{"resultsPerPage":73,"startIndex":0,"totalResults":73,"format":"NVD_CVE","version":"2.0","timestamp":"2026-07-15T08:50:27.897","vulnerabilities":[{"cve":{"id":"CVE-2025-13914","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:22.697","lastModified":"2026-07-08T03:18:04.677","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM \n\nattacker to impersonate managed devices.\n\nDue to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.\n\nThis issue affects all versions of Apstra before 6.1.1."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"Apstra","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"6.1.1","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.8},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-14T14:35:08.217958Z","id":"CVE-2025-13914","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-322"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:apstra:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.1","matchCriteriaId":"30F738A9-9E5D-4CD5-9CE5-A61839AA86B4"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA107862","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-21904","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:24.557","lastModified":"2026-07-08T03:17:14.290","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the \n\nlist filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator.\n\nThis issue affects all versions of Junos Space before 24.1R5 Patch V3."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"Junos Space","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"24.1R5 Patch V3","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-10T14:14:36.676713Z","id":"CVE-2026-21904","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:1.0:*:*:*:*:*:*:*","matchCriteriaId":"289CAAE5-882C-4236-BF76-B20F8A7F3014"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:1.1:*:*:*:*:*:*:*","matchCriteriaId":"DA36F3E8-0F58-4635-843C-B3C62FD48682"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:1.2:*:*:*:*:*:*:*","matchCriteriaId":"CEA96869-72CF-49D2-94E1-4FF8102A29CA"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:1.3:*:*:*:*:*:*:*","matchCriteriaId":"21DA6F2F-72F5-4D3A-AB4C-2C5D56C615FF"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:1.4:*:*:*:*:*:*:*","matchCriteriaId":"F6CF9AF7-A335-4C05-9F45-08253A521D40"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:2.0:*:*:*:*:*:*:*","matchCriteriaId":"87F7E9A7-CA85-4F4D-8F0C-DF0C79A80B93"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:11.1:*:*:*:*:*:*:*","matchCriteriaId":"61A323AE-7C8D-49F3-BB47-15DEBAFC86BD"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:11.2:*:*:*:*:*:*:*","matchCriteriaId":"EAEC058B-C096-455B-9A75-5191E00A367D"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:11.3:*:*:*:*:*:*:*","matchCriteriaId":"A6E79208-AF42-48D9-990C-E2E2E1DE8E1E"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:11.4:*:*:*:*:*:*:*","matchCriteriaId":"DA5E2C05-12C0-48B6-BE84-0A045B2A2B91"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:12.1:*:*:*:*:*:*:*","matchCriteriaId":"167749D0-F3B8-48F3-BFC8-37A531E48C16"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:12.2:*:*:*:*:*:*:*","matchCriteriaId":"D4C754E5-ACBB-45DE-B983-0888A8EB7CD3"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:12.3:*:*:*:*:*:*:*","matchCriteriaId":"84E7CE7F-4410-461D-9381-B186789B6509"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.1:-:*:*:*:*:*:*","matchCriteriaId":"5BE1AAAA-0C4E-4059-96E7-4D118BF2DBEF"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.1:r1.8:*:*:*:*:*:*","matchCriteriaId":"04858E4C-720A-400E-81AF-B5572424B351"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1:*:*:*:*:*:*","matchCriteriaId":"7B610137-66AC-43D3-BBAE-4390011C20AC"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.1:*:*:*:*:*:*","matchCriteriaId":"53C917DF-0507-45C8-89FE-29F400C35030"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.2:*:*:*:*:*:*","matchCriteriaId":"677B0C4D-923A-4376-85A8-56208E3728A3"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.3:*:*:*:*:*:*","matchCriteriaId":"BDEF52F5-ABE3-453C-9A5C-7FD5CCC18F09"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.4:*:*:*:*:*:*","matchCriteriaId":"1B7BBF07-791C-43FE-AC38-EB68493092BC"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.5:*:*:*:*:*:*","matchCriteriaId":"D5B55D33-A294-4DE2-887D-6A7E29F7EEE8"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.6:*:*:*:*:*:*","matchCriteriaId":"8DA50B20-F26E-4FB7-A46A-74836CF546A0"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.7:*:*:*:*:*:*","matchCriteriaId":"2BA008EC-659A-43CC-9741-E765958BD824"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.8:*:*:*:*:*:*","matchCriteriaId":"FB63AB30-45A0-40A3-8C45-1BBAA501B2A4"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r1.9:*:*:*:*:*:*","matchCriteriaId":"31B0594A-AA98-4C17-9646-9DF7620089A5"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r2:*:*:*:*:*:*","matchCriteriaId":"D81E5484-5C0D-44CB-90A8-65EE4E7D4F92"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r3:*:*:*:*:*:*","matchCriteriaId":"5EDD9296-6FB1-45E2-80EE-9F0F84CAFC94"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:13.3:r4:*:*:*:*:*:*","matchCriteriaId":"A53A9542-72FD-40E8-94F1-C7C0D776D726"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:14.1:-:*:*:*:*:*:*","matchCriteriaId":"DC29AA1D-4CBC-413A-9333-72F3616CE918"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:14.1:r1:*:*:*:*:*:*","matchCriteriaId":"00FCCF10-B612-46FC-94E6-70082F2E1091"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:14.1:r2:*:*:*:*:*:*","matchCriteriaId":"E5F85CA0-36F3-48EE-8D35-A986412C91D9"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:14.1:r3:*:*:*:*:*:*","matchCriteriaId":"61813043-BAED-4803-9D5B-7B7E113D2FBD"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.1:-:*:*:*:*:*:*","matchCriteriaId":"E0D618D6-F413-47DD-BD26-4F62B7227A7F"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.1:r2:*:*:*:*:*:*","matchCriteriaId":"B5A79F3A-80B9-4D98-92EE-681ED2E716B8"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.1:r3:*:*:*:*:*:*","matchCriteriaId":"FD833CE8-F37B-4EEB-9DD3-E8A8BB121390"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.1:r4:*:*:*:*:*:*","matchCriteriaId":"3E4B00D0-93F9-4145-BA91-6F4A66F19854"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.2:-:*:*:*:*:*:*","matchCriteriaId":"74CB3FCB-192A-48A7-9FF3-3D228729AC60"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:15.2:r2:*:*:*:*:*:*","matchCriteriaId":"139FA36E-582D-41E9-AC4F-9BD49C844039"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1:*:*:*:*:*:*:*","matchCriteriaId":"67829EE9-39AE-43C5-91FE-A911F5C99346"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1:-:*:*:*:*:*:*","matchCriteriaId":"2EB54773-A54F-4D9E-B213-464421B4FA88"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1:r1:*:*:*:*:*:*","matchCriteriaId":"FC8CBF0A-310F-41EB-B377-F08FE03E3867"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1:r2:*:*:*:*:*:*","matchCriteriaId":"62BB74B8-C90B-4CA1-B8CE-29F8D42D4B46"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1:r3:*:*:*:*:*:*","matchCriteriaId":"44855E13-5493-4362-B7E8-5A1A6F299FFC"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:16.1r3:*:*:*:*:*:*:*","matchCriteriaId":"FC82CE95-E9A7-4B1E-9DEE-FFF24EED713E"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:17.1:-:*:*:*:*:*:*","matchCriteriaId":"28D46176-27CE-4EAF-AF83-83F81A798103"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:17.1:r1:*:*:*:*:*:*","matchCriteriaId":"430F2EBF-09EB-4F48-ACF8-8B4EDF83E284"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:17.2:-:*:*:*:*:*:*","matchCriteriaId":"F3EAC6FC-A2DC-4EF1-BF56-93728A9CDDAA"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:17.2:r1.4:*:*:*:*:*:*","matchCriteriaId":"BE35151C-FCF6-4A89-8283-B24225019241"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:18.1:-:*:*:*:*:*:*","matchCriteriaId":"041D10A1-B577-4109-A98D-DA20560FDA37"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:18.1r1:*:*:*:*:*:*:*","matchCriteriaId":"D82DF30A-C838-49AC-95DC-16D765FD5588"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:18.2:-:*:*:*:*:*:*","matchCriteriaId":"3FD83E88-0DD9-4584-B594-2839D15FA055"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:18.3:-:*:*:*:*:*:*","matchCriteriaId":"5F1FA208-9AC5-414A-917A-6595917440EC"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:18.4:-:*:*:*:*:*:*","matchCriteriaId":"746F17A3-C20A-495D-9EEA-635392ECE907"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:19.1:-:*:*:*:*:*:*","matchCriteriaId":"F113B1F6-CF32-4BB4-A3C5-638D1531FE9F"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:20.3:r1:*:*:*:*:*:*","matchCriteriaId":"326E02EB-2D43-4784-AF77-EAF364AFCA44"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:21.1:r1:*:*:*:*:*:*","matchCriteriaId":"395C3952-0DD2-414E-BD71-34C636A60411"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:21.2:r1:*:*:*:*:*:*","matchCriteriaId":"CAAD4A16-885D-403B-B7F0-D505F16117E1"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:21.3:r1:*:*:*:*:*:*","matchCriteriaId":"4E35AACE-C693-4813-8A4C-84AF5CE31598"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:22.1:r1:*:*:*:*:*:*","matchCriteriaId":"2A299BD3-E911-4B33-A759-088DADC0CF5C"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:22.2:r1:*:*:*:*:*:*","matchCriteriaId":"022F09D3-1F23-459B-BA76-14FABB2CB2E6"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:22.3:r1:*:*:*:*:*:*","matchCriteriaId":"4679BFE4-F00C-4CA2-B7F5-93DC97C13A76"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:23.1:r1:*:*:*:*:*:*","matchCriteriaId":"2B4163AD-07D3-4C60-9277-0ACCFBD24255"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*","matchCriteriaId":"0566970C-0E9B-4566-9920-C7C436A4243D"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*","matchCriteriaId":"A2AA399D-5A7D-45B8-B774-D69054DFA4D3"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*","matchCriteriaId":"57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:24.1:r4:*:*:*:*:*:*","matchCriteriaId":"3F39EC68-9DBB-4A30-BB44-1A26020079CB"},{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:junos_space:24.1:r5:*:*:*:*:*:*","matchCriteriaId":"18B71350-88B1-4644-8CDD-D31661A848F0"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA106003","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-21915","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:24.747","lastModified":"2026-07-08T03:19:23.710","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root.\n\nThe CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system.\n\nThis issue affects all JSI vLWC versions before 3.0.94."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"JSI LWC","defaultStatus":"unaffected","platforms":["vLWC"],"versions":[{"version":"0","lessThan":"3.0.94","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-10T03:56:14.461955Z","id":"CVE-2026-21915","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-183"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:virtual_lightweight_collector:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.94","matchCriteriaId":"FF1FB888-3C5F-485F-BA71-83ED891665B1"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA106016","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-33774","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:25.803","lastModified":"2026-07-08T03:20:40.993","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.