150796]  __x64_sys_setxattr+0x71/0x90\n[  139.155407]  do_syscall_64+0x3f/0x90\n[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[  139.163843] RIP: 0033:0x7f108cae4469\n[  139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\n[  139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\n[  139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\n[  139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\n[  139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\n[  139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\n---truncated---"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/ntfs3/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"333feb7ba84f69f9b423422417aaac54fd9e7c84","lessThan":"6557c4504c5a1bbbbac25d14d7dcf2a4912d1508","versionType":"git","status":"affected"},{"version":"000a9a72efa4a9df289bab9c9e8ba1639c72e0d6","lessThan":"486666c2c2714788705d02d98d0332c8a2328575","versionType":"git","status":"affected"},{"version":"0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b","lessThan":"1474098b590a426d90f27bb992f17c326e0b60c1","versionType":"git","status":"affected"},{"version":"0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b","lessThan":"c9db0ff04649aa0b45f497183c957fe260f229f6","versionType":"git","status":"affected"},{"version":"5.15.121","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.40","lessThan":"6.1.176","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/ntfs3/xattr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.4.12","lessThanOrEqual":"6.4.*","versionType":"semver","status":"unaffected"},{"version":"6.5","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/486666c2c2714788705d02d98d0332c8a2328575","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6557c4504c5a1bbbbac25d14d7dcf2a4912d1508","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-54129","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-24T13:16:14.887","lastModified":"2026-06-19T13:16:19.260","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation for lmac type\n\nUpon physical link change, firmware reports to the kernel about the\nchange along with the details like speed, lmac_type_id, etc.\nKernel derives lmac_type based on lmac_type_id received from firmware.\n\nIn a few scenarios, firmware returns an invalid lmac_type_id, which\nis resulting in below kernel panic. This patch adds the missing\nvalidation of the lmac_type_id field.\n\nInternal error: Oops: 96000005 [#1] PREEMPT SMP\n[   35.321595] Modules linked in:\n[   35.328982] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted\n5.4.210-g2e3169d8e1bc-dirty #17\n[   35.337014] Hardware name: Marvell CN103XX board (DT)\n[   35.344297] Workqueue: events work_for_cpu_fn\n[   35.352730] pstate: 40400089 (nZcv daIf +PAN -UAO)\n[   35.360267] pc : strncpy+0x10/0x30\n[   35.366595] lr : cgx_link_change_handler+0x90/0x180"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/marvell/octeontx2/af/cgx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"61071a871ea6eb2125ece91c1a0dbb124a318c8a","lessThan":"4392454c694b13d78c84165c0964729772cd3b73","versionType":"git","status":"affected"},{"version":"61071a871ea6eb2125ece91c1a0dbb124a318c8a","lessThan":"83a7f27c5b94e43f29f8216a32790751139aa61e","versionType":"git","status":"affected"},{"version":"61071a871ea6eb2125ece91c1a0dbb124a318c8a","lessThan":"afd7660c766c4d317feae004e5cd829390bbc4b0","versionType":"git","status":"affected"},{"version":"61071a871ea6eb2125ece91c1a0dbb124a318c8a","lessThan":"5c0268b141ad612b6fca13d3a66cfda111716dbb","versionType":"git","status":"affected"},{"version":"61071a871ea6eb2125ece91c1a0dbb124a318c8a","lessThan":"cb5edce271764524b88b1a6866b3e626686d9a33","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/marvell/octeontx2/af/cgx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"6.1.32","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.2.16","lessThanOrEqual":"6.2.*","versionType":"semver","status":"unaffected"},{"version":"6.3.3","lessThanOrEqual":"6.3.*","versionType":"semver","status":"unaffected"},{"version":"6.4","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/4392454c694b13d78c84165c0964729772cd3b73","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5c0268b141ad612b6fca13d3a66cfda111716dbb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/83a7f27c5b94e43f29f8216a32790751139aa61e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/afd7660c766c4d317feae004e5cd829390bbc4b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cb5edce271764524b88b1a6866b3e626686d9a33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68736","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-24T13:16:28.550","lastModified":"2026-06-19T13:16:24.303","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix handling of disconnected directories\n\nDisconnected files or directories can appear when they are visible and\nopened from a bind mount, but have been renamed or moved from the source\nof the bind mount in a way that makes them inaccessible from the mount\npoint (i.e. out of scope).\n\nPreviously, access rights tied to files or directories opened through a\ndisconnected directory were collected by walking the related hierarchy\ndown to the root of the filesystem, without taking into account the\nmount point because it couldn't be found. This could lead to\ninconsistent access results, potential access right widening, and\nhard-to-debug renames, especially since such paths cannot be printed.\n\nFor a sandboxed task to create a disconnected directory, it needs to\nhave write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to\nthe underlying source of the bind mount, and read access to the related\nmount point.   Because a sandboxed task cannot acquire more access\nrights than those defined by its Landlock domain, this could lead to\ninconsistent access rights due to missing permissions that should be\ninherited from the mount point hierarchy, while inheriting permissions\nfrom the filesystem hierarchy hidden by this mount point instead.\n\nLandlock now handles files and directories opened from disconnected\ndirectories by taking into account the filesystem hierarchy when the\nmount point is not found in the hierarchy walk, and also always taking\ninto account the mount point from which these disconnected directories\nwere opened.  This ensures that a rename is not allowed if it would\nwiden access rights [1].\n\nThe rationale is that, even if disconnected hierarchies might not be\nvisible or accessible to a sandboxed task, relying on the collected\naccess rights from them improves the guarantee that access rights will\nnot be widened during a rename because of the access right comparison\nbetween the source and the destination (see LANDLOCK_ACCESS_FS_REFER).\nIt may look like this would grant more access on disconnected files and\ndirectories, but the security policies are always enforced for all the\nevaluated hierarchies.  This new behavior should be less surprising to\nusers and safer from an access control perspective.\n\nRemove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and\nfix the related comment.\n\nBecause opened files have their access rights stored in the related file\nsecurity properties, there is no impact for disconnected or unlinked\nfiles."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["security/landlock/errata/abi-1.h","security/landlock/fs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"cb2c7d1a1776057c9a1f48ed1250d85e94d4850d","lessThan":"fbf718d5afe21057694a0c0223a18b0c7a5960b6","versionType":"git","status":"affected"},{"version":"cb2c7d1a1776057c9a1f48ed1250d85e94d4850d","lessThan":"426d5b681b2f3339ff04da39b81d71176dc8c87c","versionType":"git","status":"affected"},{"version":"cb2c7d1a1776057c9a1f48ed1250d85e94d4850d","lessThan":"cadb28f8b3fd6908e3051e86158c65c3a8e1c907","versionType":"git","status":"affected"},{"version":"cb2c7d1a1776057c9a1f48ed1250d85e94d4850d","lessThan":"49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["security/landlock/errata/abi-1.h","security/landlock/fs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.2","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/426d5b681b2f3339ff04da39b81d71176dc8c87c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fbf718d5afe21057694a0c0223a18b0c7a5960b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-54271","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-30T13:16:16.000","lastModified":"2026-06-19T13:16:19.390","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init\n\nblk-iocost sometimes causes the following crash:\n\n  BUG: kernel NULL pointer dereference, address: 00000000000000e0\n  ...\n  RIP: 0010:_raw_spin_lock+0x17/0x30\n  Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00\n  RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001\n  RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0\n  RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003\n  R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000\n  R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600\n  FS:  00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0\n  Call Trace:\n   <TASK>\n   ioc_weight_write+0x13d/0x410\n   cgroup_file_write+0x7a/0x130\n   kernfs_fop_write_iter+0xf5/0x170\n   vfs_write+0x298/0x370\n   ksys_write+0x5f/0xb0\n   __x64_sys_write+0x1b/0x20\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis happens because iocg->ioc is NULL. The field is initialized by\nioc_pd_init() and never cleared. The NULL deref is caused by\nblkcg_activate_policy() installing blkg_policy_data before initializing it.\n\nblkcg_activate_policy() was doing the following:\n\n1. Allocate pd's for all existing blkg's and install them in blkg->pd[].\n2. Initialize all pd's.\n3. Online all pd's.\n\nblkcg_activate_policy() only grabs the queue_lock and may release and\nre-acquire the lock as allocation may need to sleep. ioc_weight_write()\ngrabs blkcg->lock and iterates all its blkg's. The two can race and if\nioc_weight_write() runs during #1 or between #1 and #2, it can encounter a\npd which is not initialized yet, leading to crash.\n\nThe crash can be reproduced with the following script:\n\n  #!/bin/bash\n\n  echo +io > /sys/fs/cgroup/cgroup.subtree_control\n  systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct\n  echo 100 > /sys/fs/cgroup/system.slice/io.weight\n  bash -c \"echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos\" &\n  sleep .2\n  echo 100 > /sys/fs/cgroup/system.slice/io.weight\n\nwith the following patch applied:\n\n> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c\n> index fc49be622e05..38d671d5e10c 100644\n> --- a/block/blk-cgroup.c\n> +++ b/block/blk-cgroup.c\n> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)\n> \t\tpd->online = false;\n> \t}\n>\n> +       if (system_state == SYSTEM_RUNNING) {\n> +               spin_unlock_irq(&q->queue_lock);\n> +               ssleep(1);\n> +               spin_lock_irq(&q->queue_lock);\n> +       }\n> +\n> \t/* all allocated, init in the same order */\n> \tif (pol->pd_init_fn)\n> \t\tlist_for_each_entry_reverse(blkg, &q->blkg_list, q_node)\n\nI don't see a reason why all pd's should be allocated, initialized and\nonlined together. The only ordering requirement is that parent blkgs to be\ninitialized and onlined before children, which is guaranteed from the\nwalking order. Let's fix the bug by allocating, initializing and onlining pd\nfor each blkg and holding blkcg->lock over initialization and onlining. This\nensures that an installed blkg is always fully initialized and onlined\nremoving the the race window."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nblk-cgroup: Corrección de desreferencia NULL causada por la instalación de blkg_policy_data antes de la inicialización\n\nblk-iocost a veces causa el siguiente fallo:\n\n  BUG: desreferencia de puntero NULL del kernel, dirección: 00000000000000e0\n  ...\n  RIP: 0010:_raw_spin_lock+0x17/0x30\n  Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0  0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00\n  RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001\n  RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0\n  RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003\n  R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000\n  R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600\n  FS:  00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0\n  Call Trace:\n   \n   ioc_weight_write+0x13d/0x410\n   cgroup_file_write+0x7a/0x130\n   kernfs_fop_write_iter+0xf5/0x170\n   vfs_write+0x298/0x370\n   ksys_write+0x5f/0xb0\n   __x64_sys_write+0x1b/0x20\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nEsto ocurre porque iocg-&gt;ioc es NULL. El campo es inicializado por ioc_pd_init() y nunca se borra. La desreferencia NULL es causada por blkcg_activate_policy() al instalar blkg_policy_data antes de inicializarlo.\n\nblkcg_activate_policy() estaba haciendo lo siguiente:\n\n1. Asignar pd's para todos los blkg's existentes e instalarlos en blkg-&gt;pd[].\n2. Inicializar todos los pd's.\n3. Poner en línea todos los pd's.\n\nblkcg_activate_policy() solo toma el queue_lock y puede liberar y volver a adquirir el bloqueo ya que la asignación puede necesitar dormir. ioc_weight_write() toma blkcg-&gt;lock e itera sobre todos sus blkg's. Los dos pueden competir y si ioc_weight_write() se ejecuta durante el #1 o entre el #1 y el #2, puede encontrar un pd que aún no está inicializado, lo que lleva a un fallo.\n\nEl fallo puede ser reproducido con el siguiente script:\n\n  #!/bin/bash\n\n  echo +io &gt; /sys/fs/cgroup/cgroup.subtree_control\n  systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct\n  echo 100 &gt; /sys/fs/cgroup/system.slice/io.weight\n  bash -c \"echo '8:0 enable=1' &gt; /sys/fs/cgroup/io.cost.qos\" &amp;\n  sleep .2\n  echo 100 &gt; /sys/fs/cgroup/system.slice/io.weight\n\ncon el siguiente parche aplicado:\n\n&gt; diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c\n&gt; index fc49be622e05..38d671d5e10c 100644\n&gt; --- a/block/blk-cgroup.c\n&gt; +++ b/block/blk-cgroup.c\n&gt; @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)\n&gt; \t\tpd-&gt;online = false;\n&gt; \t}\n&gt;\n&gt; +       if (system_state == SYSTEM_RUNNING) {\n&gt; +               spin_unlock_irq(&amp;q-&gt;queue_lock);\n&gt; +               ssleep(1);\n&gt; +               spin_lock_irq(&amp;q-&gt;queue_lock);\n&gt; +       }\n&gt; +\n&gt; \t/* all allocated, init in the same order */\n&gt; \tif (pol-&gt;pd_init_fn)\n&gt; \t\tlist_for_each_entry_reverse(blkg, &amp;q-&gt;blkg_list, q_node)\n\nNo veo una razón por la cual todos los pd's deban ser asignados, inicializados y puestos en línea juntos. El único requisito de orden es que los blkg's padre sean inicializados y puestos en línea antes que los hijos, lo cual está garantizado por el orden de recorrido. Corrijamos el error al asignar, inicializar y poner en línea el pd para cada blkg y manteniendo blkcg-&gt;lock durante la inicialización y la puesta en línea. Esto asegura que un blkg instalado esté siempre completamente inicializado y puesto en línea, eliminando la ventana de carrera."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["block/blk-cgroup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"9d179b865449b351ad5cb76dbea480c9170d4a27","lessThan":"da6cc648c1f570290af1ddbe6b7ca3d91b1d6db9","versionType":"git","status":"affected"},{"version":"9d179b865449b351ad5cb76dbea480c9170d4a27","lessThan":"33f0370bb7ce15a59d72a4d8a05421d334a04add","versionType":"git","status":"affected"},{"version":"9d179b865449b351ad5cb76dbea480c9170d4a27","lessThan":"e39ef7880d1057b2ebcdb013405f4d84a257db23","versionType":"git","status":"affected"},{"version":"9d179b865449b351ad5cb76dbea480c9170d4a27","lessThan":"7d63c6f9765339dcfc34b7365ced7c518012e4fe","versionType":"git","status":"affected"},{"version":"9d179b865449b351ad5cb76dbea480c9170d4a27","lessThan":"ec14a87ee1999b19d8b7ed0fa95fea80644624ae","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["block/blk-cgroup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.4","status":"affected"},{"version":"0","lessThan":"5.4","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.4.16","lessThanOrEqual":"6.4.*","versionType":"semver","status":"unaffected"},{"version":"6.5.3","lessThanOrEqual":"6.5.*","versionType":"semver","status":"unaffected"},{"version":"6.6","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/33f0370bb7ce15a59d72a4d8a05421d334a04add","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d63c6f9765339dcfc34b7365ced7c518012e4fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da6cc648c1f570290af1ddbe6b7ca3d91b1d6db9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e39ef7880d1057b2ebcdb013405f4d84a257db23","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ec14a87ee1999b19d8b7ed0fa95fea80644624ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68768","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-13T16:15:56.247","lastModified":"2026-06-19T13:16:24.413","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn't obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack's netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir->dead\nis set, in case packet sneaks in while we're running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ninet: frags: vaciar skbs pendientes en fqdir_pre_exit()\n\nHemos estado viendo interbloqueos ocasionales en pernet_ops_rwsem desde septiembre en NIPA. La tarea atascada era usualmente modprobe (a menudo cargando un controlador como ipvlan), intentando tomar el bloqueo como un Escritor. lockdep no rastrea lectores para rwsems por lo que la lectura no era obvia de los informes.\n\nEn una inspección más cercana, el Lector que mantenía el bloqueo era conntrack haciendo un bucle para siempre en nf_conntrack_cleanup_net_list(). Basado en la experiencia pasada con fallos ocasionales de NIPA, revisé las pruebas que se ejecutan antes del fallo y noté que el fallo sigue a ip_defrag.sh. Una bandera roja inmediata. Revisar a fondo las colas de (des)fragmentación revela skbs que permanecen, manteniendo referencias de conntrack.\n\nEl problema es que, dado que conntrack depende de nf_defrag_ipv6, nf_defrag_ipv6 se cargará primero. Dado que nf_defrag_ipv6 se carga primero, sus hooks de salida de netns se ejecutan _después_ del hook de salida de netns de conntrack.\n\nVaciar todos los SKBs de la cola de fragmentos durante fqdir_pre_exit() para liberar referencias de conntrack antes de que se ejecute la limpieza de conntrack. También vaciar las colas en los manejadores de expiración del temporizador cuando descubren que fqdir-&gt;dead está establecido, en caso de que un paquete se cuele mientras estamos ejecutando el vaciado de pre_exit.\n\nEl commit bajo Fixes no es exactamente el culpable, pero creo que anteriormente el disparo del temporizador eventualmente desbloquearía el conntrack en bucle."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"22ee4010866da81aeee08e1ea3fddbe418feb212","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"543555954b1ee8d1903a7020324efb41b0c97428","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"c70df25214ac9b32b53e18e6ae3b8f073ffa6903","versionType":"git","status":"affected"},{"version":"d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db","lessThan":"006a5035b495dec008805df249f92c22c89c3d2e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/inet_frag.h","include/net/ipv6_frag.h","net/ipv4/inet_fragment.c","net/ipv4/ip_fragment.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/22ee4010866da81aeee08e1ea3fddbe418feb212","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/543555954b1ee8d1903a7020324efb41b0c97428","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23099","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-04T17:16:20.777","lastModified":"2026-06-19T13:16:24.520","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: limit BOND_MODE_8023AD to Ethernet devices\n\nBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.\n\nsyzbot reported:\n\n BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nRead of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G             L      syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n <TASK>\n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n  kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n  __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n  __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n  dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n  bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n  do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n  do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n  rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n  __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n  rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n  rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n  netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n  sock_sendmsg_nosec net/socket.c:727 [inline]\n  __sock_sendmsg+0x21c/0x270 net/socket.c:742\n  ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n  __sys_sendmsg+0x164/0x220 net/socket.c:2678\n  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n  __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n  do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n </TASK>\n\nThe buggy address belongs to the variable:\n lacpdu_mcast_addr+0x0/0x40"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbonding: limitar BOND_MODE_8023AD a dispositivos Ethernet\n\nBOND_MODE_8023AD solo tiene sentido para ARPHRD_ETHER.