\n\nOn MX platforms with \n\nMPC10, MPC11, LC4800 or LC9600\n\nline cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance.\n\n An affected configuration would be:\n\nuser@host# show configuration interfaces lo0 | display set\nset interfaces lo0 unit 1 family inet filter input <filter-name>\n\nwhere a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI.\n\nThe issue can be observed with the CLI command:\n\nuser@device> show firewall counter filter <filter_name> \n\nnot showing any matches.\n\nThis issue affects Junos OS on MX Series:\n\n  *  all versions before 23.2R2-S6,\n  *  23.4 versions before 23.4R2-S7,\n  *  24.2 versions before 24.2R2,\n  *  24.4 versions before 24.4R2."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"Junos OS","defaultStatus":"unaffected","platforms":["MX Series"],"versions":[{"version":"0","lessThan":"23.2R2-S6","versionType":"semver","status":"affected"},{"version":"23.4","lessThan":"23.4R2-S7","versionType":"semver","status":"affected"},{"version":"24.2","lessThan":"24.2R2","versionType":"semver","status":"affected"},{"version":"24.4","lessThan":"24.4R2","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"LOW","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-10T14:14:09.835711Z","id":"CVE-2026-33774","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-754"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*","versionEndExcluding":"23.2","matchCriteriaId":"3D14745F-3090-483F-9DB4-C424FA09BD21"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*","matchCriteriaId":"4B3B2FE1-C228-46BE-AC76-70C2687050AE"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"F1B16FF0-900F-4AEE-B670-A537139F6909"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"B227E831-30FF-4BE1-B8B2-31829A5610A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*","matchCriteriaId":"1ADA814B-EF98-45B1-AF7A-0C89688F7CA5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*","matchCriteriaId":"A6FB32DF-D062-4FB9-8777-452978BEC7B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*","matchCriteriaId":"B3B6C811-5C10-4486-849D-5559B592350A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*","matchCriteriaId":"078D61B9-A228-453C-9D20-6F9C6B20637F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s4:*:*:*:*:*:*","matchCriteriaId":"F1F136A0-021D-43FE-BDD3-AD7201F7FC03"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r2-s5:*:*:*:*:*:*","matchCriteriaId":"37147BC9-9ED8-48AE-906A-614AD8600962"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*","matchCriteriaId":"BE8A5BA3-87BD-473A-B229-2AAB2C797005"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*","matchCriteriaId":"8B74AC3E-8FC9-400A-A176-4F7F21F10756"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"CB2D1FCE-8019-4CE1-BA45-D62F91AF7B51"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*","matchCriteriaId":"175CCB13-76C0-44A4-A71D-41E22B92EB23"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*","matchCriteriaId":"166BFDB3-1945-4949-BC2B-E18442FF2E4D"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*","matchCriteriaId":"5923610F-878C-48CA-8B5D-9C609E4DD4DB"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*","matchCriteriaId":"A7C207E3-0252-4192-8E8C-E2ED2831B4F4"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*","matchCriteriaId":"E6974492-FE69-4340-8881-61C3329C1545"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s5:*:*:*:*:*:*","matchCriteriaId":"279E59FE-96DF-4E1D-A3A2-61D180F04533"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.4:r2-s6:*:*:*:*:*:*","matchCriteriaId":"4D9A36E5-A1BB-46E1-91B6-91A4C40C1B59"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1:*:*:*:*:*:*","matchCriteriaId":"AD69A194-1B03-44EA-8092-79BD10C6F729"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"8463ADB4-B8A7-4D63-97A9-232ED713A21C"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"FE68337F-106E-4317-A5B6-292B0159F577"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*","matchCriteriaId":"2B8158F2-2028-40E9-955F-CFD581A32F60"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"1A7233A1-EC7A-4458-9AE1-835480A03A21"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:24.4:r1-s3:*:*:*:*:*:*","matchCriteriaId":"D74087E2-5CAA-4085-8408-EB70EC1D5D91"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:lc4800:-:*:*:*:*:*:*:*","matchCriteriaId":"F9C1C794-916A-401E-B430-D91E523B900D"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:mpc10:-:*:*:*:*:*:*:*","matchCriteriaId":"E821E5BD-8DF5-4C22-BD8E-2331318F97EB"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:mpc11:-:*:*:*:*:*:*:*","matchCriteriaId":"349364B1-359A-4D53-87D6-C440BC1D95E1"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:mx304:-:*:*:*:*:*:*:*","matchCriteriaId":"3F7FB0CC-624D-4AB9-A7AC-BB19838C3B22"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA107865","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-33784","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:27.820","lastModified":"2026-07-08T03:20:22.177","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Use of Default Password vulnerability in the Juniper Networks \n\nSupport Insights (JSI) \n\nVirtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.\n\nvLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"JSI LWC","defaultStatus":"unaffected","platforms":["vLWC"],"versions":[{"version":"0","lessThan":"3.0.94","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"LOW","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-13T17:54:25.395838Z","id":"CVE-2026-33784","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-1393"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:juniper:virtual_lightweight_collector:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.94","matchCriteriaId":"FF1FB888-3C5F-485F-BA71-83ED891665B1"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA107871","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-33788","sourceIdentifier":"sirt@juniper.net","published":"2026-04-09T22:16:28.593","lastModified":"2026-07-08T03:21:31.393","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device.\n\nA local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component.\n\nThis issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202:\n\n\n\n\n  *  All versions before 21.2R3-S8-EVO,\n  *  21.4-EVO versions before 21.4R3-S7-EVO,\n  *  22.2-EVO versions before 22.2R3-S4-EVO,\n  *  22.3-EVO versions before 22.3R3-S3-EVO,\n  *  22.4-EVO versions before 22.4R3-S2-EVO,\n  *  23.2-EVO versions before 23.2R2-EVO."}],"affected":[{"source":"sirt@juniper.net","affectedData":[{"vendor":"Juniper Networks","product":"Junos OS Evolved","defaultStatus":"unaffected","platforms":["PTX Series"],"versions":[{"version":"0","lessThan":"21.2R3-S8-EVO","versionType":"semver","status":"affected"},{"version":"21.4-EVO","lessThan":"21.4R3-S7-EVO","versionType":"semver","status":"affected"},{"version":"22.2-EVO","lessThan":"22.2R3-S4-EVO","versionType":"semver","status":"affected"},{"version":"22.3-EVO","lessThan":"22.3R3-S3-EVO","versionType":"semver","status":"affected"},{"version":"22.4-EVO","lessThan":"22.4R3-S2-EVO","versionType":"semver","status":"affected"},{"version":"23.2-EVO","lessThan":"23.2R2-EVO","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"sirt@juniper.net","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-10T03:56:13.066855Z","id":"CVE-2026-33788","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"sirt@juniper.net","type":"Secondary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*","versionEndExcluding":"21.2","matchCriteriaId":"331C0F12-D9B9-483B-9EF0-28E48ED8346D"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:*","matchCriteriaId":"A52AF794-B36B-43A6-82E9-628658624B0A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"3998DC76-F72F-4452-9150-652140B113EB"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"36ED4552-2420-45F9-B6E4-6DA2B2B12870"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r2:*:*:*:*:*:*","matchCriteriaId":"C28A14E7-7EA0-4757-9764-E39A27CFDFA5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r2-s1:*:*:*:*:*:*","matchCriteriaId":"4A43752D-A4AF-4B4E-B95B-192E42883A5B"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r2-s2:*:*:*:*:*:*","matchCriteriaId":"42986538-E9D0-4C2E-B1C4-A763A4EE451B"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3:*:*:*:*:*:*","matchCriteriaId":"DE22CA01-EA7E-4EE5-B59F-EE100688C1DA"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s1:*:*:*:*:*:*","matchCriteriaId":"E596ABD9-6ECD-48DC-B770-87B7E62EA345"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s2:*:*:*:*:*:*","matchCriteriaId":"71745D02-D226-44DC-91AD-678C85F5E6FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s3:*:*:*:*:*:*","matchCriteriaId":"39E44B09-7310-428C-8144-AE9DB0484D1F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s4:*:*:*:*:*:*","matchCriteriaId":"53938295-8999-4316-9DED-88E24D037852"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s5:*:*:*:*:*:*","matchCriteriaId":"2307BF56-640F-49A8-B060-6ACB0F653A61"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s6:*:*:*:*:*:*","matchCriteriaId":"737DDF96-7B1D-44E2-AD0F-E2F50858B2A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.2:r3-s7:*:*:*:*:*:*","matchCriteriaId":"35E0BB39-18AE-4FAD-A528-FDFF6222DDE5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r1:*:*:*:*:*:*","matchCriteriaId":"4310D2D9-A8A6-48F8-9384-0A0692A1E1C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r1-s1:*:*:*:*:*:*","matchCriteriaId":"9962B01C-C57C-4359-9532-676AB81CE8B0"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"62178549-B679-4902-BFDB-2993803B7FCE"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r2:*:*:*:*:*:*","matchCriteriaId":"9AD697DF-9738-4276-94ED-7B9380CD09F5"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r2-s1:*:*:*:*:*:*","matchCriteriaId":"09FF5818-0803-4646-A386-D7C645EE58A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r2-s2:*:*:*:*:*:*","matchCriteriaId":"2229FA59-EB24-49A2-85CE-F529A8DE6BA7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3:*:*:*:*:*:*","matchCriteriaId":"0CB280D8-C5D8-4B51-A879-496ACCDE4538"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s1:*:*:*:*:*:*","matchCriteriaId":"5F3F54F1-75B3-400D-A735-2C27C8CEBE79"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s2:*:*:*:*:*:*","matchCriteriaId":"476A49E7-37E9-40F9-BF2D-9BBFFAA1DFFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s3:*:*:*:*:*:*","matchCriteriaId":"0A5B196A-2AF1-4AE5-9148-A75A572807BC"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s4:*:*:*:*:*:*","matchCriteriaId":"3B457616-2D91-4913-9A7D-038BBF8F1F66"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s5:*:*:*:*:*:*","matchCriteriaId":"C470FB4E-A927-4AF3-ACB0-AD1E264218B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:21.4:r3-s6:*:*:*:*:*:*","matchCriteriaId":"44E98BC3-1D43-481A-AB09-FFA502C36AAF"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r1:*:*:*:*:*:*","matchCriteriaId":"E949B21B-AD62-4022-9088-06313277479E"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"8D862E6F-0D01-4B25-8340-888C30F75A2F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"2F28F73E-8563-41B9-A313-BBAAD5B57A67"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r2:*:*:*:*:*:*","matchCriteriaId":"E37D4694-C80B-475E-AB5B-BB431F59C5E1"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r2-s1:*:*:*:*:*:*","matchCriteriaId":"5EC0D2D2-4922-4675-8A2C-57A08D7BE334"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r2-s2:*:*:*:*:*:*","matchCriteriaId":"9EC91F9D-DEDA-46B4-A39F-59A2CDB86C2E"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r3:*:*:*:*:*:*","matchCriteriaId":"591AA3E6-62A2-4A1A-A04C-E808F71D8B6E"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r3-s1:*:*:*:*:*:*","matchCriteriaId":"786F993E-32CB-492A-A7CC-A7E4F48EA8B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r3-s2:*:*:*:*:*:*","matchCriteriaId":"60CEA89D-BAC4-41CD-A1D1-AA5EDDEBD54A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.2:r3-s3:*:*:*:*:*:*","matchCriteriaId":"BC449CC7-B2D6-41CB-8D6C-81DE89E79520"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r1:*:*:*:*:*:*","matchCriteriaId":"19519212-51DD-4448-B115-8A20A40192CC"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r1-s1:*:*:*:*:*:*","matchCriteriaId":"5CC9909E-AE9F-414D-99B1-83AA04D5297B"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r1-s2:*:*:*:*:*:*","matchCriteriaId":"FDE9E767-4713-4EA2-8D00-1382975A4A15"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r2:*:*:*:*:*:*","matchCriteriaId":"59DDA54E-6845-47EB-AE3C-5EC6BD33DFA7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r2-s1:*:*:*:*:*:*","matchCriteriaId":"574730B0-56C8-4A03-867B-1737148ED9B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r2-s2:*:*:*:*:*:*","matchCriteriaId":"20EBC676-1B26-4A71-8326-0F892124290A"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r3:*:*:*:*:*:*","matchCriteriaId":"FB4C0FBF-8813-44E5-B71A-22CBAA603E2F"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r3-s1:*:*:*:*:*:*","matchCriteriaId":"8BCDE58C-80CC-4C5A-9667-8A4468D8D76C"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r3-s2:*:*:*:*:*:*","matchCriteriaId":"19326769-2F08-4E61-8246-CCE7AE4483F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.3:r3-s3:*:*:*:*:*:*","matchCriteriaId":"8FB298B9-E0F2-4195-82D4-4EBA879C5CD7"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*","matchCriteriaId":"28E42A41-7965-456B-B0AF-9D3229CE4D4C"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*","matchCriteriaId":"CB1A77D6-D3AD-481B-979C-8F778530B175"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*","matchCriteriaId":"3A064B6B-A99B-4D8D-A62D-B00C7870BC30"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*","matchCriteriaId":"40813417-A938-4F74-A419-8C5188A35486"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*","matchCriteriaId":"7FC1BA1A-DF0E-4B15-86BA-24C60E546732"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*","matchCriteriaId":"EBB967BF-3495-476D-839A-9DBFCBE69F91"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*","matchCriteriaId":"7E5688D6-DCA4-4550-9CD1-A3D792252129"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:22.4:r3-s1:*:*:*:*:*:*","matchCriteriaId":"8494546C-00EA-49B6-B6FA-FDE42CA5B1FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*","matchCriteriaId":"4B3B2FE1-C228-46BE-AC76-70C2687050AE"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*","matchCriteriaId":"F1B16FF0-900F-4AEE-B670-A537139F6909"},{"vulnerable":true,"criteria":"cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*","matchCriteriaId":"B227E831-30FF-4BE1-B8B2-31829A5610A6"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:jnp10k-lc1201:-:*:*:*:*:*:*:*","matchCriteriaId":"783F4573-919C-478C-B965-D560562E96BC"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:jnp10k-lc1202:-:*:*:*:*:*:*:*","matchCriteriaId":"176A5135-D9BA-46A9-B94C-7CBA8CA16153"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:ptx100016:-:*:*:*:*:*:*:*","matchCriteriaId":"37F94757-34CE-4F88-A6D3-544FE6A476D5"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:ptx10004:-:*:*:*:*:*:*:*","matchCriteriaId":"C432E543-37F5-4CA0-B239-2B97C6A16907"},{"vulnerable":false,"criteria":"cpe:2.3:h:juniper:ptx10008:-:*:*:*:*:*:*:*","matchCriteriaId":"65A64A26-4606-4D33-8958-5A3B7FFC4CDB"}]}]}],"references":[{"url":"https://kb.juniper.net/JSA107806","source":"sirt@juniper.net","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-3861","sourceIdentifier":"dl_cve@linecorp.com","published":"2026-04-16T07:16:30.090","lastModified":"2026-07-08T03:29:56.760","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable."}],"affected":[{"source":"dl_cve@linecorp.com","affectedData":[{"vendor":"LY Corporation","product":"LINE client for iOS","defaultStatus":"affected","versions":[{"version":"26.3.0","lessThan":"*","versionType":"custom","status":"unaffected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"dl_cve@linecorp.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"dl_cve@linecorp.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-16T12:16:15.191045Z","id":"CVE-2026-3861","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-451"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linecorp:line:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"26.3.0","matchCriteriaId":"39D9772A-4BD9-445D-B9CA-2B6865EE4B10"}]}]}],"references":[{"url":"https://hackerone.com/reports/3422905","source":"dl_cve@linecorp.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-40002","sourceIdentifier":"psirt@zte.com.cn","published":"2026-04-17T08:16:18.120","lastModified":"2026-07-08T03:29:04.650","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties."}],"affected":[{"source":"psirt@zte.com.cn","affectedData":[{"vendor":"ZTE","product":"Red Magic 11 Pro (NX809J)","defaultStatus":"unaffected","versions":[{"version":"GEN_NEEA_NX809J V1.0.0B14MR1","lessThanOrEqual":"V1.0.0B14MR1","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"psirt@zte.com.cn","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.8,"impactScore":3.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-17T12:11:30.065966Z","id":"CVE-2026-40002","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"psirt@zte.com.cn","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:zte:nubia-in_nx809j_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"GEN_NEEA_NX809JV1.0.0B16MR1","matchCriteriaId":"08FC4588-5DB4-432B-9D82-EED2D7FE2294"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:zte:nubia-in_nx809j:-:*:*:*:*:*:*:*","matchCriteriaId":"F89C0115-1F2F-4FE0-96BA-D14C3F7E3F05"}]}]}],"references":[{"url":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8224335890517684583","source":"psirt@zte.com.cn","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-22051","sourceIdentifier":"security-alert@netapp.com","published":"2026-04-20T22:16:23.367","lastModified":"2026-07-08T03:28:39.780","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to."}],"affected":[{"source":"security-alert@netapp.com","affectedData":[{"vendor":"NETAPP","product":"StorageGRID (formerly StorageGRID Webscale)","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"11.9.0.13","versionType":"custom","status":"affected"},{"version":"0","lessThan":"12.0.0.6","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-alert@netapp.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-21T13:40:42.595085Z","id":"CVE-2026-22051","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*","versionEndExcluding":"11.9.0.13","matchCriteriaId":"B754F822-D066-4C69-BC29-2020129FF8AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0","versionEndExcluding":"12.0.0.6","matchCriteriaId":"F124B755-8A4B-4544-BFAE-F0C2639CBB93"}]}]}],"references":[{"url":"https://security.netapp.com/advisory/ntap-20260420-0001","source":"security-alert@netapp.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-6058","sourceIdentifier":"security@zyxel.com.tw","published":"2026-04-21T02:16:08.500","lastModified":"2026-07-08T03:28:08.597","vulnStatus":"Analyzed","cveTags":[{"sourceIdentifier":"security@zyxel.com.tw","tags":["unsupported-when-assigned"]}],"descriptions":[{"lang":"en","value":"** UNSUPPORTED WHEN ASSIGNED ** An improper encoding or escaping vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the WLAN to cause a denial-of-service (DoS) condition in the web management interface by convincing an authenticated administrator to visit the “AP Select” page while a malformed SSID is present."}],"affected":[{"source":"security@zyxel.com.tw","affectedData":[{"vendor":"Zyxel","product":"WRE6505 v2 firmware","defaultStatus":"unaffected","versions":[{"version":"V1.00(ABDV.3)C0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security@zyxel.com.tw","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H","baseScore":4.5,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":0.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-21T13:26:22.166869Z","id":"CVE-2026-6058","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@zyxel.com.tw","type":"Secondary","description":[{"lang":"en","value":"CWE-116"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:zyxel:wre6505_firmware:v1.00\\(abdv.3\\)c0:*:*:*:*:*:*:*","matchCriteriaId":"6CCCBD5B-877B-4050-83AB-33E29C86A399"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:zyxel:wre6505:v2:*:*:*:*:*:*:*","matchCriteriaId":"80D82EE7-F4EF-46FA-9D1D-C7EC6159E74E"}]}]}],"references":[{"url":"https://www.zyxel.com/global/en/support/end-of-life","source":"security@zyxel.com.tw","tags":["Product"]}]}},{"cve":{"id":"CVE-2026-21999","sourceIdentifier":"secalert_us@oracle.com","published":"2026-04-21T21:16:25.060","lastModified":"2026-07-08T03:27:15.830","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vulnerability in the XML Database component of Oracle Database Server.  Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)."}],"affected":[{"source":"secalert_us@oracle.com","affectedData":[{"vendor":"Oracle Corporation","product":"Oracle Database Server","versions":[{"version":"23.4.0","lessThanOrEqual":"23.26.1","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"secalert_us@oracle.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-22T14:04:52.440323Z","id":"CVE-2026-21999","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:xml_database:*:*:*:*:*:*:*:*","versionStartIncluding":"23.4","versionEndIncluding":"23.26.1","matchCriteriaId":"9EB5882B-654A-47A8-8EBE-44CCB0DDA08F"}]}]}],"references":[{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","source":"secalert_us@oracle.com","tags":["Patch","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-41988","sourceIdentifier":"cve@mitre.org","published":"2026-04-23T05:16:05.613","lastModified":"2026-07-08T03:27:35.217","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue."}],"affected":[{"source":"cve@mitre.org","affectedData":[{"vendor":"uuidjs","product":"uuid","defaultStatus":"unaffected","packageURL":"pkg:npm/uuid","versions":[{"version":"0","lessThan":"14.0.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N","baseScore":3.2,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.4,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":2.5,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-23T14:48:49.689201Z","id":"CVE-2026-41988","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-670"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:uuidjs:uuid:*:*:*:*:*:node.js:*:*","versionEndExcluding":"11.1.1","matchCriteriaId":"B8AA79D0-36C1-44C8-BB22-29113130D2DA"},{"vulnerable":true,"criteria":"cpe:2.3:a:uuidjs:uuid:12.0.0:*:*:*:*:node.js:*:*","matchCriteriaId":"989A818E-3B12-4BA1-8311-C2C4237B3E47"},{"vulnerable":true,"criteria":"cpe:2.3:a:uuidjs:uuid:13.0.0:*:*:*:*:node.js:*:*","matchCriteriaId":"88125146-C07D-4469-86AC-447F215418F1"}]}]}],"references":[{"url":"https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34","source":"cve@mitre.org","tags":["Patch"]},{"url":"https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq","source":"cve@mitre.org","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42167","sourceIdentifier":"cve@mitre.org","published":"2026-04-28T23:16:20.610","lastModified":"2026-07-08T03:26:55.713","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM)."