\n\nsyzbot informó:\n\n BUG: KASAN: global-out-of-bounds en __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds en __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nLectura de tamaño 16 en la dirección ffffffff8bf94040 por la tarea syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nNombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nTraza de Llamadas:\n \n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n  kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n  __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n  __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n  dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n  bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n  do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n  do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n  rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n  __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n  rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n  rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n  netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n  sock_sendmsg_nosec net/socket.c:727 [inline]\n  __sock_sendmsg+0x21c/0x270 net/socket.c:742\n  ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n  __sys_sendmsg+0x164/0x220 net/socket.c:2678\n  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n  __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n  do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n \n\nLa dirección errónea pertenece a la variable:\n lacpdu_mcast_addr+0x0/0x40"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/bonding/bond_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"19266182b82e9100c799d8a29f5e0452f0bf7703","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"5063b2cd9b27d35ab788d707d7858ded0acc8f1d","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"ef68afb1bee8d35a18896c27d7358079353d8d8a","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"43dee6f7ef1d228821de1b61c292af3744c8d7da","versionType":"git","status":"affected"},{"version":"872254dd6b1f80cb95ee9e2e22980888533fc293","lessThan":"c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/bonding/bond_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.24","status":"affected"},{"version":"0","lessThan":"2.6.24","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.68","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.8","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-10T20:40:44.652755Z","id":"CVE-2026-23099","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.24","versionEndExcluding":"5.15.199","matchCriteriaId":"B1B14999-5FD5-43C6-B224-8B3A07A91FB6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.162","matchCriteriaId":"6579E0D4-0641-479D-A4C3-0EF618798C55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.122","matchCriteriaId":"8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.68","matchCriteriaId":"52F38E19-0FDD-4992-9D6D-D4169D689598"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.8","matchCriteriaId":"E65C6E79-7EBE-4C77-93F0-818CF5B38F4E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/19266182b82e9100c799d8a29f5e0452f0bf7703","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23247","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-18T11:16:16.723","lastModified":"2026-06-19T13:16:25.190","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ntcp: secure_seq: añadir de nuevo puertos al desplazamiento TS\n\nEsto revierte 28ee1b746f49 ('secure_seq: degradar a desplazamientos de marca de tiempo por host')\n\ntcp_tw_recycle desapareció en 2017.\n\nZhouyan Deng informó de una fuga de puerto de origen TCP fuera de ruta a través de un canal lateral de SYN cookie que se puede solucionar de múltiples maneras.\n\nUna de ellas es traer de vuelta los puertos TCP en la aleatorización del desplazamiento TS.\n\nComo ventaja adicional, realizamos un único cálculo de siphash() para proporcionar tanto un ISN como un desplazamiento TS."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/secure_seq.h","include/net/tcp.h","net/core/secure_seq.c","net/ipv4/syncookies.c","net/ipv4/tcp_input.c","net/ipv4/tcp_ipv4.c","net/ipv6/syncookies.c","net/ipv6/tcp_ipv6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"28ee1b746f493b7c62347d714f58fbf4f70df4f0","lessThan":"5da5662181ef8a251e3ba564903002c2e87de452","versionType":"git","status":"affected"},{"version":"28ee1b746f493b7c62347d714f58fbf4f70df4f0","lessThan":"eae2f14ab2efccdb7480fae7d42c4b0116ef8805","versionType":"git","status":"affected"},{"version":"28ee1b746f493b7c62347d714f58fbf4f70df4f0","lessThan":"46e5b0d7cf55821527adea471ffe52a5afbd9caf","versionType":"git","status":"affected"},{"version":"28ee1b746f493b7c62347d714f58fbf4f70df4f0","lessThan":"165573e41f2f66ef98940cf65f838b2cb575d9d1","versionType":"git","status":"affected"},{"version":"443fac9f2618b93cbc5ab068dc594530236b3a23","versionType":"git","status":"affected"},{"version":"4.10.14","lessThan":"4.11","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/secure_seq.h","include/net/tcp.h","net/core/secure_seq.c","net/ipv4/syncookies.c","net/ipv4/tcp_input.c","net/ipv4/tcp_ipv4.c","net/ipv6/syncookies.c","net/ipv6/tcp_ipv6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartExcluding":"4.11","versionEndExcluding":"6.18.17","matchCriteriaId":"93C0B2B1-66EF-41A6-8FCE-4ED37AB02E2A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.10.14:*:*:*:*:*:*:*","matchCriteriaId":"C30F9041-D8C3-4F81-B9F1-08BA07D0AE00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.11:-:*:*:*:*:*:*","matchCriteriaId":"623D643F-123E-4D3E-8CBF-16BF845D734B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.11:rc6:*:*:*:*:*:*","matchCriteriaId":"D67BFFD0-1A52-4F5D-98DB-D94B58FD8D30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.11:rc7:*:*:*:*:*:*","matchCriteriaId":"7D996F38-22AC-4059-84FC-F7D69CE0CB9B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.11:rc8:*:*:*:*:*:*","matchCriteriaId":"97EFF4F7-E5F9-4FAA-AD58-94A24501AD59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5da5662181ef8a251e3ba564903002c2e87de452","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23310","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:27.160","lastModified":"2026-06-19T13:16:25.320","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded\n\nbond_option_mode_set() already rejects mode changes that would make a\nloaded XDP program incompatible via bond_xdp_check().  However,\nbond_option_xmit_hash_policy_set() has no such guard.\n\nFor 802.3ad and balance-xor modes, bond_xdp_check() returns false when\nxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually\nabsent due to hardware offload.  This means a user can:\n\n1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode\n   with a compatible xmit_hash_policy (e.g. layer2+3).\n2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.\n\nThis leaves bond->xdp_prog set but bond_xdp_check() now returning false\nfor the same device.  When the bond is later destroyed, dev_xdp_uninstall()\ncalls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits\nthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:\n\nWARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))\n\nFix this by rejecting xmit_hash_policy changes to vlan+srcmac when an\nXDP program is loaded on a bond in 802.3ad or balance-xor mode.\n\ncommit 39a0876d595b (\"net, bonding: Disallow vlan+srcmac with XDP\")\nintroduced bond_xdp_check() which returns false for 802.3ad/balance-xor\nmodes when xmit_hash_policy is vlan+srcmac.  The check was wired into\nbond_xdp_set() to reject XDP attachment with an incompatible policy, but\nthe symmetric path -- preventing xmit_hash_policy from being changed to an\nincompatible value after XDP is already loaded -- was left unguarded in\nbond_option_xmit_hash_policy_set().\n\nNote:\ncommit 094ee6017ea0 (\"bonding: check xdp prog when set bond mode\")\nlater added a similar guard to bond_option_mode_set(), but\nbond_option_xmit_hash_policy_set() remained unprotected."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbpf/bonding: rechazar el cambio de política de hash de transmisión (xmit_hash_policy) a vlan+srcmac cuando XDP está cargado\n\nbond_option_mode_set() ya rechaza los cambios de modo que harían incompatible un programa XDP cargado a través de bond_xdp_check(). Sin embargo, bond_option_xmit_hash_policy_set() no tiene tal protección.\n\nPara los modos 802.3ad y balance-xor, bond_xdp_check() devuelve falso cuando la política de hash de transmisión (xmit_hash_policy) es vlan+srcmac, porque la carga útil 802.1q suele estar ausente debido a la descarga de hardware. Esto significa que un usuario puede:\n\n1. Adjuntar un programa XDP nativo a un bond en modo 802.3ad/balance-xor con una política de hash de transmisión (xmit_hash_policy) compatible (por ejemplo, capa2+3).\n2. Cambiar la política de hash de transmisión (xmit_hash_policy) a vlan+srcmac mientras XDP permanece cargado.\n\nEsto deja bond-&gt;xdp_prog establecido, pero bond_xdp_check() ahora devuelve falso para el mismo dispositivo. Cuando el bond es destruido posteriormente, dev_xdp_uninstall() llama a bond_xdp_set(dev, NULL, NULL) para eliminar el programa, lo que activa la protección de bond_xdp_check() y devuelve -EOPNOTSUPP, desencadenando:\n\nWARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))\n\nSolucione esto rechazando los cambios de política de hash de transmisión (xmit_hash_policy) a vlan+srcmac cuando un programa XDP está cargado en un bond en modo 802.3ad o balance-xor.\n\nEl commit 39a0876d595b ('net, bonding: No permitir vlan+srcmac con XDP') introdujo bond_xdp_check() que devuelve falso para los modos 802.3ad/balance-xor cuando la política de hash de transmisión (xmit_hash_policy) es vlan+srcmac. La verificación se integró en bond_xdp_set() para rechazar la asociación de XDP con una política incompatible, pero la ruta simétrica -- impidiendo que la política de hash de transmisión (xmit_hash_policy) se cambie a un valor incompatible después de que XDP ya esté cargado -- se dejó sin protección en bond_option_xmit_hash_policy_set().\n\nNota:\nEl commit 094ee6017ea0 ('bonding: verificar programa xdp al establecer modo de bond') añadió posteriormente una protección similar a bond_option_mode_set(), pero bond_option_xmit_hash_policy_set() permaneció sin protección."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/bonding/bond_main.c","drivers/net/bonding/bond_options.c","include/net/bonding.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"0a80e6ecaf669c77260b44254f4a84d76bf83e89","versionType":"git","status":"affected"},{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"5c262bd0e39320a6d6c8277cb8349ce21c01b8c1","versionType":"git","status":"affected"},{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"d36ad7e126c6a0c5f699583309ccc37e3a3263ea","versionType":"git","status":"affected"},{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e","versionType":"git","status":"affected"},{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"e85fa809e507b9d8eff4840888b8c727e4e8448c","versionType":"git","status":"affected"},{"version":"39a0876d595bd7c7512782dfcce0ee66f65bf221","lessThan":"479d589b40b836442bbdadc3fdb37f001bb67f26","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/bonding/bond_main.c","drivers/net/bonding/bond_options.c","include/net/bonding.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.130","matchCriteriaId":"E265D934-61CB-43A3-82C6-6D0F5B6DD9D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.77","matchCriteriaId":"B3D12E00-E42D-4056-B354-BAD4903C03A5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.17","matchCriteriaId":"A5E006E4-59C7-43C1-9231-62A72219F2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a80e6ecaf669c77260b44254f4a84d76bf83e89","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23346","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:32.767","lastModified":"2026-06-19T13:16:25.463","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: io: Extract user memory type in ioremap_prot()\n\nThe only caller of ioremap_prot() outside of the generic ioremap()\nimplementation is generic_access_phys(), which passes a 'pgprot_t' value\ndetermined from the user mapping of the target 'pfn' being accessed by\nthe kernel. On arm64, the 'pgprot_t' contains all of the non-address\nbits from the pte, including the permission controls, and so we end up\nreturning a new user mapping from ioremap_prot() which faults when\naccessed from the kernel on systems with PAN:\n\n  | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000\n  | ...\n  | Call trace:\n  |   __memcpy_fromio+0x80/0xf8\n  |   generic_access_phys+0x20c/0x2b8\n  |   __access_remote_vm+0x46c/0x5b8\n  |   access_remote_vm+0x18/0x30\n  |   environ_read+0x238/0x3e8\n  |   vfs_read+0xe4/0x2b0\n  |   ksys_read+0xcc/0x178\n  |   __arm64_sys_read+0x4c/0x68\n\nExtract only the memory type from the user 'pgprot_t' in ioremap_prot()\nand assert that we're being passed a user mapping, to protect us against\nany changes in future that may require additional handling. To avoid\nfalsely flagging users of ioremap(), provide our own ioremap() macro\nwhich simply wraps __ioremap_prot()."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\narm64: io: Extraer el tipo de memoria de usuario en ioremap_prot()\n\nEl único llamador de ioremap_prot() fuera de la implementación genérica de ioremap() es generic_access_phys(), que pasa un valor 'pgprot_t' determinado a partir del mapeo de usuario del 'pfn' objetivo al que accede el kernel. En arm64, el 'pgprot_t' contiene todos los bits no relacionados con la dirección del pte, incluidos los controles de permiso, y así terminamos devolviendo un nuevo mapeo de usuario desde ioremap_prot() que falla cuando se accede desde el kernel en sistemas con PAN:\n\n  | No se puede manejar la lectura del kernel desde memoria ilegible en la dirección virtual ffff80008ea89000\n  | ...\n  | Rastro de llamada:\n  |   __memcpy_fromio+0x80/0xf8\n  |   generic_access_phys+0x20c/0x2b8\n  |   __access_remote_vm+0x46c/0x5b8\n  |   access_remote_vm+0x18/0x30\n  |   environ_read+0x238/0x3e8\n  |   vfs_read+0xe4/0x2b0\n  |   ksys_read+0xcc/0x178\n  |   __arm64_sys_read+0x4c/0x68\n\nExtraer solo el tipo de memoria del 'pgprot_t' de usuario en ioremap_prot() y afirmar que se nos está pasando un mapeo de usuario, para protegernos contra cualquier cambio futuro que pueda requerir manejo adicional. Para evitar marcar erróneamente a los usuarios de ioremap(), proporcionar nuestra propia macro ioremap() que simplemente envuelve a __ioremap_prot()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/arm64/include/asm/io.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"893dea9ccd08dab924839354aba21d4ed7a9abc0","lessThan":"64858b76ec67c5fc40fef8ec1841fecb78c1ebde","versionType":"git","status":"affected"},{"version":"893dea9ccd08dab924839354aba21d4ed7a9abc0","lessThan":"eeecafce5afffb4da703666ebefbd4d6e2a5abf6","versionType":"git","status":"affected"},{"version":"893dea9ccd08dab924839354aba21d4ed7a9abc0","lessThan":"3d64dcc0799c2d6921ba027716b7be721eb19fa8","versionType":"git","status":"affected"},{"version":"893dea9ccd08dab924839354aba21d4ed7a9abc0","lessThan":"d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a","versionType":"git","status":"affected"},{"version":"893dea9ccd08dab924839354aba21d4ed7a9abc0","lessThan":"8f098037139b294050053123ab2bc0f819d08932","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/arm64/include/asm/io.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.1","versionEndExcluding":"6.18.17","matchCriteriaId":"1E4E7304-41DC-42ED-AFC0-8B1962A7CF99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*","matchCriteriaId":"7BE551E5-89CF-47A8-9B26-03CE727FBA37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/64858b76ec67c5fc40fef8ec1841fecb78c1ebde","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/eeecafce5afffb4da703666ebefbd4d6e2a5abf6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23364","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:35.547","lastModified":"2026-06-19T13:16:25.597","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Compare MACs in constant time\n\nTo prevent timing attacks, MAC comparisons need to be constant-time.\nReplace the memcmp() with the correct function, crypto_memneq()."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nksmbd: Comparar MACs en tiempo constante\n\nPara prevenir ataques de temporización, las comparaciones de MAC necesitan ser de tiempo constante.\nReemplazar memcmp() con la función correcta, crypto_memneq()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/server/Kconfig","fs/smb/server/auth.c","fs/smb/server/smb2pdu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"8a665d733940592e671ec6afadcd0be80a091a80","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"cd52a0e309659537048a864211abc3ea4c5caa63","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"307afccb751f542246bd5dc68a2c1ffe1a78418c","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"2cdc56ed67615ba0921383a688f24415ebe065f3","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"93c0a22fec914ec4b697e464895a0f594e29fb28","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"f4588b85efd6007d46b80aa1b9fb746628ffb3dc","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"c5794709bc9105935dbedef8b9cf9c06f2b559fa","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/server/Kconfig","fs/smb/server/auth.c","fs/smb/server/smb2pdu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.1","versionEndExcluding":"6.1.167","matchCriteriaId":"188E5185-CE12-4815-A91F-88B7BAE67583"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.130","matchCriteriaId":"C57BB918-DF28-46B3-94F7-144176841267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.78","matchCriteriaId":"28D591F5-B196-4CC9-905C-DC80F116E7A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.19","matchCriteriaId":"D394AC60-6F28-435F-872A-CCDF384B8331"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*","matchCriteriaId":"40D9C0D1-0F32-4A2B-9840-1072F5497540"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2cdc56ed67615ba0921383a688f24415ebe065f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/307afccb751f542246bd5dc68a2c1ffe1a78418c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8a665d733940592e671ec6afadcd0be80a091a80","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93c0a22fec914ec4b697e464895a0f594e29fb28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c5794709bc9105935dbedef8b9cf9c06f2b559fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cd52a0e309659537048a864211abc3ea4c5caa63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f4588b85efd6007d46b80aa1b9fb746628ffb3dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31432","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T09:16:21.410","lastModified":"2026-06-19T13:16:26.050","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/server/smb2pdu.c","fs/smb/server/smbacl.c","fs/smb/server/smbacl.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"850452af77f55d185f9445e1f7a1db53c5e4aad4","versionType":"git","status":"affected"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09","versionType":"git","status":"affected"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"075ea208c648cc2bcd616295b711d3637c61de45","versionType":"git","status":"affected"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"515c2daab46021221bdf406bef19bc90a44ec617","versionType":"git","status":"affected"},{"version":"e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d","lessThan":"fda9522ed6afaec45cabc198d8492270c394c7bc","versionType":"git","status":"affected"},{"version":"f2283680a80571ca82d710bc6ecd8f8beac67d63","versionType":"git","status":"affected"},{"version":"9f297df20d93411c0b4ddad7f88ba04a7cd36e77","versionType":"git","status":"affected"},{"version":"5.15.145","lessThan":"5.16","versionType":"semver","status":"affected"},{"version":"6.1.71","lessThan":"6.2","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/server/smb2pdu.c","fs/smb/server/smbacl.c","fs/smb/server/smbacl.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.145","versionEndExcluding":"5.16","matchCriteriaId":"B98C9201-BF17-4E2C-84FF-75EE2AA94DC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.71","versionEndExcluding":"6.2","matchCriteriaId":"163E72B5-0F5D-49E2-AAEA-F11E02D730AD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.81","matchCriteriaId":"D467CA25-2A1E-475C-969E-62759720CE35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/075ea208c648cc2bcd616295b711d3637c61de45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/515c2daab46021221bdf406bef19bc90a44ec617","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/850452af77f55d185f9445e1f7a1db53c5e4aad4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d48c64fb80ad78b3dd29fb7d79b6ec7bd72bfc09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fda9522ed6afaec45cabc198d8492270c394c7bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31449","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:38.933","lastModified":"2026-06-19T13:16:26.183","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/ext4/extents.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"39d6e2b67651614bac0dc6592fa9836321910067","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"c5839b34704c9c2f47f079451bdbb22de0da1ed1","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"10242e640b36b91ad03d25f3dc77854bbdff8358","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"4d08401aa13f1531216f1a7ae281ca4806e90a5c","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"407c944f217c17d4343148011acafebc604d55e1","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"93f2e975ed658ce09db4d4c2877ca2c06540df83","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"01bf1e0b997d82c0e353b51ed74ef99698043c33","versionType":"git","status":"affected"},{"version":"a86c61812637c7dd0c57e29880cffd477b62f2e7","lessThan":"2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/ext4/extents.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.19","status":"affected"},{"version":"0","lessThan":"2.6.19","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19.1","versionEndExcluding":"6.12.80","matchCriteriaId":"6126AEF2-0176-48D1-96AD-72781F726931"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*","matchCriteriaId":"9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"8D97ED16-D6B7-4445-889C-4D6DE2EDC49A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"B2C2D5D4-9A4B-4CDF-8D71-D22EB5E97D5A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"DFFB2843-A867-48EC-97D7-B106C7BBAED0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"3CD3FE23-1A10-47E6-AD7E-D67F1BE3C5E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"9F39FC76-7D77-4064-94D3-A16C436FA8D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/10242e640b36b91ad03d25f3dc77854bbdff8358","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/39d6e2b67651614bac0dc6592fa9836321910067","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d08401aa13f1531216f1a7ae281ca4806e90a5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c5839b34704c9c2f47f079451bdbb22de0da1ed1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31486","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:46.160","lastModified":"2026-06-19T13:16:26.330","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/hwmon/pmbus/pmbus_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7","lessThan":"b26849cffaa7c43355b82e9bef3725e786973a1a","versionType":"git","status":"affected"},{"version":"ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7","lessThan":"acf04e2863132f6d9222f71f3a76fb9782cbe061","versionType":"git","status":"affected"},{"version":"ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7","lessThan":"4e9d723d9f198b86f6882a84c501ba1f39e8d055","versionType":"git","status":"affected"},{"version":"ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7","lessThan":"2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07","versionType":"git","status":"affected"},{"version":"ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7","lessThan":"754bd2b4a084b90b5e7b630e1f423061a9b9b761","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/hwmon/pmbus/pmbus_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.92","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19.1","versionEndExcluding":"6.18.21","matchCriteriaId":"689AD2FA-326D-4E6F-8192-689D60EEA86F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.19:-:*:*:*:*:*:*","matchCriteriaId":"8C54596F-5461-44C4-91FB-7453BE905748"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4e9d723d9f198b86f6882a84c501ba1f39e8d055","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/754bd2b4a084b90b5e7b630e1f423061a9b9b761","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/acf04e2863132f6d9222f71f3a76fb9782cbe061","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b26849cffaa7c43355b82e9bef3725e786973a1a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31489","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:46.603","lastModified":"2026-06-19T13:16:26.467","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/spi/spi-meson-spicc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"05565b469358a9a03034f7f712d83590a9f125a4","lessThan":"01f5f7976c24d6e9beef6b5a410af3b9b1d4d476","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"d61bcec3aec6f0244a9b963e0c76c00f771d49b6","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"7434c64ddae88a02e7fb478bc256cc100d48d3e3","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"0d645c6d13fa0597935d3d16b09a7ba5d24ed284","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"40ad0334c17b23d8b66b1082ad1478a6202e90e2","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"da06a104f0486355073ff0d1bcb1fcbebb7080d6","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"9b812ceb75a6260c17c91db4b9e74ead8cfa06f5","versionType":"git","status":"affected"},{"version":"8311ee2164c5cd1b63a601ea366f540eae89f10e","lessThan":"63542bb402b7013171c9f621c28b609eda4dbf1f","versionType":"git","status":"affected"},{"version":"ff056817560d72363b463ddac27822dc8c121280","versionType":"git","status":"affected"},{"version":"683b47d0ebb10ba0d272604b09686e023d10d40c","versionType":"git","status":"affected"},{"version":"a5bf7ef13ebf6adf62a69ab3542d4fc0564c082e","versionType":"git","status":"affected"},{"version":"f2ca988aba4eaad1319e80eb1316a4ba5dbd6897","versionType":"git","status":"affected"},{"version":"5.10.58","lessThan":"5.10.259","versionType":"semver","status":"affected"},{"version":"4.14.244","lessThan":"4.15","versionType":"semver","status":"affected"},{"version":"4.19.203","lessThan":"4.20","versionType":"semver","status":"affected"},{"version":"5.4.140","lessThan":"5.5","versionType":"semver","status":"affected"},{"version":"5.13.10","lessThan":"5.14","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/spi/spi-meson-spicc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.14","status":"affected"},{"version":"0","lessThan":"5.14","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.244","versionEndExcluding":"4.15","matchCriteriaId":"0BB634A6-F36F-476C-94DA-84A3ABF7A170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.203","versionEndExcluding":"4.20","matchCriteriaId":"701FECB5-CEA6-4D3E-868E-F70A777945E0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.140","versionEndExcluding":"5.5","matchCriteriaId":"75CD851C-0372-41B3-9A47-AC6DD48C6AB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.58","versionEndExcluding":"5.11","matchCriteriaId":"A4D3DC93-FB8F-4C90-807D-BD2092747B75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.10","versionEndExcluding":"5.14","matchCriteriaId":"C09DC193-F9A8-4983-B677-7CE60D711D40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.1","versionEndExcluding":"6.12.80","matchCriteriaId":"1077EA71-D36D-44EB-AEF6-7978036231E8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*","matchCriteriaId":"6A05198E-F8FA-4517-8D0E-8C95066AED38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01f5f7976c24d6e9beef6b5a410af3b9b1d4d476","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0d645c6d13fa0597935d3d16b09a7ba5d24ed284","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7434c64ddae88a02e7fb478bc256cc100d48d3e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d61bcec3aec6f0244a9b963e0c76c00f771d49b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31700","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.907","lastModified":"2026-06-19T13:16:26.743","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap'd TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap'd ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/packet/af_packet.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"0f4c9754956b86de158a4af5278c5cf5bda9439e","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"714aa973da8163925eda7efd49361ccbee21ee46","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"1490f82353bdabc09265a74e645b07f05cf4188e","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"3a1bf9116ea31470b89692585c3910dfe830dcdd","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"28324a3b62d9ce7f9bdd65a8ce63f382041d1b27","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b","versionType":"git","status":"affected"},{"version":"1d036d25e5609ba73fee6a88db01c306b140d512","lessThan":"2c054e17d9d41f1020376806c7f750834ced4dc5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/packet/af_packet.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.6.136","matchCriteriaId":"7A6CE177-C7BA-4E34-9D61-035565B5FFF5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f4c9754956b86de158a4af5278c5cf5bda9439e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1490f82353bdabc09265a74e645b07f05cf4188e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/714aa973da8163925eda7efd49361ccbee21ee46","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31708","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.837","lastModified":"2026-06-19T13:16:27.003","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path\n\nsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL\nand the default QUERY_INFO path.  The QUERY_INFO branch clamps\nqi.input_buffer_length to the server-reported OutputBufferLength and then\ncopies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but\nit never verifies that the flexible-array payload actually fits within\nrsp_iov[1].iov_len.\n\nA malicious server can return OutputBufferLength larger than the actual\nQUERY_INFO response, causing copy_to_user() to walk past the response\nbuffer and expose adjacent kernel heap to userspace.\n\nGuard the QUERY_INFO copy with a bounds check on the actual Buffer\npayload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)\nrather than an open-coded addition so the guard cannot overflow on\n32-bit builds."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/client/smb2ops.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"e66bdc0704977ecee667a81d38255b579c2353d0","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"9e203dbb5402897c43130fb171a2617008a91f45","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"1dd757379997b71a328a4b591ffaf481acd0ead1","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"a34d456934fe42e4da5d2cc07787bf418bee99c6","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"ac2f14e4705d020f04e806efa0d49ab8dc2b145f","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"078fae8f50adebb903ccf2252b44391324571e78","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"85fd46ee26a11841c670449508025965f61ce131","versionType":"git","status":"affected"},{"version":"f5778c398713692a16150ae96e5c8270bab8399f","lessThan":"a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/client/smb2ops.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.1","status":"affected"},{"version":"0","lessThan":"5.1","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.136","matchCriteriaId":"B28CAC2A-4B06-4D07-8736-82E515099010"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1dd757379997b71a328a4b591ffaf481acd0ead1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9e203dbb5402897c43130fb171a2617008a91f45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e66bdc0704977ecee667a81d38255b579c2353d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31711","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.150","lastModified":"2026-06-19T13:16:27.260","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath.  The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter.  Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected.  The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\".  With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/server/transport_tcp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4210c3555db4b38bade92331b153e583261f05f9","lessThan":"dc2e7d595d68cf1be1ba64e3d30ebf3266bf7242","versionType":"git","status":"affected"},{"version":"d5d7847e57ac69fa99c18b363a34419bcdb5a281","lessThan":"60734c8bc3b4aa0672e251f08dda81977e4b5387","versionType":"git","status":"affected"},{"version":"0d0d4680db22eda1eea785c47bbf66a9b33a8b16","lessThan":"97f8d2648ef4871e4cd335e2d769cb40054a6772","versionType":"git","status":"affected"},{"version":"0d0d4680db22eda1eea785c47bbf66a9b33a8b16","lessThan":"295a9fc6789d1011c36ded9f0f2907bb34fa0de4","versionType":"git","status":"affected"},{"version":"0d0d4680db22eda1eea785c47bbf66a9b33a8b16","lessThan":"283027aa93380380a0994f35dde3ec95318f2654","versionType":"git","status":"affected"},{"version":"0d0d4680db22eda1eea785c47bbf66a9b33a8b16","lessThan":"fb48185bcd946d42de7017cf27f912f8ab26acf0","versionType":"git","status":"affected"},{"version":"0d0d4680db22eda1eea785c47bbf66a9b33a8b16","lessThan":"6551300dc452ac16a855a83dbd1e74899542d3b3","versionType":"git","status":"affected"},{"version":"5.15.91","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.9","lessThan":"6.1.175","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/server/transport_tcp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.91","versionEndExcluding":"5.16","matchCriteriaId":"ED68583F-E9BC-4090-BF89-17DA58537455"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.9","versionEndExcluding":"6.2","matchCriteriaId":"64423FA1-5CBD-4C54-B021-9A38E16861A1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.1","versionEndExcluding":"6.6.136","matchCriteriaId":"F9B6E58F-A6C7-42EF-B789-FD0BB75AA71A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*","matchCriteriaId":"3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*","matchCriteriaId":"4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*","matchCriteriaId":"C64BDD9D-C663-4E75-AE06-356EDC392B82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc8:*:*:*:*:*:*","matchCriteriaId":"26544390-88E4-41CA-98BF-7BB1E9D4E243"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60734c8bc3b4aa0672e251f08dda81977e4b5387","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc2e7d595d68cf1be1ba64e3d30ebf3266bf7242","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fb48185bcd946d42de7017cf27f912f8ab26acf0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31712","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.270","lastModified":"2026-06-19T13:16:27.403","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require minimum ACE size in smb_check_perm_dacl()\n\nBoth ACE-walk loops in smb_check_perm_dacl() only guard against an\nunder-sized remaining buffer, not against an ACE whose declared\n`ace->size` is smaller than the struct it claims to describe:\n\n  if (offsetof(struct smb_ace, access_req) > aces_size)\n      break;\n  ace_size = le16_to_cpu(ace->size);\n  if (ace_size > aces_size)\n      break;\n\nThe first check only requires the 4-byte ACE header to be in bounds;\nit does not require access_req (4 bytes at offset 4) to be readable.\nAn attacker who has set a crafted DACL on a file they own can declare\nace->size == 4 with aces_size == 4, pass both checks, and then\n\n  granted |= le32_to_cpu(ace->access_req);               /* upper loop */\n  compare_sids(&sid, &ace->sid);                         /* lower loop */\n\nreads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at\noffset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES\n* 4 bytes).\n\nTighten both loops to require\n\n  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE\n\nwhich is the smallest valid on-wire ACE layout (4-byte header +\n4-byte access_req + 8-byte sid base with zero sub-auths).  Also\nreject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES\nbefore letting compare_sids() dereference sub_auth[] entries.\n\nparse_sec_desc() already enforces an equivalent check (lines 441-448);\nsmb_check_perm_dacl() simply grew weaker validation over time.\n\nReachability: authenticated SMB client with permission to set an ACL\non a file.  On a subsequent CREATE against that file, the kernel\nwalks the stored DACL via smb_check_perm_dacl() and triggers the\nOOB read.  Not pre-auth, and the OOB read is not reflected to the\nattacker, but KASAN reports and kernel state corruption are\npossible."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/server/smbacl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"282cbbb476b9f35793452bc461934af4c7eca169","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"f20adc4ef7428bc485ee83fd1a592252fb87718b","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"325d4ac11f526cb8964cff14548ccf02d8c756d8","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4c","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"90089584b2e25c4510b7b987387b4405f0673ece","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"151b1799861fde38087c08f613abc2843ef597b0","versionType":"git","status":"affected"},{"version":"e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9","lessThan":"d07b26f39246a82399661936dd0c853983cfade7","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/server/smbacl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.5}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.84","matchCriteriaId":"04651641-C387-4546-B02F-17BA989CC253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/151b1799861fde38087c08f613abc2843ef597b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/282cbbb476b9f35793452bc461934af4c7eca169","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/325d4ac11f526cb8964cff14548ccf02d8c756d8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/90089584b2e25c4510b7b987387b4405f0673ece","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/95e5aa3c3261da8c95b27d7aecf8ee39b9f86a4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d07b26f39246a82399661936dd0c853983cfade7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f20adc4ef7428bc485ee83fd1a592252fb87718b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31715","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.637","lastModified":"2026-06-19T13:16:27.537","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()\n\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\n\nThe concurrent scenario that triggers the panic is as follows:\n\nF2FS_WB_CP_DATA write callback          umount\n                                        - f2fs_write_checkpoint\n                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n - bio_endio\n  - f2fs_write_end_io\n   : dec_page_count(sbi, F2FS_WB_CP_DATA)\n   : wake_up(&sbi->cp_wait)\n                                        - kill_f2fs_super\n                                         - kill_block_super\n                                          - f2fs_put_super\n                                           : iput(sbi->node_inode)\n                                           : sbi->node_inode = NULL\n   : f2fs_in_warm_node_list\n    - is_node_folio // sbi->node_inode is NULL and panic\n\nThe root cause is that f2fs_put_super() calls iput(sbi->node_inode) and\nsets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\n\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/f2fs/data.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"7dbdab4430e4654db9aacef12b9b3b8b29ca25cb","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"ffb94770dbdfb5411be5d9f44a960b010ec890ad","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"0d40b26377f891e6dcb6efaf8ef9374c99be1b1d","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"1171f329cf1c175321251ac40fd126150d7ad1e8","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"7be222de96c0f9eee6e65eeb017ef855ee185cfa","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"963d2e24d9d92a31e6773b0f642214f10013ebf7","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"188bb65f247a7a7c62f287c9a263aee3cad96fa5","versionType":"git","status":"affected"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/f2fs/data.