}],"affected":[{"source":"cve@mitre.org","affectedData":[{"vendor":"ProFTPD","product":"ProFTPD","defaultStatus":"unaffected","versions":[{"version":"1.3.7b","lessThan":"1.3.9a","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-04-29T12:51:40.626237Z","id":"CVE-2026-42167","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*","versionEndIncluding":"1.3.9b","matchCriteriaId":"AB7EA00C-FD1D-4028-8DFF-4287D5CA721F"}]}]}],"references":[{"url":"http://www.proftpd.org/docs/RELEASE_NOTES-1.3.10rc1","source":"cve@mitre.org","tags":["Release Notes"]},{"url":"https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc","source":"cve@mitre.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/proftpd/proftpd/issues/2052","source":"cve@mitre.org","tags":["Exploit","Issue Tracking","Patch"]},{"url":"https://www.openwall.com/lists/oss-security/2026/05/01/4","source":"cve@mitre.org","tags":["Mailing List"]},{"url":"https://zeropath.com/blog/proftpd-cve-2026-42167-auth-bypass-privesc-rce","source":"cve@mitre.org","tags":["Exploit","Press/Media Coverage","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/01/13","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/01/4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"https://github.com/ZeroPathAI/proftpd-CVE-2026-42167-poc","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-37552","sourceIdentifier":"cve@mitre.org","published":"2026-05-01T16:16:30.917","lastModified":"2026-07-08T03:26:23.180","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\\Closure\\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution."}],"affected":[{"source":"cve@mitre.org","affectedData":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-05-01T19:38:00.236038Z","id":"CVE-2026-37552","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openmix:mix_php:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.1","versionEndIncluding":"2.2.17","matchCriteriaId":"3B80F5D1-2142-46BC-8E39-8D0A368F7ADE"}]}]}],"references":[{"url":"https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https://github.com/mix-php/mix","source":"cve@mitre.org","tags":["Product"]},{"url":"https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php","source":"cve@mitre.org","tags":["Product"]}]}},{"cve":{"id":"CVE-2026-42475","sourceIdentifier":"cve@mitre.org","published":"2026-05-01T16:16:31.930","lastModified":"2026-07-08T03:25:53.017","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in BuildHelper.php."}],"affected":[{"source":"cve@mitre.org","affectedData":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-05-01T18:36:02.868913Z","id":"CVE-2026-42475","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openmix:mix_php:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.1","versionEndIncluding":"2.2.17","matchCriteriaId":"3B80F5D1-2142-46BC-8E39-8D0A368F7ADE"}]}]}],"references":[{"url":"https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https://github.com/mix-php/mix","source":"cve@mitre.org","tags":["Product"]},{"url":"https://github.com/mix-php/mix/blob/v2.2.17/src/database/src/Helper/BuildHelper.php","source":"cve@mitre.org","tags":["Product"]}]}},{"cve":{"id":"CVE-2026-53263","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.283","lastModified":"2026-07-08T04:02:17.687","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\n6lowpan: fix off-by-one in multicast context address compression\n\nThe second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses\n&data[1] as destination and &ipaddr->s6_addr[11] as source, but\nboth should be offset by one: &data[2] and &ipaddr->s6_addr[12]\nrespectively.\n\nThis off-by-one has two consequences:\n1. data[1] is overwritten with s6_addr[11], corrupting the RIID\n   field in the compressed multicast address\n2. data[5] is never written, so uninitialized kernel stack memory\n   is transmitted over the network via lowpan_push_hc_data(),\n   leaking kernel stack contents\n\nThe correct inline data layout must match what the decompression\nfunction lowpan_uncompress_multicast_ctx_daddr() expects:\n  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)\n  data[2..5] = s6_addr[12..15] (group ID)\n\nAlso zero-initialize the data array as a defensive measure against\nsimilar bugs in the future."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/6lowpan/iphc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"f24a58c72a45f4c109f3557a760cc4b60b7a6037","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"da8cbb64b47e9066b40af0de170901caf17b768c","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"4485d79617520d84ba5a14515e2b5136007d6deb","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"06ce6fc106b16dec9b535950db626261be865e5b","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"c32f30ef5e66adbfa102348e2e8a23776eb007cb","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"da8808463882c3f3c357b072e25053c2121f1419","versionType":"git","status":"affected"},{"version":"5609c185f24dffca5f6a9c127106869da150be03","lessThan":"2a58899d11009bffc7b4b32a571858f381121837","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/6lowpan/iphc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-193"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.10.259","matchCriteriaId":"5600752B-5EBB-43C5-ACFC-8AD628C79467"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/06ce6fc106b16dec9b535950db626261be865e5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2a58899d11009bffc7b4b32a571858f381121837","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4485d79617520d84ba5a14515e2b5136007d6deb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c32f30ef5e66adbfa102348e2e8a23776eb007cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/da8808463882c3f3c357b072e25053c2121f1419","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/da8cbb64b47e9066b40af0de170901caf17b768c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f24a58c72a45f4c109f3557a760cc4b60b7a6037","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53264","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.400","lastModified":"2026-07-08T04:02:13.257","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() <-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() <-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index) <-- Action removed from IDR\n 1: mutex_unlock() <-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet's illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0\n 1: rcu_read_unlock() <-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0's subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/act_api.h","net/sched/act_api.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"98b2e40879abf0245be5a5b7af69e0f6ff524ac3","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"18af5d2ef0c4f65787fd1280c8b23286b9f2a835","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"1f1b98fea6b9ea30507d0f2fbff6750292d097e2","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"8b136f18ac4b2ace5aaad3305b3f8a5d8165a009","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"5dd51e09020c65aa53cf128e5e3517cd53b3c113","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"b60e9391142e983fab2be53497aa8f71fdd09cd5","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"91d105d2cbe002f9c7b43a6183adedc37e1da1f7","versionType":"git","status":"affected"},{"version":"d7fb60b9cafb982cb2e46a267646a8dfd4f2e5da","lessThan":"5057e1aca011e51ef51498c940ef96f3d3e8a305","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/act_api.h","net/sched/act_api.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.14","status":"affected"},{"version":"0","lessThan":"4.14","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.10.259","matchCriteriaId":"2CDA3B30-3B30-45B4-8931-6E0B99F68C44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53265","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.530","lastModified":"2026-07-08T04:02:08.980","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache policy smq: check allocation under invalidate lock\n\ncommit 2d1f7b65f5de (\"dm cache policy smq: fix missing locks in\ninvalidating cache blocks\") added mq->lock around the destructive part of\nsmq_invalidate_mapping(), but left the e->allocated check outside the\ncritical section.\n\nThat leaves a check-then-act race. Two concurrent invalidators can both\nobserve e->allocated as true before either of them takes mq->lock. The\nfirst invalidator that acquires the lock removes the entry from the\nqueues and hash table and then calls free_entry(), which clears\ne->allocated and puts the entry back on the free list. The second\ninvalidator can then acquire mq->lock and continue with the stale result\nof the unlocked check.\n\nThis can corrupt the SMQ queues or hash table by deleting an entry that\nis no longer on those structures. It can also hit the allocation check in\nfree_entry() when the same entry is freed again.\n\nMove the allocation check under mq->lock so the predicate and the\ndestructive operations are serialized by the same lock."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/md/dm-cache-policy-smq.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4991b5a08751e2e82488fb93ae08849b6aea10d9","lessThan":"c242c7af2aecf0b538b8623bdb86b8b441da38d9","versionType":"git","status":"affected"},{"version":"1b2bec4a7dcf5f00b7a1cbeeec8997841d783513","lessThan":"13da856c86fb8c2ccab95034fd77da1bb2c2a17c","versionType":"git","status":"affected"},{"version":"9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e","lessThan":"d886945fcb0f8c9dc6b39928d7a96c95c587346c","versionType":"git","status":"affected"},{"version":"ac5ee99443891bdb161f5539606a66a1b5e72542","lessThan":"b4892561552d671bd8c4da5ebb70e9fbb1ec446e","versionType":"git","status":"affected"},{"version":"93627a29d4b66d4a2def938dfb8610cc80ae454b","lessThan":"03ffe1112ed88bb3a9bd0b971549bf4d64bfc59a","versionType":"git","status":"affected"},{"version":"c348ae47d8e65f06429fa41adce9ad986b696766","lessThan":"42ff6774ecd9d7f70d599cb71ff64373a1da4948","versionType":"git","status":"affected"},{"version":"2b62d0611c9af14a16bddf22df2612b4f40eb5a1","lessThan":"c57570fba24016ec25ec046ab44db39143fb7a64","versionType":"git","status":"affected"},{"version":"2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45","lessThan":"d3f0a606b9f278ece8a0df626ded9c4044071235","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/md/dm-cache-policy-smq.