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.19","status":"affected"},{"version":"0","lessThan":"4.19","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"6.18.25","matchCriteriaId":"8FCBD357-E27C-4208-8F7A-93061EE45D3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0d40b26377f891e6dcb6efaf8ef9374c99be1b1d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1171f329cf1c175321251ac40fd126150d7ad1e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7be222de96c0f9eee6e65eeb017ef855ee185cfa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7dbdab4430e4654db9aacef12b9b3b8b29ca25cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ffb94770dbdfb5411be5d9f44a960b010ec890ad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31727","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T15:16:35.210","lastModified":"2026-06-19T13:16:27.667","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo\n\nCommit ec35c1969650 (\"usb: gadget: f_ncm: Fix net_device lifecycle with\ndevice_move\") reparents the gadget device to /sys/devices/virtual during\nunbind, clearing the gadget pointer. If the userspace tool queries on\nthe surviving interface during this detached window, this leads to a\nNULL pointer dereference.\n\nUnable to handle kernel NULL pointer dereference\nCall trace:\n eth_get_drvinfo+0x50/0x90\n ethtool_get_drvinfo+0x5c/0x1f0\n __dev_ethtool+0xaec/0x1fe0\n dev_ethtool+0x134/0x2e0\n dev_ioctl+0x338/0x560\n\nAdd a NULL check for dev->gadget in eth_get_drvinfo(). When detached,\nskip copying the fw_version and bus_info strings, which is natively\nhandled by ethtool_get_drvinfo for empty strings."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/usb/gadget/function/u_ether.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"7c97366f5dac5255e60a317ffe3a5b18f3745547","lessThan":"f9f987472f4b8ab177be2b6492a59278ed969479","versionType":"git","status":"affected"},{"version":"36c41e9724c9a7a7cda37f5a4e9d94f25c8031c4","lessThan":"7fce959e9be3bf63bb0fdf4b05f9cc42cb289fe2","versionType":"git","status":"affected"},{"version":"93f116c3393a22acab96ad1bef12b2572eb80ca4","lessThan":"0326429e8ba99892e1d1e115dc8e88e1a3b64e24","versionType":"git","status":"affected"},{"version":"e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d","lessThan":"a36e5e800b9c93e3e1ffa42f34d38b36775dbcee","versionType":"git","status":"affected"},{"version":"85acaba2f42b557499bab3608307f17bf13beb69","lessThan":"7de4d46be40738c7e48e64b5cc0a34aa1e047b0a","versionType":"git","status":"affected"},{"version":"ec35c1969650e7cb6c8a91020e568ed46e3551b0","lessThan":"e002e92e88e12457373ed096b18716d97e7bbb20","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/usb/gadget/function/u_ether.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.12.78","lessThan":"6.12.81","versionType":"semver","status":"affected"},{"version":"6.18.19","lessThan":"6.18.22","versionType":"semver","status":"affected"},{"version":"6.19.9","lessThan":"6.19.12","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.78","versionEndExcluding":"6.12.81","matchCriteriaId":"3567D859-58AE-4093-AF8D-4FAF8C4F6486"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.19","versionEndExcluding":"6.18.22","matchCriteriaId":"FFB8FEEE-92ED-46DD-897B-15F8534FE743"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.9","versionEndExcluding":"6.19.12","matchCriteriaId":"F44F6C4F-96C5-4F3A-8DA1-9B8F6AB14C51"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0326429e8ba99892e1d1e115dc8e88e1a3b64e24","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7de4d46be40738c7e48e64b5cc0a34aa1e047b0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7fce959e9be3bf63bb0fdf4b05f9cc42cb289fe2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a36e5e800b9c93e3e1ffa42f34d38b36775dbcee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e002e92e88e12457373ed096b18716d97e7bbb20","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f9f987472f4b8ab177be2b6492a59278ed969479","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43019","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T15:16:46.103","lastModified":"2026-06-19T13:16:27.777","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it's possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently.  Just RCU lock is not suitable here, as we also want to\navoid \"tearing\" in the configuration."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/bluetooth/hci_conn.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a091289218202bc09d9b9caa8afcde1018584aec","lessThan":"7502c1cf303b69f71d085f5ff7251b0e1b0f09df","versionType":"git","status":"affected"},{"version":"a091289218202bc09d9b9caa8afcde1018584aec","lessThan":"66d432e9b45bae7881ffcdb12cd8fd0bf254ef02","versionType":"git","status":"affected"},{"version":"a091289218202bc09d9b9caa8afcde1018584aec","lessThan":"7d568fede8eac91161a60b710aa920abe9b0fb9f","versionType":"git","status":"affected"},{"version":"a091289218202bc09d9b9caa8afcde1018584aec","lessThan":"bad65b4b0a96139f023eadc28a33125963208449","versionType":"git","status":"affected"},{"version":"a091289218202bc09d9b9caa8afcde1018584aec","lessThan":"a2639a7f0f5bf7d73f337f8f077c19415c62ed2c","versionType":"git","status":"affected"},{"version":"3a273cd0f47dd672d37736e623849374f9ab9ce9","versionType":"git","status":"affected"},{"version":"d8570c4c3f2a3e51b3c8b5e6ec898364c5c03062","versionType":"git","status":"affected"},{"version":"6.4.16","lessThan":"6.5","versionType":"semver","status":"affected"},{"version":"6.5.3","lessThan":"6.6","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/bluetooth/hci_conn.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.81","matchCriteriaId":"D467CA25-2A1E-475C-969E-62759720CE35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.4.16:*:*:*:*:*:*:*","matchCriteriaId":"8E92AAEB-3511-43E8-B87A-8ECDD0F9A60C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5.3:*:*:*:*:*:*:*","matchCriteriaId":"82CFAFF6-0F05-40A4-B4A0-3140D6DD012F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/66d432e9b45bae7881ffcdb12cd8fd0bf254ef02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7502c1cf303b69f71d085f5ff7251b0e1b0f09df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d568fede8eac91161a60b710aa920abe9b0fb9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a2639a7f0f5bf7d73f337f8f077c19415c62ed2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bad65b4b0a96139f023eadc28a33125963208449","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43052","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T15:16:51.670","lastModified":"2026-06-19T13:16:27.900","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\nWhen NL80211_TDLS_ENABLE_LINK is called, the code only checks if the\nstation exists but not whether it is actually a TDLS station. This\nallows the operation to proceed for non-TDLS stations, causing\nunintended side effects like modifying channel context and HT\nprotection before failing.\n\nAdd a check for sta->sta.tdls early in the ENABLE_LINK case, before\nany side effects occur, to ensure the operation is only allowed for\nactual TDLS peers."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/mac80211/tdls.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"e602246235fc2ef06c39b2e9cf147d84d0896b73","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"6813a8b1b240756dad4375f3e020ce10e4e3871b","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"44839ea7e96b3659a1606f3d5267063135479b7c","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"ba5b43db126a5e7378553869e3f7954d9187349f","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"8148c2fda4ebb17104a573649c9b699208ad10ee","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"be81f17151fcb8546a95f35ca8f4231b065985de","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"e77b2937aaa20264e4bd699d3244bdb50e7e3343","versionType":"git","status":"affected"},{"version":"941c93cd039852b7ab02c74f4698c99d82bd6cfe","lessThan":"7d73872d949c488a1d7c308031d6a9d89b5e0a8b","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/mac80211/tdls.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.2","status":"affected"},{"version":"0","lessThan":"3.2","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.142","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.12.81","matchCriteriaId":"D380DB7C-C66B-4BEC-9529-5AC7B5E565D9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/44839ea7e96b3659a1606f3d5267063135479b7c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6813a8b1b240756dad4375f3e020ce10e4e3871b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d73872d949c488a1d7c308031d6a9d89b5e0a8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8148c2fda4ebb17104a573649c9b699208ad10ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ba5b43db126a5e7378553869e3f7954d9187349f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be81f17151fcb8546a95f35ca8f4231b065985de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e602246235fc2ef06c39b2e9cf147d84d0896b73","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e77b2937aaa20264e4bd699d3244bdb50e7e3343","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43064","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-05T16:16:15.567","lastModified":"2026-06-19T13:16:28.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix not releasing workqueue on .release()\n\nThe workqueue associated with an DSA/IAA device is not released when\nthe object is freed."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/dma/idxd/sysfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"70ae35be58d476e2fd9f7a941a5e03b2f5fadb8d","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"b22fd53b2ceb35445475f0edab13a908c5fb8433","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"d02c24af126dee45247dc7890409c86d1831859d","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"958e96533ddbd1edd127feb7624a7eed0cc379dc","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"fc34f199eb576b3a73089452fdf0056cc9a9301d","versionType":"git","status":"affected"},{"version":"47c16ac27d4cb664cee53ee0b9b7e2f907923fb3","lessThan":"3d33de353b1ff9023d5ec73b9becf80ea87af695","versionType":"git","status":"affected"},{"version":"3f0e87eb9680975184e98aed0e8866b4442a31f6","versionType":"git","status":"affected"},{"version":"a13e4cf29da68630a116c1309072a265ade9566d","versionType":"git","status":"affected"},{"version":"5.11.22","lessThan":"5.12","versionType":"semver","status":"affected"},{"version":"5.12.5","lessThan":"5.13","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/dma/idxd/sysfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.22","versionEndExcluding":"5.12","matchCriteriaId":"4BA7BC58-B6BD-469F-B348-D71C30EF4397"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.5","versionEndExcluding":"5.13","matchCriteriaId":"2CA34CAF-7251-4EB2-8208-AC54EF7AD9C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.1.168","matchCriteriaId":"04D24E88-753A-4536-B478-6EEE3223E44B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.131","matchCriteriaId":"CE6ED4D4-0046-4573-BFA9-D64143B6A89F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.80","matchCriteriaId":"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d33de353b1ff9023d5ec73b9becf80ea87af695","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/70ae35be58d476e2fd9f7a941a5e03b2f5fadb8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/958e96533ddbd1edd127feb7624a7eed0cc379dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b22fd53b2ceb35445475f0edab13a908c5fb8433","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d02c24af126dee45247dc7890409c86d1831859d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fc34f199eb576b3a73089452fdf0056cc9a9301d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43088","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:22.090","lastModified":"2026-06-19T13:16:28.160","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_key: zero aligned sockaddr tail in PF_KEY exports\n\nPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr\npayload space, so IPv6 addresses occupy 32 bytes on the wire. However,\n`pfkey_sockaddr_fill()` initializes only the first 28 bytes of\n`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.\n\nNot every PF_KEY message is affected. The state and policy dump builders\nalready zero the whole message buffer before filling the sockaddr\npayloads. Keep the fix to the export paths that still append aligned\nsockaddr payloads with plain `skb_put()`:\n\n  - `SADB_ACQUIRE`\n  - `SADB_X_NAT_T_NEW_MAPPING`\n  - `SADB_X_MIGRATE`\n\nFix those paths by clearing only the aligned sockaddr tail after\n`pfkey_sockaddr_fill()`."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/key/af_key.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3c19cb8a84ef709d57943bd6664cf31cb91ba6ec","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"11cbf294bac623bd57296f231199193087f57b4a","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"edd446ee7cd3d02cac246168063d5b3e9ea68460","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"2e74f974359b5382ecbe8536abbb5b837eb6c724","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"426c355742f02cf743b347d9d7dbdc1bfbfa31ef","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/key/af_key.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.12.88","matchCriteriaId":"F6A976D5-52D2-4887-B410-6D4BFD825BCB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/11cbf294bac623bd57296f231199193087f57b4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2e74f974359b5382ecbe8536abbb5b837eb6c724","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3c19cb8a84ef709d57943bd6664cf31cb91ba6ec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/426c355742f02cf743b347d9d7dbdc1bfbfa31ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/edd446ee7cd3d02cac246168063d5b3e9ea68460","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43116","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:25.400","lastModified":"2026-06-19T13:16:28.283","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ensure safe access to master conntrack\n\nHolding reference on the expectation is not sufficient, the master\nconntrack object can just go away, making exp->master invalid.\n\nTo access exp->master safely:\n\n- Grab the nf_conntrack_expect_lock, this gets serialized with\n  clean_from_lists() which also holds this lock when the master\n  conntrack goes away.\n\n- Hold reference on master conntrack via nf_conntrack_find_get().\n  Not so easy since the master tuple to look up for the master conntrack\n  is not available in the existing problematic paths.\n\nThis patch goes for extending the nf_conntrack_expect_lock section\nto address this issue for simplicity, in the cases that are described\nbelow this is just slightly extending the lock section.\n\nThe add expectation command already holds a reference to the master\nconntrack from ctnetlink_create_expect().\n\nHowever, the delete expectation command needs to grab the spinlock\nbefore looking up for the expectation. Expand the existing spinlock\nsection to address this to cover the expectation lookup. Note that,\nthe nf_ct_expect_iterate_net() calls already grabs the spinlock while\niterating over the expectation table, which is correct.\n\nThe get expectation command needs to grab the spinlock to ensure master\nconntrack does not go away. This also expands the existing spinlock\nsection to cover the expectation lookup too. I needed to move the\nnetlink skb allocation out of the spinlock to keep it GFP_KERNEL.\n\nFor the expectation events, the IPEXP_DESTROY event is already delivered\nunder the spinlock, just move the delivery of IPEXP_NEW under the\nspinlock too because the master conntrack event cache is reached through\nexp->master.\n\nWhile at it, add lockdep notations to help identify what codepaths need\nto grab the spinlock."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"9e1196d27ef496f404c76f7a9d03761142d991c4","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"5e1c1d22268ae710c238342c8030c21daf298168","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"d52fa1fa7440676b8c238037a050ab008c22737f","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"f338ced0473849c9f6ed0b77ca99f1aab5826787","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"497f99b26fffdc5635706d1b4811f1ed8ee21a5b","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.16","status":"affected"},{"version":"0","lessThan":"2.6.16","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.16","versionEndExcluding":"6.18.24","matchCriteriaId":"0D55758C-FA92-4C05-99B4-542E75635240"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5e1c1d22268ae710c238342c8030c21daf298168","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e1196d27ef496f404c76f7a9d03761142d991c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d52fa1fa7440676b8c238037a050ab008c22737f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43129","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T12:16:29.963","lastModified":"2026-06-19T13:16:28.960","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nima: verify the previous kernel's IMA buffer lies in addressable RAM\n\nPatch series \"Address page fault in ima_restore_measurement_list()\", v3.\n\nWhen the second-stage kernel is booted via kexec with a limiting command\nline such as \"mem=<size>\" we observe a pafe fault that happens.\n\n    BUG: unable to handle page fault for address: ffff97793ff47000\n    RIP: ima_restore_measurement_list+0xdc/0x45a\n    #PF: error_code(0x0000)  not-present page\n\nThis happens on x86_64 only, as this is already fixed in aarch64 in\ncommit: cbf9c4b9617b (\"of: check previous kernel's ima-kexec-buffer\nagainst memory bounds\")\n\n\nThis patch (of 3):\n\nWhen the second-stage kernel is booted with a limiting command line (e.g. \n\"mem=<size>\"), the IMA measurement buffer handed over from the previous\nkernel may fall outside the addressable RAM of the new kernel.  Accessing\nsuch a buffer can fault during early restore.\n\nIntroduce a small generic helper, ima_validate_range(), which verifies\nthat a physical [start, end] range for the previous-kernel IMA buffer lies\nwithin addressable memory:\n\t- On x86, use pfn_range_is_mapped().\n\t- On OF based architectures, use page_is_ram()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/linux/ima.h","security/integrity/ima/ima_kexec.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"43308106a1762b72f3b20a44b75b2df5cb25b77b","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"f11d7d088f5ed54b31c6735854c12845eb60eb4a","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"5366ec7d2f793ce703c403d7fd4c25a3db365b9d","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"10d1c75ed4382a8e79874379caa2ead8952734f9","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/linux/ima.h","security/integrity/ima/ima_kexec.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.12.77","matchCriteriaId":"08247D85-C56B-439D-A2E8-1570C7CF83AC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/10d1c75ed4382a8e79874379caa2ead8952734f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/43308106a1762b72f3b20a44b75b2df5cb25b77b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f11d7d088f5ed54b31c6735854c12845eb60eb4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43240","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T12:16:44.330","lastModified":"2026-06-19T13:16:29.197","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: add a sanity check on previous kernel's ima kexec buffer\n\nWhen the second-stage kernel is booted via kexec with a limiting command\nline such as \"mem=<size>\", the physical range that contains the carried\nover IMA measurement list may fall outside the truncated RAM leading to a\nkernel panic.\n\n    BUG: unable to handle page fault for address: ffff97793ff47000\n    RIP: ima_restore_measurement_list+0xdc/0x45a\n    #PF: error_code(0x0000) – not-present page\n\nOther architectures already validate the range with page_is_ram(), as done\nin commit cbf9c4b9617b (\"of: check previous kernel's ima-kexec-buffer\nagainst memory bounds\") do a similar check on x86.\n\nWithout carrying the measurement list across kexec, the attestation\nwould fail."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/x86/kernel/setup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"37f18915a261afe84dab462624ed829cddb77a9b","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"22e460b6333a5f818b042ac89201f8e735556f4a","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"7e2476057950c174c7b2c2802246707bbfb497e4","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"f8f73bf0f8a57ee9b86792456bd42079bc98c6b7","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"d4a132f121c591b60dbaf57ea91f1faf11631fbc","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"4d7a8f5f28187e3d2958b2a134473da2665207e7","versionType":"git","status":"affected"},{"version":"b69a2afd5afce9bf6d56e349d6ab592c916e20f2","lessThan":"c5489d04337b47e93c0623e8145fcba3f5739efd","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/x86/kernel/setup.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1.165","matchCriteriaId":"CCAEAB8E-BC62-4F74-ABC0-E38788A92B8B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.128","matchCriteriaId":"851E9353-6C09-4CC9-877E-E09DB164A3C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.75","matchCriteriaId":"BCE16369-98ED-41CF-8995-DFDC10B288D2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/22e460b6333a5f818b042ac89201f8e735556f4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/37f18915a261afe84dab462624ed829cddb77a9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d7a8f5f28187e3d2958b2a134473da2665207e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e2476057950c174c7b2c2802246707bbfb497e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5489d04337b47e93c0623e8145fcba3f5739efd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d4a132f121c591b60dbaf57ea91f1faf11631fbc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8f73bf0f8a57ee9b86792456bd42079bc98c6b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43303","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:37.583","lastModified":"2026-06-19T13:16:29.323","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page->private in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page->private but don't\nclear it before freeing pages.  When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage->private values.\n\nThis causes a use-after-free in the swap subsystem.  The swap code uses\npage->private to track swap count continuations, assuming freshly\nallocated pages have page->private == 0.  When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page->lru containing LIST_POISON values,\ncausing a crash:\n\n  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n  RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page->private in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["mm/page_alloc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"e7790ab165713b79b1617ce659742ceb3a859d05","versionType":"git","status":"affected"},{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"3edb8ebbf79b9016040e8f3421d723ae3d542b32","versionType":"git","status":"affected"},{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b","versionType":"git","status":"affected"},{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"23b82b7a26182ad840ae67d390d7ec9771e8c00f","versionType":"git","status":"affected"},{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"d757c793853ec5483eb41ec2942c300b8fa720fb","versionType":"git","status":"affected"},{"version":"3b8000ae185cb068adbda5f966a3835053c85fd4","lessThan":"ac1ea219590c09572ed5992dc233bbf7bb70fef9","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["mm/page_alloc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.1","versionEndExcluding":"6.18.16","matchCriteriaId":"B1BE1177-E500-439D-B3E5-0E63F54C1BE6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*","matchCriteriaId":"0384FA0A-DE99-48D7-84E3-46ED0C3B5E03"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc4:*:*:*:*:*:*","matchCriteriaId":"DA5F085D-52F3-4EE2-8353-455D1A6FE073"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc5:*:*:*:*:*:*","matchCriteriaId":"D6EE5B78-0D83-4715-893C-ABD69B49E7FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc6:*:*:*:*:*:*","matchCriteriaId":"EE723F14-047B-4FCF-B109-E0542EDFB063"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc7:*:*:*:*:*:*","matchCriteriaId":"2FCFCE58-5118-4D05-864E-C82CF20EABE5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:rc9:*:*:*:*:*:*","matchCriteriaId":"9C3E5BC9-613C-4362-BF02-153A5BBFFB2F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3edb8ebbf79b9016040e8f3421d723ae3d542b32","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e7790ab165713b79b1617ce659742ceb3a859d05","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43311","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:39.480","lastModified":"2026-06-19T13:16:29.553","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc/tegra: pmc: Fix unsafe generic_handle_irq() call\n\nCurrently, when resuming from system suspend on Tegra platforms,\nthe following warning is observed:\n\nWARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666\nCall trace:\n handle_irq_desc+0x20/0x58 (P)\n tegra186_pmc_wake_syscore_resume+0xe4/0x15c\n syscore_resume+0x3c/0xb8\n suspend_devices_and_enter+0x510/0x540\n pm_suspend+0x16c/0x1d8\n\nThe warning occurs because generic_handle_irq() is being called from\na non-interrupt context which is considered as unsafe.\n\nFix this warning by deferring generic_handle_irq() call to an IRQ work\nwhich gets executed in hard IRQ context where generic_handle_irq()\ncan be called safely.\n\nWhen PREEMPT_RT kernels are used, regular IRQ work (initialized with\ninit_irq_work) is deferred to run in per-CPU kthreads in preemptible\ncontext rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD\nvariant so that with PREEMPT_RT kernels, the IRQ work is processed in\nhardirq context instead of being deferred to a thread which is required\nfor calling generic_handle_irq().\n\nOn non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD()\nexecute in IRQ context, so this change has no functional impact for\nstandard kernel configurations.\n\n[treding@nvidia.com: miscellaneous cleanups]"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/soc/tegra/pmc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0474cc8489bda9a8cd6a10252e7e6af29c849438","lessThan":"d1c9c79eb06ed7c4e0a090ba5b1d4e475f7d0681","versionType":"git","status":"affected"},{"version":"0474cc8489bda9a8cd6a10252e7e6af29c849438","lessThan":"64016227dcdb968b7030eda04304f3d0df5d209d","versionType":"git","status":"affected"},{"version":"0474cc8489bda9a8cd6a10252e7e6af29c849438","lessThan":"e6d96073af681780820c94079b978474a8a44413","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/soc/tegra/pmc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.19.6","matchCriteriaId":"02662113-2CE6-417D-941C-D5D307C2F671"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/64016227dcdb968b7030eda04304f3d0df5d209d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1c9c79eb06ed7c4e0a090ba5b1d4e475f7d0681","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e6d96073af681780820c94079b978474a8a44413","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43331","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:42.763","lastModified":"2026-06-19T13:16:29.693","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Disable KCOV instrumentation after load_segments()\n\nThe load_segments() function changes segment registers, invalidating GS base\n(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any\nsubsequent instrumented C code call (e.g. native_gdt_invalidate()) begins\ncrashing the kernel in an endless loop.\n\nTo reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented\nkernel:\n\n  $ kexec -l /boot/otherKernel\n  $ kexec -e\n\nThe real-world context for this problem is enabling crash dump collection in\nsyzkaller. For this, the tool loads a panic kernel before fuzzing and then\ncalls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC\nand CONFIG_KCOV to be enabled simultaneously.\n\nAdding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())\nis also undesirable as it would introduce an extra performance overhead.\n\nDisabling instrumentation for the individual functions would be too fragile,\nso disable KCOV instrumentation for the entire machine_kexec_64.c and\nphysaddr.c. If coverage-guided fuzzing ever needs these components in the\nfuture, other approaches should be considered.\n\nThe problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported\nthere.\n\n  [ bp: Space out comment for better readability. ]"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/x86/kernel/Makefile","arch/x86/mm/Makefile"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0d345996e4cb573f8cc81d49b3ee9a7fd2035bef","lessThan":"0e96cd314c0d819c1635d68125a4d77852c2162e","versionType":"git","status":"affected"},{"version":"0d345996e4cb573f8cc81d49b3ee9a7fd2035bef","lessThan":"593d67032544b9271094fc9b43e437e017cb2b2f","versionType":"git","status":"affected"},{"version":"0d345996e4cb573f8cc81d49b3ee9a7fd2035bef","lessThan":"1e3e98596c2769721ade0418434852fb3af4849a","versionType":"git","status":"affected"},{"version":"0d345996e4cb573f8cc81d49b3ee9a7fd2035bef","lessThan":"de05c66fab8847237a9ca216934e56d3ee837f08","versionType":"git","status":"affected"},{"version":"0d345996e4cb573f8cc81d49b3ee9a7fd2035bef","lessThan":"917e3ad3321e75ca0223d5ccf26ceda116aa51e1","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/x86/kernel/Makefile","arch/x86/mm/Makefile"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.93","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.18.22","matchCriteriaId":"CB33D19D-30CB-4E4C-9018-2230BD327607"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0e96cd314c0d819c1635d68125a4d77852c2162e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/593d67032544b9271094fc9b43e437e017cb2b2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43341","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:44.050","lastModified":"2026-06-19T13:16:29.810","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: ioam6: prevent schema length wraparound in trace fill\n\nioam6_fill_trace_data() stores the schema contribution to the trace\nlength in a u8. With bit 22 enabled and the largest schema payload,\nsclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the\nremaining-space check. __ioam6_fill_trace_data() then positions the\nwrite cursor without reserving the schema area but still copies the\n4-byte schema header and the full schema payload, overrunning the trace\nbuffer.\n\nKeep sclen in an unsigned int so the remaining-space check and the write\ncursor calculation both see the full schema length."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv6/ioam6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"e96d48b37708d53cbdc47f6f60b0714fc4a5f596","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"d1b041080086e91d3733a5438a8c51ad5d3d8e09","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"77695a69baca9b99d95fad09fc78c2318736604f","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"184d2e9db27c0f76226b5cad16fe29510a5d2280","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d","versionType":"git","status":"affected"},{"version":"8c6f6fa6772696be0c047a711858084b38763728","lessThan":"5e67ba9bb531e1ec6599a82a065dea9040b9ce50","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv6/ioam6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.134","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.81","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.22","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.12","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.168","matchCriteriaId":"37E272EA-F1FA-423C-A31E-EB93B931B836"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.134","matchCriteriaId":"F56F925B-BAF8-4F4B-B62F-1496AF19A307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.81","matchCriteriaId":"6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3a1fb2ca323d7a4e10ab3afbfa25e6d8921e4f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43350","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:45.123","lastModified":"2026-06-19T13:16:29.943","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: require a full NFS mode SID before reading mode bits\n\nparse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS\nmode SID and reads sid.sub_auth[2] to recover the mode bits.\n\nThat assumes the ACE carries three subauthorities, but compare_sids()\nonly compares min(a, b) subauthorities.  A malicious server can return\nan ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still\nmatches sid_unix_NFS_mode and then drives the sub_auth[2] read four\nbytes past the end of the ACE.\n\nRequire num_subauth >= 3 before treating the ACE as an NFS mode SID.\nThis keeps the fix local to the special-SID mode path without changing\ncompare_sids() semantics for the rest of cifsacl."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/client/cifsacl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"23b54d6cc3ef30a51d984dc74364f24039ae2ecb","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"1592a6cd6f653f2d24572a6976c7a775b19f4940","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"8bd4cad3f458d11650d51c2d24b03fb1770ae6cc","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"b53b8e98c23310294fc45fc686db5ee860311896","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"c8eef12af1cc73031639ea7cf16e0b10e2536b0b","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"38a69f08ee82c450d3e4168707fff2e317dc3ff7","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"f8488c07bea2431ee12a6067d736578064fa46b4","versionType":"git","status":"affected"},{"version":"e2f8fbfb8d09c06decde162090fac3ee220aa280","lessThan":"2757ad3e4b6f9e0fed4c7739594e702abc5cab21","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/client/cifsacl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.4","status":"affected"},{"version":"0","lessThan":"5.4","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.84","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4","versionEndExcluding":"6.6.136","matchCriteriaId":"69577FD5-601B-4A4B-BBA2-0FC336EB0D3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1592a6cd6f653f2d24572a6976c7a775b19f4940","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/23b54d6cc3ef30a51d984dc74364f24039ae2ecb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8bd4cad3f458d11650d51c2d24b03fb1770ae6cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43383","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T15:16:49.593","lastModified":"2026-06-19T13:16:30.070","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp-md5: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant\ntime.  Use the appropriate helper function for this."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/Kconfig","net/ipv4/tcp.c","net/ipv4/tcp_ipv4.c","net/ipv6/tcp_ipv6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"821c8751fdeecdeecabeb11704dd33439c9e4bbc","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"ff44ec94d4fc8348600a69de0a8fa1102c23bce8","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"345a9530756528d7ca407663d659c3c40e75c3dd","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"5d305a95130a8d08b9545e47f1e18d29d59866cb","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"02669e2a4d207068edce7e8b5fafd85822018ce6","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"ae3831b44f477de048287493e184fc3ff913b624","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"b502e97e29d791ff7a8051f29a414535739be218","versionType":"git","status":"affected"},{"version":"cfb6eeb4c860592edd123fdea908d23c6ad1c7dc","lessThan":"46d0d6f50dab706637f4c18a470aac20a21900d3","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/Kconfig","net/ipv4/tcp.c","net/ipv4/tcp_ipv4.c","net/ipv6/tcp_ipv6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.20","status":"affected"},{"version":"0","lessThan":"2.6.20","versionType":"semver","status":"unaffected"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.5}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.20","versionEndExcluding":"5.10.253","matchCriteriaId":"59C621AA-EC43-49D2-8ABF-80CF7EB6225F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"6.1.167","matchCriteriaId":"56D62904-7C85-4BED-9EC0-3982B880F72D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.130","matchCriteriaId":"C57BB918-DF28-46B3-94F7-144176841267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.78","matchCriteriaId":"28D591F5-B196-4CC9-905C-DC80F116E7A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.19","matchCriteriaId":"D394AC60-6F28-435F-872A-CCDF384B8331"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.9","matchCriteriaId":"E825E7C3-FEAC-4FD3-8A81-78D7387948C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ff44ec94d4fc8348600a69de0a8fa1102c23bce8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43421","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T15:16:54.173","lastModified":"2026-06-19T13:16:30.203","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix net_device lifecycle with device_move\n\nThe network device outlived its parent gadget device during\ndisconnection, resulting in dangling sysfs links and null pointer\ndereference problems.\n\nA prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]\nwas reverted due to power management ordering concerns and a NO-CARRIER\nregression.\n\nA subsequent attempt to defer net_device allocation to bind [2] broke\n1:1 mapping between function instance and network device, making it\nimpossible for configfs to report the resolved interface name. This\nresults in a regression where the DHCP server fails on pmOS.\n\nUse device_move to reparent the net_device between the gadget device and\n/sys/devices/virtual/ across bind/unbind cycles. This preserves the\nnetwork interface across USB reconnection, allowing the DHCP server to\nretain their binding.\n\nIntroduce gether_attach_gadget()/gether_detach_gadget() helpers and use\n__free(detach_gadget) macro to undo attachment on bind failure. The\nbind_count ensures device_move executes only on the first bind.\n\n[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/\n[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/usb/gadget/function/f_ncm.c","drivers/usb/gadget/function/u_ether.c","drivers/usb/gadget/function/u_ether.h","drivers/usb/gadget/function/u_ncm.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"7c97366f5dac5255e60a317ffe3a5b18f3745547","versionType":"git","status":"affected"},{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"36c41e9724c9a7a7cda37f5a4e9d94f25c8031c4","versionType":"git","status":"affected"},{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"93f116c3393a22acab96ad1bef12b2572eb80ca4","versionType":"git","status":"affected"},{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d","versionType":"git","status":"affected"},{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"85acaba2f42b557499bab3608307f17bf13beb69","versionType":"git","status":"affected"},{"version":"40d133d7f542616cf9538508a372306e626a16e9","lessThan":"ec35c1969650e7cb6c8a91020e568ed46e3551b0","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/usb/gadget/function/f_ncm.c","drivers/usb/gadget/function/u_ether.c","drivers/usb/gadget/function/u_ether.h","drivers/usb/gadget/function/u_ncm.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.11","status":"affected"},{"version":"0","lessThan":"3.11","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"6.12.78","matchCriteriaId":"EC012AB1-5F8C-48BD-8A2C-AB95351EF175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.19","matchCriteriaId":"D394AC60-6F28-435F-872A-CCDF384B8331"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.9","matchCriteriaId":"E825E7C3-FEAC-4FD3-8A81-78D7387948C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/36c41e9724c9a7a7cda37f5a4e9d94f25c8031c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7c97366f5dac5255e60a317ffe3a5b18f3745547","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85acaba2f42b557499bab3608307f17bf13beb69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/93f116c3393a22acab96ad1bef12b2572eb80ca4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec35c1969650e7cb6c8a91020e568ed46e3551b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-45991","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:16.643","lastModified":"2026-06-19T13:16:31.053","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix partition descriptor append bookkeeping\n\nMounting a crafted UDF image with repeated partition descriptors can\ntrigger a heap out-of-bounds write in part_descs_loc[].\n\nhandle_partition_descriptor() deduplicates entries by partition number,\nbut appended slots never record partnum. As a result duplicate\nPartition Descriptors are appended repeatedly and num_part_descs keeps\ngrowing.\n\nOnce the table is full, the growth path still sizes the allocation from\npartnum even though inserts are indexed by num_part_descs. If partnum is\nalready aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep\nthe old capacity and the next append writes past the end of the table.\n\nStore partnum in the appended slot and size growth from the next append\ncount so deduplication and capacity tracking follow the same model."