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.10.258","lessThan":"5.10.259","versionType":"semver","status":"affected"},{"version":"5.15.209","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.175","lessThan":"6.1.176","versionType":"semver","status":"affected"},{"version":"6.6.141","lessThan":"6.6.143","versionType":"semver","status":"affected"},{"version":"6.12.91","lessThan":"6.12.94","versionType":"semver","status":"affected"},{"version":"6.18.33","lessThan":"6.18.36","versionType":"semver","status":"affected"},{"version":"7.0.10","lessThan":"7.0.13","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.141","versionEndExcluding":"6.6.143","matchCriteriaId":"4AFF4889-6272-45B8-83E6-40947CF7C045"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.91","versionEndExcluding":"6.12.94","matchCriteriaId":"EB3D103E-DB23-43C8-AF24-8F145E9C9E88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.33","versionEndExcluding":"6.18.36","matchCriteriaId":"C7D4EF57-A04D-41BB-B0BA-9049C50D800A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.10","versionEndExcluding":"7.0.13","matchCriteriaId":"F1B096A9-C4FA-4C91-BDD2-CBF0B2D0C3EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.10.258:*:*:*:*:*:*:*","matchCriteriaId":"E06CB1F8-0038-48C3-B07B-5AB49978945D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15.209:*:*:*:*:*:*:*","matchCriteriaId":"06EE5040-044C-46B4-B840-27D15DB507EC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1.175:*:*:*:*:*:*:*","matchCriteriaId":"999EB52F-155A-4FDB-900D-33D8421E7009"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03ffe1112ed88bb3a9bd0b971549bf4d64bfc59a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/13da856c86fb8c2ccab95034fd77da1bb2c2a17c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/42ff6774ecd9d7f70d599cb71ff64373a1da4948","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b4892561552d671bd8c4da5ebb70e9fbb1ec446e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c242c7af2aecf0b538b8623bdb86b8b441da38d9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c57570fba24016ec25ec046ab44db39143fb7a64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3f0a606b9f278ece8a0df626ded9c4044071235","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d886945fcb0f8c9dc6b39928d7a96c95c587346c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53266","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.643","lastModified":"2026-07-08T04:02:04.290","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: make ebt_snat ARP rewrite writable\n\nThe ebtables SNAT target keeps the Ethernet source address rewrite\nbehind skb_ensure_writable(skb, 0).  This is intentional: at the bridge\nebtables hooks the Ethernet header is addressed through\nskb_mac_header()/eth_hdr(), while skb->data points at the Ethernet\npayload.  Asking skb_ensure_writable() for ETH_HLEN bytes would check\nthe payload, not the Ethernet header, and would reintroduce the small\npacket regression fixed by commit 63137bc5882a.\n\nHowever, the optional ARP sender hardware address rewrite is different.\nIt writes through skb_store_bits() at an offset relative to skb->data:\n\n        skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)\n\nskb_header_pointer() only safely reads the ARP header; it does not make\nthe later sender hardware address range writable.  If that range is\nstill held in a nonlinear skb fragment backed by a splice-imported file\npage, skb_store_bits() maps the frag page and copies the new MAC address\ndirectly into it.\n\nEnsure the ARP SHA range is writable before reading the ARP header and\nbefore calling skb_store_bits()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/bridge/netfilter/ebt_snat.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"76280b78cc9f23bdc6438e10ad6dff148ef8375b","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"b7e91939ba9be805a62a257fa4e227dffbb88fa0","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"afd64b59c3de9bbbdd3759e834fdc55cda716e0b","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"153ea96c806aea395daba907a4f88480b6ad5093","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"b18675263db1147c8e1cab625400c13a0d87bd2d","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5","versionType":"git","status":"affected"},{"version":"63137bc5882a1882c553d389fdeeeace86ee1741","lessThan":"67ba971ae02514d85818fe0c32549ab4bfa3bf49","versionType":"git","status":"affected"},{"version":"2f3839075a5f8dcf116c1abe35b36b018ac62445","versionType":"git","status":"affected"},{"version":"51ba2945a8ef65ae437c8f9ba05f0343aa82ae5b","versionType":"git","status":"affected"},{"version":"b7d23c2c87584eb429f115c078ed511be8b18e29","versionType":"git","status":"affected"},{"version":"5.4.73","lessThan":"5.5","versionType":"semver","status":"affected"},{"version":"5.8.17","lessThan":"5.9","versionType":"semver","status":"affected"},{"version":"5.9.2","lessThan":"5.10","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/bridge/netfilter/ebt_snat.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.10","status":"affected"},{"version":"0","lessThan":"5.10","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.73","versionEndExcluding":"5.5","matchCriteriaId":"886AB560-B760-44F0-AD89-3F275E4C0F58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.17","versionEndExcluding":"5.9","matchCriteriaId":"BEFC3ACE-365D-48E7-9C0A-019C74CC0725"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9.2","versionEndExcluding":"5.10.259","matchCriteriaId":"992FFB71-217E-40A6-B8BD-5AA742898F28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/153ea96c806aea395daba907a4f88480b6ad5093","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/67ba971ae02514d85818fe0c32549ab4bfa3bf49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/76280b78cc9f23bdc6438e10ad6dff148ef8375b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/afd64b59c3de9bbbdd3759e834fdc55cda716e0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b18675263db1147c8e1cab625400c13a0d87bd2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b7e91939ba9be805a62a257fa4e227dffbb88fa0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bf84ad7c7a9ede46e31afaa41a1ba06a159e8c87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c9b5ff59feffb92a147a84a5aa28acd2cb8ff4c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53267","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.770","lastModified":"2026-07-08T04:01:59.457","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n    table ip t {\n        chain pre {\n            type filter hook prerouting priority raw;\n            ct zone set 1\n            ct original saddr 1.2.3.4 accept\n        }\n    }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple->{src,dst}.u3.all are\nwell-defined zero. priv->len is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nft_ct.c","net/netfilter/nft_ct_fast.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","lessThan":"af80f78ce984649e1698b841cd33f4fa505ad828","versionType":"git","status":"affected"},{"version":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","lessThan":"8470f676eadeab99132708acb1a85915664d6115","versionType":"git","status":"affected"},{"version":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","lessThan":"f071b0bf078146368d18e4eec386bf2ddc0ab7e0","versionType":"git","status":"affected"},{"version":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","lessThan":"2e154b5f53f1b0b490c7b8b02499f90feb86b1d5","versionType":"git","status":"affected"},{"version":"45d9bcda21f4c13be75e3571b0f0ef39e77934b5","lessThan":"3027ecbdb5fdf9200251c21d4818e4c447ef78e1","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nft_ct.c","net/netfilter/nft_ct_fast.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.1","status":"affected"},{"version":"0","lessThan":"4.1","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-674"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.6.143","matchCriteriaId":"E9D84BC7-DC4F-40EB-8A4E-6851C0D6A0C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53268","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:44.883","lastModified":"2026-07-08T04:01:54.120","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack_irc: fix possible out-of-bounds read\n\nWhen parsing fails after we've matched the command string we\nshould bail out instead of trying to match a different command.\n\nThis helper should be deprecated, given prevalence of TLS I doubt it has\nany relevance in 2026."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nf_conntrack_irc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"4cdda7f868f48e2f81579371584fdbdce37df2c8","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"8a1d6e40dedfe1068aee094d851bd69e289c9fd6","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"0afc802160af0df61ed374fdb97fb34cfe5cdf2f","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"7c34f91305292083253df6a9f6c8ede02d4ccaea","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"ddddd8271359961e403d11c90c9ba9fc38914f7e","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"9e5da2379f968a3ea5a6e38921ab6201576466dc","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"573810f61bcd6b6815e2ff53bbdd2b9c9d747176","versionType":"git","status":"affected"},{"version":"869f37d8e48f3911eb70f38a994feaa8f8380008","lessThan":"66eba0ffce3b7e11449946b4cbbef8ea36112f56","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nf_conntrack_irc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.20","status":"affected"},{"version":"0","lessThan":"2.6.20","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.20","versionEndExcluding":"5.10.259","matchCriteriaId":"03DC6215-FFBD-4E60-BBBC-37C4F9A1E6EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0afc802160af0df61ed374fdb97fb34cfe5cdf2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4cdda7f868f48e2f81579371584fdbdce37df2c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/573810f61bcd6b6815e2ff53bbdd2b9c9d747176","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/66eba0ffce3b7e11449946b4cbbef8ea36112f56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c34f91305292083253df6a9f6c8ede02d4ccaea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8a1d6e40dedfe1068aee094d851bd69e289c9fd6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9e5da2379f968a3ea5a6e38921ab6201576466dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ddddd8271359961e403d11c90c9ba9fc38914f7e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53269","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.007","lastModified":"2026-07-08T04:01:49.977","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: synproxy: add mutex to guard hook reference counting\n\nAs the synproxy infrastructure register netfilter hooks on-demand when a\nuser adds the first iptables target or nftables expression, if done\nconcurrently they can race each other.\n\nIntroduce a mutex to serialize the refcount control blocks access from\nboth frontends. While a per namespace mutex might be more efficient, it\nis not needed for target/expression like SYNPROXY."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nf_synproxy_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"0ec9ddc1bda261a2c57636c74c8b4e53000102c9","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"56ffbe3a08c01dcdb0d6adee9ce1e535bfb3b389","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"debc57b83d5b323df74bf010c8d50fe26ad2ed6b","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"0f8ba5e4c53d2e4a536aa68140beda9fe59b2f88","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"640441348258220e78daed40528b85b8afcedab6","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"aaf80701dc2f7a48fe543961e21f8ca3924d587c","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"fbf0591275f50eae5733c3d7a8cd6c1e79933ffa","versionType":"git","status":"affected"},{"version":"ad49d86e07a497e834cb06f2b151dccd75f8e148","lessThan":"2fcba19caaeb2a33017459d3430f057967bb91b6","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nf_synproxy_core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.259","matchCriteriaId":"A0CDBE95-7E68-415A-8D97-F1C9CD8DAAF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0ec9ddc1bda261a2c57636c74c8b4e53000102c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0f8ba5e4c53d2e4a536aa68140beda9fe59b2f88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2fcba19caaeb2a33017459d3430f057967bb91b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/56ffbe3a08c01dcdb0d6adee9ce1e535bfb3b389","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/640441348258220e78daed40528b85b8afcedab6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aaf80701dc2f7a48fe543961e21f8ca3924d587c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/debc57b83d5b323df74bf010c8d50fe26ad2ed6b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fbf0591275f50eae5733c3d7a8cd6c1e79933ffa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53270","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.123","lastModified":"2026-07-08T04:01:44.260","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: clear the svc scheduler ptr early on edit\n\nip_vs_edit_service() while unbinding the old scheduler clears\nthe svc->scheduler ptr after the scheduler module initiates\nRCU callbacks. This can cause packets to use the old\nscheduler at the time when svc->sched_data is already freed\nafter RCU grace period.\n\nFix it by clearing the ptr early in ip_vs_unbind_scheduler(),\nbefore the done_service method schedules any RCU callbacks.\n\nAlso, if the new scheduler fails to initialize when replacing\nthe old scheduler, try to restore the old scheduler while still\nreturning the error code."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/ip_vs.h","net/netfilter/ipvs/ip_vs_ctl.c","net/netfilter/ipvs/ip_vs_sched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"d10730a1f2caf08088e0db1b19b242f3e6fa5f06","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"e4feec3174036ba772006be74beee0efa09a9eb8","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"7d4f5004511757e3984901ffb412fcf858d80ed5","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"c6376b9b1b4d2bad638256b1b3588e073344ae69","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"14e4689c113b4c06af1069364ade24fdd7055f33","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"25918720ba97f974a4f8d433b5a0132c5b43f6f3","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03","versionType":"git","status":"affected"},{"version":"05f00505a89acd21f5d0d20f5797dfbc4cf85243","lessThan":"193989cc6d80dd8e0460fb3992e69fa03bf0ff9b","versionType":"git","status":"affected"},{"version":"c803fddd2a95a70873c68dbff42d4c59fd2e674e","versionType":"git","status":"affected"},{"version":"4ec8fb23158797affae7993c15beba080488482f","versionType":"git","status":"affected"},{"version":"3.18.23","lessThan":"3.19","versionType":"semver","status":"affected"},{"version":"4.1.11","lessThan":"4.2","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/ip_vs.h","net/netfilter/ipvs/ip_vs_ctl.c","net/netfilter/ipvs/ip_vs_sched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.23","versionEndExcluding":"3.19","matchCriteriaId":"DFEB996F-37AA-4FE9-9E1E-7158BD2B7CA9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.11","versionEndExcluding":"4.2","matchCriteriaId":"3CD6E092-00BA-470A-BD6E-9FF38E84DB99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.1","versionEndExcluding":"5.10.259","matchCriteriaId":"3B9B3AA9-A2A9-4ABB-81A1-0E8F0D3F770D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.210","matchCriteriaId":"5E938CDF-D1C4-43D0-98DC-9E11B6B55801"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.2:-:*:*:*:*:*:*","matchCriteriaId":"37D5F2FA-B7D0-4F9D-BC97-F450E5839C7B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.2:rc5:*:*:*:*:*:*","matchCriteriaId":"130E1C2A-45DE-4C16-8FFA-06E9C9F7F175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.2:rc6:*:*:*:*:*:*","matchCriteriaId":"78F0CC21-E28A-4B83-B65B-94AB9242F345"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.2:rc7:*:*:*:*:*:*","matchCriteriaId":"AED16DC6-6364-4B57-92A1-F14F347DADF7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.2:rc8:*:*:*:*:*:*","matchCriteriaId":"03A4BCF1-5A7D-4E74-948F-134F0E57D73B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14e4689c113b4c06af1069364ade24fdd7055f33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/193989cc6d80dd8e0460fb3992e69fa03bf0ff9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/25918720ba97f974a4f8d433b5a0132c5b43f6f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7d4f5004511757e3984901ffb412fcf858d80ed5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c6376b9b1b4d2bad638256b1b3588e073344ae69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d10730a1f2caf08088e0db1b19b242f3e6fa5f06","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e4feec3174036ba772006be74beee0efa09a9eb8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53271","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.247","lastModified":"2026-07-08T04:01:39.257","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers\n\nsmb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn\ninto a local with neither READ_ONCE() nor a NULL check.  Both run from\noplock_break() after opinfo_get_list() has dropped ci->m_lock, so a\nconcurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL\nunder ci->m_lock within that window.  ksmbd_conn_r_count_inc(conn) then\nwrites through NULL at offset 0xc4 -- a remotely triggerable oops.\n\nGuard both reads the way compare_guid_key() already does: read\nopinfo->conn with READ_ONCE() and return early if it is NULL, before\nallocating the work struct so nothing leaks.  A NULL conn means the\nclient is gone and the break is moot, so return 0; oplock_break() treats\nthat as success and runs the normal teardown."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/smb/server/oplock.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8df4bcdb0a4232192b2445256c39b787d58ef14d","lessThan":"945a86b21b40fb17183f5b27461baa6f03e2467f","versionType":"git","status":"affected"},{"version":"c8efcc786146a951091588e5fa7e3c754850cb3c","lessThan":"1ff58dcfcab434ebb51649da33774fbb8e1f7b67","versionType":"git","status":"affected"},{"version":"c8efcc786146a951091588e5fa7e3c754850cb3c","lessThan":"e735dbd489e3ea02be78dba991056fe1138be51e","versionType":"git","status":"affected"},{"version":"c8efcc786146a951091588e5fa7e3c754850cb3c","lessThan":"75e33deda658c1ab3a9336cbdb1436536f9b3660","versionType":"git","status":"affected"},{"version":"c8efcc786146a951091588e5fa7e3c754850cb3c","lessThan":"b003086d76968298f22e7cf62239833b5a3a06b1","versionType":"git","status":"affected"},{"version":"6.6.32","lessThan":"6.6.143","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/smb/server/oplock.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.9","status":"affected"},{"version":"0","lessThan":"6.9","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.32","versionEndExcluding":"6.6.143","matchCriteriaId":"4870AAED-882B-41F6-9339-0744EE085A78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.12.94","matchCriteriaId":"0FA23C34-76C0-4758-A17E-44FD25C1DEA5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1ff58dcfcab434ebb51649da33774fbb8e1f7b67","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/75e33deda658c1ab3a9336cbdb1436536f9b3660","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/945a86b21b40fb17183f5b27461baa6f03e2467f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b003086d76968298f22e7cf62239833b5a3a06b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e735dbd489e3ea02be78dba991056fe1138be51e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53272","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.353","lastModified":"2026-07-08T04:01:32.377","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix use-after-free on sbi->sync_decompress\n\nz_erofs_decompress_kickoff() can race with filesystem unmount, causing\na use-after-free on sbi->sync_decompress.\n\nWhen I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff()\nto queue z_erofs_decompressqueue_work() asynchronously. Then, after all\nfolios are unlocked, unmount workflow can proceed and sbi will be freed\nbefore accessing to sbi->sync_decompress.\n\nThread (unmount)        I/O completion        kworker\n                        queue_work\n                                              z_erofs_decompressqueue_work\n                                               (all folios are unlocked)\ncleanup_mnt\n ..\n erofs_kill_sb\n  erofs_sb_free\n   kfree(sbi)\n                        access sbi->sync_decompress  // UAF!!"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/erofs/zdata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"40452ffca3c1a0f2994e826f9fa213b107f1a2d4","lessThan":"86ab00cf81d44b675bb23db62b88fd76c8ac8cea","versionType":"git","status":"affected"},{"version":"40452ffca3c1a0f2994e826f9fa213b107f1a2d4","lessThan":"00bf6868df65fa95b3854996246d15759fdc7070","versionType":"git","status":"affected"},{"version":"40452ffca3c1a0f2994e826f9fa213b107f1a2d4","lessThan":"95caf60da33d87ed26c28993620f0d92487b0296","versionType":"git","status":"affected"},{"version":"40452ffca3c1a0f2994e826f9fa213b107f1a2d4","lessThan":"1aee05e814d292064bf5fa15733741040cdc48ba","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/erofs/zdata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.17","status":"affected"},{"version":"0","lessThan":"5.17","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.12.94","matchCriteriaId":"6C10860E-50CA-48B1-85F2-919CC87682E6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/00bf6868df65fa95b3854996246d15759fdc7070","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1aee05e814d292064bf5fa15733741040cdc48ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/86ab00cf81d44b675bb23db62b88fd76c8ac8cea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/95caf60da33d87ed26c28993620f0d92487b0296","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53273","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.447","lastModified":"2026-07-08T04:00:54.680","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: prevent use-after-free when the client exits before the supplicant\n\nCommit 70b0d6b0a199 (\"tee: optee: Fix supplicant wait loop\") made the\nclient wait as killable so it can be interrupted during shutdown or\nafter a supplicant crash. This changes the original lifetime expectations:\nthe client task can now terminate while the supplicant is still processing\nits request.\n\nIf the client exits first it removes the request from its queue and\nkfree()s it, while the request ID remains in supp->idr. A subsequent\nlookup on the supplicant path then dereferences freed memory, leading to\na use-after-free.\n\nSerialise access to the request with supp->mutex:\n\n  * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while\n    looking up and touching the request.\n  * Let optee_supp_thrd_req() notice that the client has terminated and\n    signal optee_supp_send() accordingly.\n\nWith these changes the request cannot be freed while the supplicant still\nhas a reference, eliminating the race."