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/udf/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"ad3c0c4400686f6f37b382aaa48fac2b9aefccbe","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"68013a9bd4c01acd42073715f00e1a1992f089ee","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"e8474cfbac9ada2cdaa4eaedec22aadfa0f58559","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"058b451b1039f056d1362c4fec2229e522366ab0","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"b5597bb83fc37b5b5da74a4453fa920b932cf39a","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"08fa5d818e5bf53c7ca234d88ba334f32004e9b6","versionType":"git","status":"affected"},{"version":"ee4af50ca94f58afc3532662779b9cf80bbe27c8","lessThan":"08841b06fa64d8edbd1a21ca6e613420c90cc4b8","versionType":"git","status":"affected"},{"version":"7f401f160a9c7a1ff84ba3cb9b2f636d1f5cfb6b","versionType":"git","status":"affected"},{"version":"4.18.7","lessThan":"4.19","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/udf/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.19","status":"affected"},{"version":"0","lessThan":"4.19","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18.7","versionEndExcluding":"4.19","matchCriteriaId":"D5BDA993-EF76-4D54-84B2-73CDF4E1B72C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.1","versionEndExcluding":"6.6.140","matchCriteriaId":"03E02558-93BE-47E0-82D4-3BE2135EC2BF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"7.0.4","matchCriteriaId":"EFAD87B2-77CB-48FF-B0F8-D6A539C24301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*","matchCriteriaId":"CFDAD450-8799-4C2D-80CE-2AA45DEC35CE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc2:*:*:*:*:*:*","matchCriteriaId":"490A26B2-349C-4C71-AD40-2EA486A34DD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc3:*:*:*:*:*:*","matchCriteriaId":"1A60AAA7-F86C-4D3E-933D-0ECEFE637CEF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc4:*:*:*:*:*:*","matchCriteriaId":"79225B06-DC8B-4622-94DF-797D7B1588D8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc5:*:*:*:*:*:*","matchCriteriaId":"344A395A-4EA9-4A70-B52B-622DFC91B2F5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc6:*:*:*:*:*:*","matchCriteriaId":"77A82DDA-F9EB-4146-A264-F144821F5B48"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc7:*:*:*:*:*:*","matchCriteriaId":"50D37BFA-0EDF-4061-AE49-2547A31AF500"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.19:rc8:*:*:*:*:*:*","matchCriteriaId":"C76524C2-3C99-42A8-B110-C3B886DEAFA5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/68013a9bd4c01acd42073715f00e1a1992f089ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ad3c0c4400686f6f37b382aaa48fac2b9aefccbe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e8474cfbac9ada2cdaa4eaedec22aadfa0f58559","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45993","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:16.853","lastModified":"2026-06-19T13:16:31.200","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Add spectre boundry for syscall dispatch table\n\nThe LoongArch syscall number is directly controlled by userspace, but\ndoes not have a array_index_nospec() boundry to prevent access past the\nsyscall function pointer tables."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/loongarch/kernel/syscall.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"c8a8e863928424046b8fd328f02c359baa0a0c3f","versionType":"git","status":"affected"},{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"108f2cd13577a410c0ad6ea00708596d9d0dfc90","versionType":"git","status":"affected"},{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"07040904ad217545be096d4280ed33c02f6a3750","versionType":"git","status":"affected"},{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"85cbf7fb568af5358aae61925c4e66b8f5e1439d","versionType":"git","status":"affected"},{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"bc84a109c2082dd0c4b38e8d923c046b41977533","versionType":"git","status":"affected"},{"version":"be769645a2aef577f07afdcb4de8fad20b6d57c0","lessThan":"0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/loongarch/kernel/syscall.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.6.140","matchCriteriaId":"DFE3BB4F-66FD-4FA9-8E12-3B92C3EED20E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8a8e863928424046b8fd328f02c359baa0a0c3f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45996","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:17.180","lastModified":"2026-06-19T13:16:31.310","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: imx: fix use-after-free on unbind\n\nThe SPI subsystem frees the controller and any subsystem allocated\ndriver data as part of deregistration (unless the allocation is device\nmanaged).\n\nTake another reference before deregistering the controller so that the\ndriver data is not freed until the driver is done with it."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/spi/spi-imx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"c7c40c3e7b9fb900504aa746de3e53c5275b24bd","versionType":"git","status":"affected"},{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"f99165ef067723221472ce1aff632bc74f562643","versionType":"git","status":"affected"},{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"385a330083f8dd47c15b02e9a83aef9234a37003","versionType":"git","status":"affected"},{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"132e47030b0b5e398e0da6c59df5a5dae9b52cff","versionType":"git","status":"affected"},{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"aa9025a498036b6012769f7af36d421385386c17","versionType":"git","status":"affected"},{"version":"307c897db762d1e0feee9477276b08f6deca4a5b","lessThan":"1c78c2002380a1fe31bfb01a3d5f29809e55a096","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/spi/spi-imx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.6.140","matchCriteriaId":"DFE3BB4F-66FD-4FA9-8E12-3B92C3EED20E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1c78c2002380a1fe31bfb01a3d5f29809e55a096","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/385a330083f8dd47c15b02e9a83aef9234a37003","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aa9025a498036b6012769f7af36d421385386c17","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c7c40c3e7b9fb900504aa746de3e53c5275b24bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f99165ef067723221472ce1aff632bc74f562643","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-45999","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:17.517","lastModified":"2026-06-19T13:16:31.423","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()\n\nSome crafted images can have illegal (!partial_decoding &&\nm_llen < m_plen) extents, and the LZ4 inplace decompression path\ncan be wrongly hit, but it cannot handle (outpages < inpages)\nproperly: \"outpages - inpages\" wraps to a large value and\nthe subsequent rq->out[] access reads past the decompressed_pages\narray.\n\nHowever, such crafted cases can correctly result in a corruption\nreport in the normal LZ4 non-inplace path.\n\nLet's add an additional check to fix this for backporting.\n\nReproducible image (base64-encoded gzipped blob):\n\nH4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g\ndilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i\nPNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz\n2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w\nywAAAAAAAADwu14ATsEYtgBQAAA=\n\n$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt\n$ dd if=/mnt/data of=/dev/null bs=4096 count=1"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/erofs/decompressor.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"778acd52e9497806fbd2cea7f770c41d6850fc48","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"118ff71ff09ebaf323a09af9e911517321a299f4","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"43a878639b90e9721ffa5eb616a7e6d8454adef3","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"f1374fa6e57fd836623668d782ded9244cfd2938","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"c9ce18e6bb2c467ec85756dc7989b547b7584fee","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e","versionType":"git","status":"affected"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/erofs/decompressor.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-191"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.6.140","matchCriteriaId":"3E67E12B-C9B9-4C36-87B6-F887F426E683"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/118ff71ff09ebaf323a09af9e911517321a299f4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/778acd52e9497806fbd2cea7f770c41d6850fc48","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46003","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.010","lastModified":"2026-06-19T13:16:31.573","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the total number of nodes\n\nCurrently, the nameserver doesn't limit the number of nodes it handles.\nThis can be an attack vector if a malicious client starts registering\nrandom nodes, leading to memory exhaustion.\n\nHence, limit the maximum number of nodes to 64. Note that, limit of 64 is\nchosen based on the current platform requirements. If requirement changes\nin the future, this limit can be increased."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"b703ee903b24974aca4bde99c7d25d66309d35dd","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"823310645065bd49666e84af689fa95192819f55","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"ed29887286aba96d1930f4ddb9f235f6b421073c","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"4c46413661431aa60fb134cd4ecdf8beaa39f824","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"5cf6d5e5e3b804a44692fbf548a5179442e2e923","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"8022876894d09ae485b499058c3357da683bcc5d","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"27d5e84e810b0849d08b9aec68e48570461ce313","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.140","matchCriteriaId":"A990FD1C-7109-4DDB-A221-53FD00482C29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/27d5e84e810b0849d08b9aec68e48570461ce313","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4c46413661431aa60fb134cd4ecdf8beaa39f824","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5cf6d5e5e3b804a44692fbf548a5179442e2e923","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8022876894d09ae485b499058c3357da683bcc5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/823310645065bd49666e84af689fa95192819f55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b703ee903b24974aca4bde99c7d25d66309d35dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ed29887286aba96d1930f4ddb9f235f6b421073c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46005","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.240","lastModified":"2026-06-19T13:16:31.697","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix a resource leak in xfs_alloc_buftarg()\n\nIn the error path, call fs_put_dax() to drop the DAX\ndevice reference."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/xfs/xfs_buf.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"ed2d6442e61169e565727ba15c4f6a0cb5ce16df","versionType":"git","status":"affected"},{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"82fb9da6477d08bdab954dc7bc081a41f2f9cae6","versionType":"git","status":"affected"},{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"28a6c132b8c6e5eeefa889c4fb43d65b12989d48","versionType":"git","status":"affected"},{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9","versionType":"git","status":"affected"},{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"5804cb507233ed767a83ac70527b2f6c4566ec75","versionType":"git","status":"affected"},{"version":"6f643c57d57c56d4677bc05f1fca2ef3f249797c","lessThan":"29a7b2614357393b176ef06ba5bc3ff5afc8df69","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/xfs/xfs_buf.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.140","matchCriteriaId":"42C969B5-5AF7-4327-A835-36C9FE167867"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ed2d6442e61169e565727ba15c4f6a0cb5ce16df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46006","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.353","lastModified":"2026-06-19T13:16:31.807","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix u32 overflow in pushbuf reloc bounds check\n\nnouveau_gem_pushbuf_reloc_apply() validates each relocation with\n\n    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)\n\nbut reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer\nliteral 4 promotes to unsigned int, so the addition is performed in 32\nbits and wraps before the comparison against the size_t bo size.\n\nCast to u64 so the addition happens in 64-bit arithmetic.\n\n[ Add Fixes: tag. - Danilo ]"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/nouveau/nouveau_gem.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"3429275684f4bad42876955301f3c5c814aae909","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"573a1104bd36e49c067a9dc62e7c476d5ee7e92a","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"45a45184b9c0b0b26ead06e370cda2073616a7cc","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"fa297e919d1680c38ab268ff952b1698dac987f6","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"d749a9a0ee4014681487e7ae549901aa8c176637","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"332884f5eb79dd60a7162b079d09d39208567a31","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"e441d5c23ec644c8d27593db3b8928e8933512a9","versionType":"git","status":"affected"},{"version":"a1606a9596e54da90ad6209071b357a4c1b0fa82","lessThan":"2fc87d37be1b730a149b035f9375fdb8cc5333a5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/nouveau/nouveau_gem.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.15.209","matchCriteriaId":"910DA080-3DB1-4436-9683-809A8CBDBDB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.140","matchCriteriaId":"A1A92866-F406-43B5-B2D1-CFC274753E9D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3429275684f4bad42876955301f3c5c814aae909","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46021","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.567","lastModified":"2026-06-19T13:16:31.933","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix thermal zone governor cleanup issues\n\nIf thermal_zone_device_register_with_trips() fails after adding\na thermal governor to the thermal zone being registered, the\ngovernor is not removed from it as appropriate which may lead to\na memory leak.\n\nIn turn, thermal_zone_device_unregister() calls thermal_set_governor()\nwithout acquiring the thermal zone lock beforehand which may race with\na governor update via sysfs and may lead to a use-after-free in that\ncase.\n\nAddress these issues by adding two thermal_set_governor() calls, one to\nthermal_release() to remove the governor from the given thermal zone,\nand one to the thermal zone registration error path to cover failures\npreceding the thermal zone device registration."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/thermal/thermal_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"a172fa18bc370b776ac1510abb0dcb50a7a35fac","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"8e563d8db50f303171aceb79eec0807e7ba06951","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"d4eb861adde5ce22e459fbd29366f47bb2167977","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"37a430a2d4e66ec8238da6c7f7e48809bf265e13","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"f412e541d25a3dfaf3d53e012ade6ff03cae8a45","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"75f8f3c3e09122270986de9d7aa347d701676761","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06","versionType":"git","status":"affected"},{"version":"e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8","lessThan":"41ff66baf81c6541f4f985dd7eac4494d03d9440","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/thermal/thermal_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.6.140","matchCriteriaId":"51C70DBB-3DC0-42D5-8319-BBAA828267C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8e563d8db50f303171aceb79eec0807e7ba06951","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a172fa18bc370b776ac1510abb0dcb50a7a35fac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d4eb861adde5ce22e459fbd29366f47bb2167977","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46026","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:21.160","lastModified":"2026-06-19T13:16:32.060","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the maximum number of lookups\n\nCurrent code does no bound checking on the number of lookups a client can\nperform. Though the code restricts the lookups to local clients, there is\nstill a possibility of a malicious local client sending a flood of\nNEW_LOOKUP messages over the same socket.\n\nFix this issue by limiting the maximum number of lookups to 64 globally.\nSince the nameserver allows only atmost one local observer, this global\nlookup count will ensure that the lookups stay within the limit.\n\nNote that, limit of 64 is chosen based on the current platform\nrequirements. If requirement changes in the future, this limit can be\nincreased."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"bd69e0e8a7643ba5385f19f479e8e3da71f8d495","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"91cb30b6bb1880ba0748ca059bef50b8ac13793d","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"6e3675251fcea06caecc61eb76462467558adfa6","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"76adf8f69b0bb3ab20be7c58f5d555027332d113","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"20855cef7e659ef84ac73251256fa530819b2346","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"2b930bc77e00cb27e1d6e1d497b3b596283465ef","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"5640227d9a21c6a8be249a10677b832e7f40dc55","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.140","matchCriteriaId":"A990FD1C-7109-4DDB-A221-53FD00482C29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6e3675251fcea06caecc61eb76462467558adfa6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/91cb30b6bb1880ba0748ca059bef50b8ac13793d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bd69e0e8a7643ba5385f19f479e8e3da71f8d495","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46038","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.140","lastModified":"2026-06-19T13:16:32.183","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Free the node during ctrl_cmd_bye()\n\nA node sends the BYE packet when it is about to go down. So the nameserver\nshould advertise the removal of the node to all remote and local observers\nand free the node finally. But currently, the nameserver doesn't free the\nnode memory even after processing the BYE packet. This causes the node\nmemory to leak.\n\nHence, remove the node from Xarray list and free the node memory during\nboth success and failure case of ctrl_cmd_bye()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"6c9cca46acb6f22e63f015ea7b2ed6032d2badf5","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"a5a454f3364877b22f0e5a165df8b3702ff96ae7","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"25d580a46b079a7963ff024a5195e547baf12b64","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"ff78ed177a66763085e3214d6fbe13ca8f0b3f11","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"65932f5102bb5377db36c8a4f0c28179a1967a9a","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"154fc7fe3f62c46891c3c4302f4b5b5391c932e6","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"076e4b162d6caba12c229e7f262df5b6881162b0","versionType":"git","status":"affected"},{"version":"0c2204a4ad710d95d348ea006f14ba926e842ffd","lessThan":"68efba36446a7774ea5b971257ade049272a07ac","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/qrtr/ns.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.140","matchCriteriaId":"A990FD1C-7109-4DDB-A221-53FD00482C29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/25d580a46b079a7963ff024a5195e547baf12b64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c9cca46acb6f22e63f015ea7b2ed6032d2badf5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a5a454f3364877b22f0e5a165df8b3702ff96ae7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46044","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.853","lastModified":"2026-06-19T13:16:32.310","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ssif: Clean up kthread on errors\n\nIf an error occurs after the ssif kthread is created, but before the\nmain IPMI code starts the ssif interface, the ssif kthread will not\nbe stopped.\n\nSo make sure the kthread is stopped on an error condition if it is\nrunning."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/char/ipmi/ipmi_ssif.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"549607af66a0efdb41307ba6343eed31de8b133e","versionType":"git","status":"affected"},{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"f2d0a3ede5ebf404d4c334a1f04ef439e0086857","versionType":"git","status":"affected"},{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"e662be2d0d05253d0fd7deda9771aa036c23393e","versionType":"git","status":"affected"},{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"858bc8b9edb6eaf0522900128bb9053e2df6b0f6","versionType":"git","status":"affected"},{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"800febc637d1c1974b1e899dea8a07e115d60766","versionType":"git","status":"affected"},{"version":"259307074bfcf1ff88016e12c68f057aee6cb694","lessThan":"75c486cb1bcaa1a3ec3a6438498176a3a4998ae4","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/char/ipmi/ipmi_ssif.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.10.258","matchCriteriaId":"62BEB848-DA36-437D-BE81-009427982D1A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.18.27","matchCriteriaId":"E8ACCD5C-0F15-4B5A-B287-D04F25C2257A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/549607af66a0efdb41307ba6343eed31de8b133e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/75c486cb1bcaa1a3ec3a6438498176a3a4998ae4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/800febc637d1c1974b1e899dea8a07e115d60766","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/858bc8b9edb6eaf0522900128bb9053e2df6b0f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e662be2d0d05253d0fd7deda9771aa036c23393e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f2d0a3ede5ebf404d4c334a1f04ef439e0086857","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46052","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.807","lastModified":"2026-06-19T13:16:32.420","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nceph: only d_add() negative dentries when they are unhashed\n\nCeph can call d_add(dentry, NULL) on a negative dentry that is already\npresent in the primary dcache hash.\n\nIn the current VFS that is not safe.  d_add() goes through __d_add()\nto __d_rehash(), which unconditionally reinserts dentry->d_hash into\nthe hlist_bl bucket.  If the dentry is already hashed, reinserting the\nsame node can corrupt the bucket, including creating a self-loop.\nOnce that happens, __d_lookup() can spin forever in the hlist_bl walk,\ntypically looping only on the d_name.hash mismatch check and\neventually triggering RCU stall reports like this one:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu:         87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829\n rcu:         (t=2101 jiffies g=79058445 q=698988 ncpus=192)\n CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023\n RIP: 0010:__d_lookup+0x46/0xb0\n Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f\n RSP: 0018:ff745a70c8253898 EFLAGS: 00000282\n RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966\n RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0\n RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89\n R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0\n R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f\n FS:  00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  lookup_fast+0x9f/0x100\n  walk_component+0x1f/0x150\n  link_path_walk+0x20e/0x3d0\n  path_lookupat+0x68/0x180\n  filename_lookup+0xdc/0x1e0\n  vfs_statx+0x6c/0x140\n  vfs_fstatat+0x67/0xa0\n  __do_sys_newfstatat+0x24/0x60\n  do_syscall_64+0x6a/0x230\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is reachable with reused cached negative dentries.  A Ceph lookup\nor atomic_open can be handed a negative dentry that is already hashed,\nand fs/ceph/dir.c then hits one of two paths that incorrectly assume\n\"negative\" also means \"unhashed\":\n\n  - ceph_finish_lookup():\n      MDS reply is -ENOENT with no trace\n      -> d_add(dentry, NULL)\n\n  - ceph_lookup():\n      local ENOENT fast path for a complete directory with shared caps\n      -> d_add(dentry, NULL)\n\nBoth paths can therefore re-add an already-hashed negative dentry.\n\nCeph already uses the correct pattern elsewhere: ceph_fill_trace() only\ncalls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)\nis true.\n\nFix both fs/ceph/dir.c sites the same way: only call d_add() for a\nnegative dentry when it is actually unhashed.  If the negative dentry\nis already hashed, leave it in place and reuse it as-is.\n\nThis preserves the existing behavior for unhashed dentries while\navoiding d_hash list corruption for reused hashed negatives."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/ceph/dir.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"4147ae08824cc8b65d2b2018f79d416af2937108","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"73b47a1f06dee5e61b00dee5227d75d3f1f6d977","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"79ffcbeac6bc1dc1bcdb0434acf250f6215ec111","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"83ce43a21bb7df8dd52228afdd918d2d058eefde","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"4179cc390dacebc87079419ec92f86f3dc46294d","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"b91e535f208c48a5e7464f1aa38338a30e7912df","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"2010cb06b9df7d3c816c78358c566bdacbdf38ff","versionType":"git","status":"affected"},{"version":"2817b000b02c5f0c05af67c01fb2684e1381d6ef","lessThan":"803447f93d75ab6e40c85e6d12b5630d281d70d6","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/ceph/dir.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34.1","versionEndExcluding":"6.6.140","matchCriteriaId":"86294DD1-E89E-436E-80BC-95171A8D719F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*","matchCriteriaId":"A3B1BC1D-ED46-4364-A1D9-1FA74182B03A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*","matchCriteriaId":"86D3F64C-3F27-43E0-B0D4-62CE1E1F4EFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*","matchCriteriaId":"7927713B-5EB0-41EB-86A9-9935775162E0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*","matchCriteriaId":"59037296-3143-4FBB-AFF7-D4FE2C85502F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*","matchCriteriaId":"9CA27FD5-7DBF-4C85-80A9-D523B2E4B033"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*","matchCriteriaId":"9711E333-A8E7-4F4B-BCFD-2023E889651A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*","matchCriteriaId":"E04D3358-973B-42A1-8E08-2E3AE947193C"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2010cb06b9df7d3c816c78358c566bdacbdf38ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4147ae08824cc8b65d2b2018f79d416af2937108","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4179cc390dacebc87079419ec92f86f3dc46294d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/73b47a1f06dee5e61b00dee5227d75d3f1f6d977","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/79ffcbeac6bc1dc1bcdb0434acf250f6215ec111","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/803447f93d75ab6e40c85e6d12b5630d281d70d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/83ce43a21bb7df8dd52228afdd918d2d058eefde","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b91e535f208c48a5e7464f1aa38338a30e7912df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46056","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:25.317","lastModified":"2026-06-19T13:16:32.587","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in SSP passkey handlers\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise\nthe connection can be freed concurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage in both\nhandlers.\n\nKeep the existing keypress notification behavior unchanged by routing\nthe early exits through a common unlock path."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/bluetooth/hci_event.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"ea18732d2614557e59f4c0d8cdbe6611aeab33b7","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"d28311539ac9f65e29308ea219ecaa48aa5e76e5","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"b6ae482f88654db407c8c17619d4b62959b903ef","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"204028af77a265e31ceb4ba7f643349a3cca72b2","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"01a6431766c35dfedb86e0cb5d3fc80c6d604a47","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"e08d75753db17aa943d7622f09d9c217b5bfd3b8","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"8c6443bb9257b780986fb67ec08565bf48ecb8d7","versionType":"git","status":"affected"},{"version":"92a25256f142d55e25f9959441cea6ddeabae57e","lessThan":"85fa3512048793076eef658f66489112dcc91993","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/bluetooth/hci_event.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.7","status":"affected"},{"version":"0","lessThan":"3.7","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"6.1.175","matchCriteriaId":"EBFC6347-9890-499C-AFAB-ED243C4C3818"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.140","matchCriteriaId":"A1A92866-F406-43B5-B2D1-CFC274753E9D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.27","matchCriteriaId":"A10AC84F-C058-47D5-85B4-E6E51A613B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.4","matchCriteriaId":"CDB78D6D-22C3-4154-B0D0-94AF1CE5C2E3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d28311539ac9f65e29308ea219ecaa48aa5e76e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ea18732d2614557e59f4c0d8cdbe6611aeab33b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46159","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.553","lastModified":"2026-06-19T13:16:34.193","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak\n\nbtrfs_ioctl_space_info() has a TOCTOU race between two passes over the\nblock group RAID type lists. The first pass counts entries to determine\nthe allocation size, then the second pass fills the buffer. The\ngroups_sem rwlock is released between passes, allowing concurrent block\ngroup removal to reduce the entry count.\n\nWhen the second pass fills fewer entries than the first pass counted,\ncopy_to_user() copies the full alloc_size bytes including trailing\nuninitialized kmalloc bytes to userspace.\n\nFix by copying only total_spaces entries (the actually-filled count from\nthe second pass) instead of alloc_size bytes, and switch to kzalloc so\nany future copy size mismatch cannot leak heap data."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/btrfs/ioctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"f407aad350bdea4db300c47433573b7a41630d33","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d8224b1be6627c6c3b204bfb264508d27c65ac44","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d69a4a6813fdba7c4cc3695a7e843842b240790d","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"f5ee467b56764964027c361641f64953fc0f8f9a","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"5d12e0ab009ade48c1bff9324fd9bea2c773d088","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"d09d67d5de577cedae3de9497dff217e0ac8b641","versionType":"git","status":"affected"},{"version":"7fde62bffb576d384ea49a3aed3403d5609ee5bc","lessThan":"973e57c726c1f8e77259d1c8e519519f1e9aea77","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/btrfs/ioctl.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.90","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.32","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-367"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34.1","versionEndExcluding":"6.6.140","matchCriteriaId":"86294DD1-E89E-436E-80BC-95171A8D719F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.90","matchCriteriaId":"3BAAA2BE-6EEC-45D5-AD66-50F63CA20483"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.32","matchCriteriaId":"CB9F1FA8-6D5E-42B1-9877-57BACFE5C886"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*","matchCriteriaId":"A3B1BC1D-ED46-4364-A1D9-1FA74182B03A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc2:*:*:*:*:*:*","matchCriteriaId":"86D3F64C-3F27-43E0-B0D4-62CE1E1F4EFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc3:*:*:*:*:*:*","matchCriteriaId":"7927713B-5EB0-41EB-86A9-9935775162E0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc4:*:*:*:*:*:*","matchCriteriaId":"59037296-3143-4FBB-AFF7-D4FE2C85502F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc5:*:*:*:*:*:*","matchCriteriaId":"9CA27FD5-7DBF-4C85-80A9-D523B2E4B033"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc6:*:*:*:*:*:*","matchCriteriaId":"9711E333-A8E7-4F4B-BCFD-2023E889651A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.34:rc7:*:*:*:*:*:*","matchCriteriaId":"E04D3358-973B-42A1-8E08-2E3AE947193C"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d69a4a6813fdba7c4cc3695a7e843842b240790d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8224b1be6627c6c3b204bfb264508d27c65ac44","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f407aad350bdea4db300c47433573b7a41630d33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46160","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.647","lastModified":"2026-06-19T13:16:34.320","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix missing last_unlink_trans update when removing a directory\n\nWhen removing a directory we are not updating its last_unlink_trans field,\nwhich can result in incorrect fsync behaviour in case some one fsyncs the\ndirectory after it was removed because it's holding a file descriptor on\nit.\n\nExample scenario:\n\n   mkdir /mnt/dir1\n   mkdir /mnt/dir1/dir2\n   mkdir /mnt/dir3\n\n   sync -f /mnt\n\n   # Do some change to the directory and fsync it.\n   chmod 700 /mnt/dir1\n   xfs_io -c fsync /mnt/dir1\n\n   # Move dir2 out of dir1 so that dir1 becomes empty.\n   mv /mnt/dir1/dir2 /mnt/dir3/\n\n   open fd on /mnt/dir1\n   call rmdir(2) on path \"/mnt/dir1\"\n   fsync fd\n\n   <trigger power failure>\n\nWhen attempting to mount the filesystem, the log replay will fail with\nan -EIO error and dmesg/syslog has the following:\n\n   [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650\n   [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm\n   [445771.627912] BTRFS info (device dm-0): start tree-log replay\n   [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5\n   [445771.629453] memcg:ffff89f400351b00\n   [445771.629892] aops:btree_aops [btrfs] ino:1\n   [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n   [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8\n   [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00\n   [445771.635029] page dumped because: eb page dump\n   [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir\n   [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5\n   [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087\n   [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n   [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n   [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n   [445771.638100] \t\trdev 0 sequence 2 flags 0x0\n   [445771.638102] \t\tatime 1775744884.0\n   [445771.660056] \t\tctime 1775744885.645502983\n   [445771.660058] \t\tmtime 1775744885.645502983\n   [445771.660060] \t\totime 1775744884.0\n   [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n   [445771.660064] \t\tindex 0 name_len 2\n   [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34\n   [445771.660068] \t\tlocation key (259 1 0) type 2\n   [445771.660070] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34\n   [445771.660076] \t\tlocation key (257 1 0) type 2\n   [445771.660077] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n   [445771.660079] \t\tlocation key (257 1 0) type 2\n   [445771.660080] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34\n   [445771.660082] \t\tlocation key (259 1 0) type 2\n   [445771.660083] \t\ttransid 9 data_len 0 name_len 4\n   [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160\n   [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0\n   [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0\n   [445771.660088] \t\trdev 0 sequence 2 flags 0x0\n   [445771.660089] \t\tatime 1775744885.641174097\n   [445771.660090] \t\tctime 1775744885.645502983\n   [445771.660091] \t\tmtime 1775744885.645502983\n   [445771.660105] \t\totime 1775744885.641174097\n   [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14\n   [445771.660107] \t\tindex 2 name_len 4\n   [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34\n   [445771.660109] \t\tlocation key (2\n---truncated---"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/btrfs/inode.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"af467162290f5fe79d6a361b7c84302e45b1fd9f","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"2525998ac956476bded26b9f34c4164dc890b87a","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"cc3c0a0f965754ce230d93ba44ee5b34fbe6138a","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"aa9c3ecaf7337df3a689318584f879b5339ede0f","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"fb388eb58c1ba047ccabc33901839acfecadcf49","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"36fcc2c7517f8a86379154c9793f867592aa8b7e","versionType":"git","status":"affected"},{"version":"12fcfd22fe5bf4fe74710232098bc101af497995","lessThan":"999757231c49376cd1a37308d2c8c4c9932571e1","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/btrfs/inode.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.30","status":"affected"},{"version":"0","lessThan":"2.6.30","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.30","versionEndExcluding":"6.6.141","matchCriteriaId":"4CCF2FBC-3CB1-46C8-A0F3-CEC8C2609FA1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2525998ac956476bded26b9f34c4164dc890b87a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6acbb2f6dff23c9bb9761fb98b516525b9cf1ce9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/af467162290f5fe79d6a361b7c84302e45b1fd9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46164","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.043","lastModified":"2026-06-19T13:16:34.477","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info_sub_group() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info_sub_group()\n-> btrfs_sysfs_add_space_info_type()\n-> kobject_init_and_add()\n-> failure\n-> kobject_put(&sub_group->kobj)\n-> space_info_release()\n-> kfree(sub_group)\n\nThen control returns to create_space_info_sub_group(), where:\n\nbtrfs_sysfs_add_space_info_type() returns error\n-> kfree(sub_group)\n\nThus, sub_group is freed twice.\n\nKeep parent->sub_group[index] = NULL for the failure path, but after\nbtrfs_sysfs_add_space_info_type() has called kobject_put(), let the\nkobject release callback handle the cleanup."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/btrfs/space-info.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"64c7ddda83acfbaa0efb381a1928ce908c584607","lessThan":"c2d59527cba6d59f0d77a75c1101ab4e69758bea","versionType":"git","status":"affected"},{"version":"0bd151ce4200ca847990e05cca29a76456982ca5","lessThan":"d2a675f2e238ec96c8e91e2718c1f910c9c8fb21","versionType":"git","status":"affected"},{"version":"190d5a7c4fe42b8c9aa46e3336389e7cb10395bb","lessThan":"14b22be1dd844383eb03af9b1ee3b6b25d32aeaf","versionType":"git","status":"affected"},{"version":"f92ee31e031c7819126d2febdda0c3e91f5d2eb9","lessThan":"dfd05a16b5c9d1d98b47905f37f2fccda52173d1","versionType":"git","status":"affected"},{"version":"f92ee31e031c7819126d2febdda0c3e91f5d2eb9","lessThan":"259af6857a1b4f1e9ef8b780353f9d11c26a22bd","versionType":"git","status":"affected"},{"version":"f92ee31e031c7819126d2febdda0c3e91f5d2eb9","lessThan":"a7449edf96143f192606ec8647e3167e1ecbd728","versionType":"git","status":"affected"},{"version":"6.1.162","lessThan":"6.1.176","versionType":"semver","status":"affected"},{"version":"6.6.122","lessThan":"6.6.141","versionType":"semver","status":"affected"},{"version":"6.12.67","lessThan":"6.12.90","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/btrfs/space-info.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.90","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.32","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.162","versionEndExcluding":"6.2","matchCriteriaId":"CC09986F-7799-41B9-80E9-13187E3E33E7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.122","versionEndExcluding":"6.6.141","matchCriteriaId":"9DDACAED-DB5F-4215-90D1-9638039CD94F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.67","versionEndExcluding":"6.12.90","matchCriteriaId":"2B62EF25-7B21-4945-BFC3-D47BBC89F73F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.32","matchCriteriaId":"FF62AC18-3B67-498C-BE98-210B26013D50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2d59527cba6d59f0d77a75c1101ab4e69758bea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46169","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.537","lastModified":"2026-06-19T13:16:34.600","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value by validating catalog record size\n\nSyzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The\nroot cause is that hfs_brec_read() doesn't validate that the on-disk\nrecord size matches the expected size for the record type being read.