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/tee/optee/supp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"0180cf0373f84fff61b16f8c062553a13dd7cfca","lessThan":"416259cb5bffecaaae5f76539deb535a8c1b2c34","versionType":"git","status":"affected"},{"version":"c0a9a948159153be145f9471435695373904ee6d","lessThan":"724d0caffd4204b46f78efe22f18f8338031c6e1","versionType":"git","status":"affected"},{"version":"ec18520f5edc20a00c34a8c9fdd6507c355e880f","lessThan":"ae847ab29ded2d7cece4d5970f0edefa4137bf2f","versionType":"git","status":"affected"},{"version":"d61cc1a435e6894bfb0dd3370c6f765d2d12825d","lessThan":"9a0dc9279d0907b198f205a693aedf696b08145d","versionType":"git","status":"affected"},{"version":"fd9d2d6124c293e40797a080adf8a9c237efd8b8","lessThan":"d366a01475f927402c96a3fe78bfc06b924fc87d","versionType":"git","status":"affected"},{"version":"70b0d6b0a199c5a3ee6c72f5e61681ed6f759612","lessThan":"d5b57bb314d79e99bebb58a53588fa11dd4dbf69","versionType":"git","status":"affected"},{"version":"70b0d6b0a199c5a3ee6c72f5e61681ed6f759612","lessThan":"373152c94e57e9592b68c100e224fbd943cfd608","versionType":"git","status":"affected"},{"version":"70b0d6b0a199c5a3ee6c72f5e61681ed6f759612","lessThan":"387a926ee166814611acecb960207fe2f3c4fd3e","versionType":"git","status":"affected"},{"version":"3eb4911364c764572e9db4ab900a57689a54e8ce","versionType":"git","status":"affected"},{"version":"21234efe2a8474a6d2d01ea9573319de7858ce44","versionType":"git","status":"affected"},{"version":"5.10.235","lessThan":"5.10.259","versionType":"semver","status":"affected"},{"version":"5.15.179","lessThan":"5.15.210","versionType":"semver","status":"affected"},{"version":"6.1.130","lessThan":"6.1.176","versionType":"semver","status":"affected"},{"version":"6.6.80","lessThan":"6.6.143","versionType":"semver","status":"affected"},{"version":"6.12.17","lessThan":"6.12.94","versionType":"semver","status":"affected"},{"version":"5.4.291","lessThan":"5.5","versionType":"semver","status":"affected"},{"version":"6.13.5","lessThan":"6.14","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/tee/optee/supp.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","versionType":"semver","status":"unaffected"},{"version":"5.10.259","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.291","versionEndExcluding":"5.5","matchCriteriaId":"2082E874-B9D3-4B60-9D27-1F3B8A838CD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.235","versionEndExcluding":"5.10.259","matchCriteriaId":"3CB82F7B-CABF-48EC-AEED-4A5799F64E5F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.179","versionEndExcluding":"5.15.210","matchCriteriaId":"1AB30758-70C9-44E4-88BA-0072C600F320"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.130","versionEndExcluding":"6.1.176","matchCriteriaId":"3F92AF16-A081-4307-A9B5-D7CE5D8339CA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.80","versionEndExcluding":"6.6.143","matchCriteriaId":"2B64BC42-DE70-4C16-9F86-89BD4D1896B5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.17","versionEndExcluding":"6.12.94","matchCriteriaId":"AD0C6AD5-8A37-4C84-B002-659B13528ADF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.5","versionEndExcluding":"6.14","matchCriteriaId":"1B251FE1-91BD-4791-95BD-385EA9CC085B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.1","versionEndExcluding":"6.18.36","matchCriteriaId":"3F48CF32-9EE9-47F4-A2EB-57B861DFDB71"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*","matchCriteriaId":"7DE421BA-0600-4401-A175-73CAB6A6FB4E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*","matchCriteriaId":"D3D6550E-6679-4560-902D-AF52DCFE905B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*","matchCriteriaId":"45B90F6B-BEC7-4D4E-883A-9DBADE021750"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*","matchCriteriaId":"1759FFB7-531C-41B1-9AE1-FD3D80E0D920"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*","matchCriteriaId":"AD948719-8628-4421-A340-1066314BBD4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/373152c94e57e9592b68c100e224fbd943cfd608","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/387a926ee166814611acecb960207fe2f3c4fd3e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/416259cb5bffecaaae5f76539deb535a8c1b2c34","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/724d0caffd4204b46f78efe22f18f8338031c6e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a0dc9279d0907b198f205a693aedf696b08145d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ae847ab29ded2d7cece4d5970f0edefa4137bf2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d366a01475f927402c96a3fe78bfc06b924fc87d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d5b57bb314d79e99bebb58a53588fa11dd4dbf69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53274","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.577","lastModified":"2026-07-08T04:00:43.930","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS\n\nA logic flaw in __smc_setsockopt() allows a local unprivileged user to\ncause a Denial of Service (DoS) by holding the socket lock indefinitely.\n\nThe function __smc_setsockopt() calls copy_from_sockptr() while holding\nlock_sock(sk). By passing a userfaultfd-monitored memory page (or\nFUSE-backed memory on systems where unprivileged userfaultfd is disabled)\nas the optval, an attacker can halt execution during the copy operation,\nkeeping the lock held.\n\nCombined with asynchronous tear-down operations like shutdown(), this\nexhausts the kernel wq (kworkers) and triggers the hung task watchdog.\n\n[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.\n[  240.123489] Call Trace:\n[  240.123501]  smc_shutdown+...\n[  240.123512]  lock_sock_nested+...\n\nThis patch moves the user-space copy outside the lock_sock() critical\nsection to prevent the issue."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/smc/af_smc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"35a22117839602bb52283de08894c5a7dde92420","versionType":"git","status":"affected"},{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"5d27d2ffe487df89ce28fda0410eafa05dbe03a0","versionType":"git","status":"affected"},{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"89f6fbe0033c942cb790ffd53ca93a45eeaf1c91","versionType":"git","status":"affected"},{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"dcd90f42a33e4220385f27b515183d0c91b2fc4a","versionType":"git","status":"affected"},{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"94d286fa5eedc550d42bcb9c85416af8f77736ff","versionType":"git","status":"affected"},{"version":"a6a6fe27bab48f0d09a64b051e7bde432fcae081","lessThan":"a3fdd924d88c30b9f488636ce0e4696012cf5511","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/smc/af_smc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.176","matchCriteriaId":"E993847F-F6CD-4FFE-A341-8A32051D3681"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/35a22117839602bb52283de08894c5a7dde92420","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d27d2ffe487df89ce28fda0410eafa05dbe03a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/89f6fbe0033c942cb790ffd53ca93a45eeaf1c91","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/94d286fa5eedc550d42bcb9c85416af8f77736ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a3fdd924d88c30b9f488636ce0e4696012cf5511","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcd90f42a33e4220385f27b515183d0c91b2fc4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53275","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.687","lastModified":"2026-07-08T04:00:32.483","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Fix use-after-free when processing MLD queries\n\nWhen processing an MLD query, a pointer to the multicast group address\nis retrieved when initially parsing the packet. This pointer is later\ndereferenced without being reloaded despite the fact that the skb header\nmight have been reallocated following the pskb_may_pull() calls, leading\nto a use-after-free [1].\n\nFix by copying the multicast group address when the packet is initially\nparsed.\n\n[1]\nBUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)\nRead of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118\n\nWorkqueue: mld mld_query_work\nCall Trace:\n<TASK>\ndump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\nprint_report (mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:595)\n__mld_query_work (net/ipv6/mcast.c:1512)\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)\n</TASK>\n\n[...]\n\nFreed by task 118:\nkasan_save_stack (mm/kasan/common.c:57)\nkasan_save_track (mm/kasan/common.c:78)\nkasan_save_free_info (mm/kasan/generic.c:584)\n__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)\nkfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)\npskb_expand_head (net/core/skbuff.c:2335)\n__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))\n__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/ipv6/mcast.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"1354271c89d0e5fbf8b3d94097ff0216695209c7","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"53baa63a4183291574483f89583dbef13677a2c4","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"2a613bf497029d555a7428406aa8cdb84a503cea","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"b2eb8886200b907fc71806869620609f0f4cacb0","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"4203806f700bb44ea0b05d484d9d40044b47fb04","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"087dbacf897c020f438f780f0a4a8aa73b6d7c5a","versionType":"git","status":"affected"},{"version":"97300b5fdfe28c6edae926926f9467a27cf5889c","lessThan":"791c91dc7a9dfb2457d5e29b8216a6484b9c4b40","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/ipv6/mcast.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.15","status":"affected"},{"version":"0","lessThan":"2.6.15","versionType":"semver","status":"unaffected"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.36","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.15","versionEndExcluding":"5.15.210","matchCriteriaId":"54C46741-C002-4552-85A7-21134555854B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.176","matchCriteriaId":"C4446623-5F2B-4DD8-8666-9FAAC285A757"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.143","matchCriteriaId":"9062F1CD-CAD6-4EA2-A73F-C06D4A887B8C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.94","matchCriteriaId":"85421C0C-ABDE-4357-971C-67F9087DE1B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.36","matchCriteriaId":"389025D2-958D-41BD-BD96-70ED1033A9F3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/087dbacf897c020f438f780f0a4a8aa73b6d7c5a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1354271c89d0e5fbf8b3d94097ff0216695209c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2a613bf497029d555a7428406aa8cdb84a503cea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4203806f700bb44ea0b05d484d9d40044b47fb04","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/53baa63a4183291574483f89583dbef13677a2c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/791c91dc7a9dfb2457d5e29b8216a6484b9c4b40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b2eb8886200b907fc71806869620609f0f4cacb0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53276","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-25T09:16:45.807","lastModified":"2026-07-08T04:00:13.750","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix a use-after-free of the hci_conn pointer\n\nIn iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is\ndropped:\n\tbis = iso_pi(sk)->conn->hcon;\n\t/* Release the socket before lookups since that requires hci_dev_lock\n\t * which shall not be acquired while holding sock_lock for proper\n\t * ordering.