\n\nWhen mounting a corrupted filesystem, hfs_brec_read() may read less data\nthan expected. For example, when reading a catalog thread record, the\ndebug output showed:\n\n  HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26\n  HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!\n\nhfs_brec_read() only validates that entrylength is not greater than the\nbuffer size, but doesn't check if it's less than expected. It successfully\nreads 26 bytes into a 520-byte structure and returns success, leaving 494\nbytes uninitialized.\n\nThis uninitialized data in tmp.thread.nodeName then gets copied by\nhfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering\nthe KMSAN warning when the uninitialized bytes are used as array indices\nin case_fold().\n\nFix by introducing hfsplus_brec_read_cat() wrapper that:\n1. Calls hfs_brec_read() to read the data\n2. Validates the record size based on the type field:\n   - Fixed size for folder and file records\n   - Variable size for thread records (depends on string length)\n3. Returns -EIO if size doesn't match expected\n\nFor thread records, check against HFSPLUS_MIN_THREAD_SZ before reading\nnodeName.length to avoid reading uninitialized data at call sites that\ndon't zero-initialize the entry structure.\n\nAlso initialize the tmp variable in hfsplus_find_cat() as defensive\nprogramming to ensure no uninitialized data even if validation is\nbypassed."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/hfsplus/bfind.c","fs/hfsplus/catalog.c","fs/hfsplus/dir.c","fs/hfsplus/hfsplus_fs.h","fs/hfsplus/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3003dbf62d151d47a6b90f71655292a51a05f244","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"8be69532e399eec9d9d990f6958b4ff2383b19b3","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3bc337697c66db2e2a4a94f0509c282c1a014b86","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"61a790974ff7e533acbceca06c7d02f22bf96d4d","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"a420904450962a562ad053a41a53a27755021b48","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"93e8d613f1a01b6637f387cc93f184cf7fb881d6","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"b6b592275aeff184aa82fcf6abccd833fb71b393","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/hfsplus/bfind.c","fs/hfsplus/catalog.c","fs/hfsplus/dir.c","fs/hfsplus/hfsplus_fs.h","fs/hfsplus/super.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-908"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.6.140","matchCriteriaId":"CE922FB2-1245-46C1-A6AA-98350F6EBAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3003dbf62d151d47a6b90f71655292a51a05f244","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3bc337697c66db2e2a4a94f0509c282c1a014b86","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8be69532e399eec9d9d990f6958b4ff2383b19b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46180","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:33.643","lastModified":"2026-06-19T13:16:34.740","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task\n\nWatchdog task might end between send_sig() and kthread_stop() calls, what\nresults in the use-after-free issue. Fix this by increasing watchdog task\nreference count before calling send_sig() and dropping it by switching to\nkthread_stop_put()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"a21f735fb1017ef89c6f9dbf4d799513b4e7bd5a","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"df2e90d6a9955510f24f1dada78cfc439fd9fa88","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"d616bb10de79e5c2bd8a24230a1128aeaf715615","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"ed4168d1a50fef5be8eca947fbbf05a28507d265","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"d16827cb1d3936f7627d0da6044483f743ebde03","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"658d2e46c2e9a8eb9b80c5e803ce3c89885b3366","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"908b92231e1ded53e43fcfad5e0704d83e1b803c","versionType":"git","status":"affected"},{"version":"a9ffda88be7416b8336f644806c2b3ed3ce08b26","lessThan":"c623b63580880cc742255eaed3d79804c1b91143","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.3","status":"affected"},{"version":"0","lessThan":"3.3","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.6.140","matchCriteriaId":"5466053F-31C7-41D6-AF97-CC6D33C52185"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a21f735fb1017ef89c6f9dbf4d799513b4e7bd5a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d616bb10de79e5c2bd8a24230a1128aeaf715615","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/df2e90d6a9955510f24f1dada78cfc439fd9fa88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46190","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.640","lastModified":"2026-06-19T13:16:34.860","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()\n\nSashiko noticed an out-of-bounds read [1].\n\nIn spi_nor_params_show(), the snor_f_names array is passed to\nspi_nor_print_flags() using sizeof(snor_f_names).\n\nSince snor_f_names is an array of pointers, sizeof() returns the total\nnumber of bytes occupied by the pointers\n\t(element_count * sizeof(void *))\nrather than the element count itself. On 64-bit systems, this makes the\npassed length 8x larger than intended.\n\nInside spi_nor_print_flags(), the 'names_len' argument is used to\nbounds-check the 'names' array access. An out-of-bounds read occurs\nif a flag bit is set that exceeds the array's actual element count\nbut is within the inflated byte-size count.\n\nCorrect this by using ARRAY_SIZE() to pass the actual number of\nstring pointers in the array."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/mtd/spi-nor/debugfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"231b8e1f604f6e0a7e100536f506cdf482e2c5f5","versionType":"git","status":"affected"},{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"9a80c458320e0514e11945402dd6e48fcee05524","versionType":"git","status":"affected"},{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"ca18c180b053f6ce80394322b314ac721c316af7","versionType":"git","status":"affected"},{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"34bdcfb496b29f9a52431194f94473b37fb8c162","versionType":"git","status":"affected"},{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"c0b654bc0b76a1da102d9138be1ed1223bd99310","versionType":"git","status":"affected"},{"version":"0257be79fc4a16a3252ce80aa13b3640f728c425","lessThan":"e47029b977e747cb3a9174308fd55762cce70147","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/mtd/spi-nor/debugfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.6.140","matchCriteriaId":"DFE3BB4F-66FD-4FA9-8E12-3B92C3EED20E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/231b8e1f604f6e0a7e100536f506cdf482e2c5f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/34bdcfb496b29f9a52431194f94473b37fb8c162","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a80c458320e0514e11945402dd6e48fcee05524","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c0b654bc0b76a1da102d9138be1ed1223bd99310","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ca18c180b053f6ce80394322b314ac721c316af7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e47029b977e747cb3a9174308fd55762cce70147","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46191","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.740","lastModified":"2026-06-19T13:16:34.980","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Avoid OOB font access if console rotation fails\n\nClear the font buffer if the reallocation during console rotation fails\nin fbcon_rotate_font(). The putcs implementations for the rotated buffer\nwill return early in this case. See [1] for an example.\n\nCurrently, fbcon_rotate_font() keeps the old buffer, which is too small\nfor the rotated font. Printing to the rotated console with a high-enough\ncharacter code will overflow the font buffer.\n\nv2:\n- fix typos in commit message"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/video/fbdev/core/fbcon_rotate.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"b51c343a81e6e806525a4435e22532c107dd7e9d","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"46cf3646dea54baeaa2eafe3fb1ba769947f31b0","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"524a6079395916fb3d790ef2bb46a1d2939b27dd","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"594973a2e54924d8ba31c9faac669fc1ba6fcb80","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"ab6c34b9829d5de03f1d08a47a2253729a6e7e27","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"7105d9f1387d63b15c9a860674fc92c959181f2f","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"b44cc78ff46b96e72d333a3be6aaaa0a14797263","versionType":"git","status":"affected"},{"version":"6cc50e1c5b57180fd37a31282000f43859b0fe73","lessThan":"e4ef723d8975a2694cc90733a6b888a5e2841842","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/video/fbdev/core/fbcon_rotate.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.15","status":"affected"},{"version":"0","lessThan":"2.6.15","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.90","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.32","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.15","versionEndExcluding":"6.6.140","matchCriteriaId":"72788083-DE76-436F-8F3A-A2B84197FB84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.90","matchCriteriaId":"3BAAA2BE-6EEC-45D5-AD66-50F63CA20483"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.32","matchCriteriaId":"CB9F1FA8-6D5E-42B1-9877-57BACFE5C886"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/46cf3646dea54baeaa2eafe3fb1ba769947f31b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/524a6079395916fb3d790ef2bb46a1d2939b27dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b51c343a81e6e806525a4435e22532c107dd7e9d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46193","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.923","lastModified":"2026-06-19T13:16:35.097","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: ah: account for ESN high bits in async callbacks\n\nAH allocates its temporary auth/ICV layout differently when ESN is enabled:\nthe async ahash setup appends a 4-byte seqhi slot before the ICV or\nauth_data area, but the async completion callbacks still reconstruct the\ntemporary layout as if seqhi were absent.\n\nWith an async AH implementation selected, that makes AH copy or compare\nthe wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH\nwith ESN and forced async hmac(sha1), ping fails with 100% packet loss,\nand the callback logs show the pre-fix drift:\n\n  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24\n  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36\n\nReconstruct the callback-side layout the same way the setup path built it\nby skipping the ESN seqhi slot before locating the saved auth_data or ICV.\nPer RFC 4302, the ESN high-order 32 bits participate in the AH ICV\ncomputation, so the async callbacks must account for the seqhi slot.\n\nPost-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows\nthe corrected offset (ah4 output_done: esn=1 err=0 icv_off=24\nexpected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o\nbuild clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the\nchange has not been tested against a real async hardware AH engine."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv4/ah4.c","net/ipv6/ah6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"ec406c26c97594124e79d14516b729a8d5dced62","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"1dae77078ceb4bab833f7a4935f05c5b8c97b9ba","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"0555d4f526232b3c9e3afbcd490c0c0793aefec6","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"729899a2aa8bda7844be0cdcd3b470f11b912eda","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"7db99a09b3bc87268287bc7ab5f2e7f382b5ad87","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"2ffaa7a94f9a4d22724364a1821735a0231d9f8d","versionType":"git","status":"affected"},{"version":"d4d573d0334d07341beffdcf97e2b85d3955d8ae","lessThan":"ec54093e6a8f87e800bb6aa15eb7fc1e33faa524","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv4/ah4.c","net/ipv6/ah6.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.15","status":"affected"},{"version":"0","lessThan":"3.15","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.15","versionEndExcluding":"6.6.140","matchCriteriaId":"0BDD7E3A-E407-45A0-BC63-3035F5A44C90"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1dae77078ceb4bab833f7a4935f05c5b8c97b9ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec406c26c97594124e79d14516b729a8d5dced62","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46196","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:35.253","lastModified":"2026-06-19T13:16:35.350","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()\n\nWhen a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()\ninvokes the subsystem's ext->regfunc() before attempting to install the\nnew probe via func_add(). If func_add() then fails (for example, when\nallocate_probes() cannot allocate a new probe array under memory pressure\nand returns -ENOMEM), the function returns the error without calling the\nmatching ext->unregfunc(), leaving the side effects of regfunc() behind\nwith no installed probe to justify them.\n\nFor syscall tracepoints this is particularly unpleasant: syscall_regfunc()\nbumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.\nAfter a leaked failure, the refcount is stuck at a non-zero value with no\nconsumer, and every task continues paying the syscall trace entry/exit\noverhead until reboot. Other subsystems providing regfunc()/unregfunc()\npairs exhibit similarly scoped persistent state.\n\nMirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the\nfunc_add() error path, gated on the same condition used there so the\nunwind is symmetric with the registration."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["kernel/tracepoint.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"5787052e5f69beb649f3d6a80a8aa37d9e683e4e","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"4f1756d043e56ea2e9a6c858fb290a0cf6fc2251","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"36ff362235307af95152d510b53c2d9b8773a342","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"247ed8a969f981bfba3112fd4bb441eaa6cef59c","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"7bcadb3c2bc1cf60690e931aadd35fb7bd646a49","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"2c5b8eeea006eb694c81631cd5713d494b80be90","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"342829e042ac00f3d68d442ea92873fb6683f494","versionType":"git","status":"affected"},{"version":"8cf868affdc459beee1a941df0cfaba1673740e3","lessThan":"fad217e16fded7f3c09f8637b0f6a224d58b5f2e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["kernel/tracepoint.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.6.140","matchCriteriaId":"1CDBDDA2-4E4B-4908-9ACD-0A1C61DC1753"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.88","matchCriteriaId":"5AFBE0EC-CCDF-4207-AE92-ABF958125CA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30","matchCriteriaId":"BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.7","matchCriteriaId":"D0893CA7-9AE6-4DFE-AC75-48967D73AD8E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/36ff362235307af95152d510b53c2d9b8773a342","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f1756d043e56ea2e9a6c858fb290a0cf6fc2251","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5787052e5f69beb649f3d6a80a8aa37d9e683e4e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46203","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:35.960","lastModified":"2026-06-19T13:16:35.480","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: fix unclocked access on unbind\n\nMake sure that the controller is runtime resumed before disabling it\nduring driver unbind to avoid an unclocked register access.\n\nThis issue was flagged by Sashiko when reviewing a controller\nderegistration fix."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/spi/spi-cadence-quadspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0578a6dbfe7514db7134501cf93acc21cf13e479","lessThan":"2e7cd62c37f51823c2bb79de1d4d76d0c1678c7e","versionType":"git","status":"affected"},{"version":"0578a6dbfe7514db7134501cf93acc21cf13e479","lessThan":"63a9f6012f453578898c9fcc13c8452a8651104e","versionType":"git","status":"affected"},{"version":"0578a6dbfe7514db7134501cf93acc21cf13e479","lessThan":"d67a5311818b3e6481a1e4293c9337ebfee73111","versionType":"git","status":"affected"},{"version":"0578a6dbfe7514db7134501cf93acc21cf13e479","lessThan":"233db2cb14db8b1935dda52a6affd97276462b82","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/spi/spi-cadence-quadspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.9","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"7.0.9","matchCriteriaId":"8E137ACC-667C-4BE9-82DC-FC037C5B10C6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/233db2cb14db8b1935dda52a6affd97276462b82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2e7cd62c37f51823c2bb79de1d4d76d0c1678c7e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63a9f6012f453578898c9fcc13c8452a8651104e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d67a5311818b3e6481a1e4293c9337ebfee73111","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-46208","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:36.457","lastModified":"2026-06-19T13:16:35.580","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: stop tp_meter sessions during mesh teardown\n\nTP meter sessions remain linked on bat_priv->tp_list after the netlink\nrequest has already finished. When the mesh interface is removed,\nbatadv_mesh_free() currently tears down the mesh without first draining\nthese sessions.\n\nA running sender thread or a late incoming tp_meter packet can then keep\nprocessing against a mesh instance which is already shutting down.\nSynchronize tp_meter with the mesh lifetime by stopping all active\nsessions from batadv_mesh_free() and waiting for sender threads to exit\nbefore teardown continues."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/batman-adv/main.c","net/batman-adv/tp_meter.c","net/batman-adv/tp_meter.h","net/batman-adv/types.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"5e7d0ac936354c36810e74ac3056b334ed1f4058","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"268078acae72daa12b17b2b299701cb9924e469a","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"58943b7ea356294749dae3e75b96c0ee292c00be","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"79bc0eaeef2c5797317bf2da8e3159a74d62ec47","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"26dfeee8db81354bfdade155f27f9e16510ad196","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"03660dab86f93319178a24667f6998526dc4355d","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"8634c1dbd73adb74d40533ebb7e914efb82e71fb","versionType":"git","status":"affected"},{"version":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e","lessThan":"3d3cf6a7314aca4df0a6dde28ce784a2a30d0166","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/batman-adv/main.c","net/batman-adv/tp_meter.c","net/batman-adv/tp_meter.h","net/batman-adv/types.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.8","status":"affected"},{"version":"0","lessThan":"4.8","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.90","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.32","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.9","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.140","matchCriteriaId":"8A43D2A6-1BA2-4D24-92BF-860A1BD48E27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.90","matchCriteriaId":"3BAAA2BE-6EEC-45D5-AD66-50F63CA20483"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.32","matchCriteriaId":"CB9F1FA8-6D5E-42B1-9877-57BACFE5C886"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.9","matchCriteriaId":"33ACA10B-B260-46EA-BD50-70EBE5097672"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03660dab86f93319178a24667f6998526dc4355d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/268078acae72daa12b17b2b299701cb9924e469a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/26dfeee8db81354bfdade155f27f9e16510ad196","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d3cf6a7314aca4df0a6dde28ce784a2a30d0166","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/58943b7ea356294749dae3e75b96c0ee292c00be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5e7d0ac936354c36810e74ac3056b334ed1f4058","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/79bc0eaeef2c5797317bf2da8e3159a74d62ec47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8634c1dbd73adb74d40533ebb7e914efb82e71fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}