\n\t */\n\trelease_sock(sk);\n\thci_dev_lock(bis->hdev);\n\nDuring the unlocked window, could a concurrent close() destroy the connection\nand free the bis structure, causing hci_dev_lock(bis->hdev) to access memory\nafter it is freed, fix this by using the hdev reference which was safely\nacquired via iso_conn_get_hdev()."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/bluetooth/iso.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"d3413703d5f8b7d1e6f514f9440ed5da1bc30796","lessThan":"d324b8aa20bd3c3394e3647dc22491d88f3f4e7a","versionType":"git","status":"affected"},{"version":"d3413703d5f8b7d1e6f514f9440ed5da1bc30796","lessThan":"f50331f2a1441ec49988832c3a95f2edacc47322","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/bluetooth/iso.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"7.0.13","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.13","matchCriteriaId":"6A64BF9F-3BCA-42FD-98CB-8F03474D2B1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:*","matchCriteriaId":"E5910A9D-F60A-409A-B486-FE66BFEBA9B9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc5:*:*:*:*:*:*","matchCriteriaId":"81DFF19E-9CF8-49C6-8C36-1E4038622933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc6:*:*:*:*:*:*","matchCriteriaId":"B0E8FC71-3952-444C-83E9-718DBBBEC615"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d324b8aa20bd3c3394e3647dc22491d88f3f4e7a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f50331f2a1441ec49988832c3a95f2edacc47322","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-13083","sourceIdentifier":"secalert@redhat.com","published":"2026-06-26T00:16:50.883","lastModified":"2026-07-08T03:59:11.393","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report."}],"affected":[{"source":"secalert@redhat.com","affectedData":[{"vendor":"Red Hat","product":"Pen Drive Powered by Red Hat Lightspeed","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"pen-drive/pen-drive-scanner-rhel9","cpes":["cpe:/a:redhat:pdrive_lightspeed:0"]},{"vendor":"Red Hat","product":"Pen Drive Powered by Red Hat Lightspeed","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"pen-drive/pen-drive-scanner-rhel9","cpes":["cpe:/a:redhat:pdrive_lightspeed:1"]}]}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":4.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-27T02:34:32.908658Z","id":"CVE-2026-13083","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:pen_drive:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.0-2","matchCriteriaId":"AD4BF7F7-36B7-4FD5-AC7E-482F0D813880"}]}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-13083","source":"secalert@redhat.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2491886","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-53278","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:19.277","lastModified":"2026-07-08T03:58:33.900","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm_mpam: Check whether the config array is allocated before destroying it\n\n__destroy_component_cfg() is called to free the configuration array.\nIt uses the embedded 'garbage' structure, which means the array has\nto be allocated.\n\nIf __destroy_component_cfg() is called from mpam_disable() before the\nconfiguration was ever allocated, then a NULL pointer is dereferenced.\n\nCheck for this case and return early if the configuration is not\nallocated.\n\n__destroy_component_cfg() also frees the mbwu_state as this is allocated\nby __allocate_component_cfg(). As the mbwu_state is allocated after\ncomp->cfg is set, and is also under mpam_list_lock, only the first\npointer needs checking."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/resctrl/mpam_devices.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3bd04fe7d807bbdcfe75b29ca82fae4e2d7dc524","lessThan":"8eb6dc76eeae5302c0d885906a0e469ef9630a59","versionType":"git","status":"affected"},{"version":"3bd04fe7d807bbdcfe75b29ca82fae4e2d7dc524","lessThan":"6ccbb613b42a1f1ba7bfd547a148f644a902a25c","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/resctrl/mpam_devices.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6ccbb613b42a1f1ba7bfd547a148f644a902a25c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8eb6dc76eeae5302c0d885906a0e469ef9630a59","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53279","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:19.383","lastModified":"2026-07-08T03:58:26.570","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500/oaktrail_lvds: fix hang on init failure\n\nThe LVDS init code looks up an I2C adapter using i2c_get_adapter() and\ntries to read the EDID before falling back to allocating and registering\nits own adapter.\n\nThe error handling does not separate these cases so on a late init\nfailure it will try to deregister and free also an adapter that had\npreviously been registered. Since i2c_get_adapter() takes another\nreference to the adapter, deregistration hangs indefinitely while\nwaiting for the reference to be released.\n\nFix this by only destroying adapters allocated during LVDS init on\nerrors."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/gma500/oaktrail_lvds.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"5fe9f505d8578852c30668567bc3ce52e776e8c7","versionType":"git","status":"affected"},{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"4e04b564c005c9900643c56656d751ad677889be","versionType":"git","status":"affected"},{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"7877f7e231a8bd5c817af1491276550a5e195cd7","versionType":"git","status":"affected"},{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"ab9256936b58eb178caddcf5b5b1638f079909d2","versionType":"git","status":"affected"},{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"f6fc44af3bbd5ab0fb6bdec6f47decca11b38425","versionType":"git","status":"affected"},{"version":"a57ebfc0b4da16a3f36bfebb158198aab3e340f8","lessThan":"657a091ab6d01d0091b77660c75cfed573c9a53e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/gma500/oaktrail_lvds.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1.175","matchCriteriaId":"58CA276A-38F2-4887-9AE9-787C2AF59753"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4e04b564c005c9900643c56656d751ad677889be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5fe9f505d8578852c30668567bc3ce52e776e8c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/657a091ab6d01d0091b77660c75cfed573c9a53e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7877f7e231a8bd5c817af1491276550a5e195cd7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ab9256936b58eb178caddcf5b5b1638f079909d2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f6fc44af3bbd5ab0fb6bdec6f47decca11b38425","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53280","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:19.500","lastModified":"2026-07-08T03:58:12.227","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()\n\nLocal sashiko review pointed it out that group->domain could be NULL when\na default domain fails to allocate during the first probe, which can crash\nat domain->ops->attach_dev dereference in __iommu_attach_device() invoked\nby pci_dev_reset_iommu_done().\n\npci_dev_reset_iommu_prepare() is fine as an old_domain pointer can be NULL.\n\nSkip the re-attach in pci_dev_reset_iommu_done() to fix the bug."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/iommu/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c279e83953d937470f8a6e69b69f62608714f13f","lessThan":"17194cd0dd236e732d116d50840d795ca50ef196","versionType":"git","status":"affected"},{"version":"c279e83953d937470f8a6e69b69f62608714f13f","lessThan":"d769711fcddd005f1e654b3bde547140917fe696","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/iommu/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"7.0","status":"affected"},{"version":"0","lessThan":"7.0","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.10","matchCriteriaId":"2108AD68-1941-4FEE-96A2-DA53D847EC08"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/17194cd0dd236e732d116d50840d795ca50ef196","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d769711fcddd005f1e654b3bde547140917fe696","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53282","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:20.063","lastModified":"2026-07-08T03:56:56.320","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Push kjump return address even for non-kjump kexec\n\nThe version of purgatory code shipped by kexec-tools attempts to look above\nthe top of its stack to find a return address for a kjump, even in a non-kjump\nkexec.\n\nAfter the commit in Fixes: the word above the stack might not be there,\nleading to a fault (which is at least now caught by my exception-handling code\nin kexec).\n\nThat commit fixed things for the actual kjump path, but no longer\n\"gratuitously\" pushes the unused return address to the stack in the non-kjump\npath. Put that *back* in the non-kjump path, to prevent purgatory from\ncrashing when trying to access it."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/x86/kernel/relocate_kernel_64.S"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2cacf7f23a024ab1fdc603ca6a4f4c8b2de9f64e","lessThan":"b0bd7a850e1f082560959707dbf57b0402071646","versionType":"git","status":"affected"},{"version":"2cacf7f23a024ab1fdc603ca6a4f4c8b2de9f64e","lessThan":"7dba9631faa2ee0785e8c2bf0e3d90a05f26dd8c","versionType":"git","status":"affected"},{"version":"2cacf7f23a024ab1fdc603ca6a4f4c8b2de9f64e","lessThan":"786a45757dcdf8f2beb9d4a6db605db16c18b2b4","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/x86/kernel/relocate_kernel_64.S"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.18.33","matchCriteriaId":"E72B69F1-A4CC-4157-A359-3CCD7EEC2ED3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/786a45757dcdf8f2beb9d4a6db605db16c18b2b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7dba9631faa2ee0785e8c2bf0e3d90a05f26dd8c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b0bd7a850e1f082560959707dbf57b0402071646","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53283","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:20.253","lastModified":"2026-07-08T03:56:46.757","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Bounds-check devid in __rlookup_amd_iommu()\n\niommu_device_register() walks every device on the PCI bus via\nbus_for_each_dev() and calls amd_iommu_probe_device() for each. The\ninlined check_device() path computes the device's sbdf, calls\nrlookup_amd_iommu() to find the owning IOMMU, and only afterwards\nverifies devid <= pci_seg->last_bdf. __rlookup_amd_iommu() indexes\nrlookup_table[devid] with no bounds check of its own, so for a PCI\ndevice whose BDF is not described by the IVRS, the lookup reads past\nthe end of the allocation before the caller's bounds check can run.\n\nThis was harmless before commit e874c666b15b (\"iommu/amd: Change\nrlookup, irq_lookup, and alias to use kvalloc()\"): the table was a\nzeroed page-order allocation, so the over-read returned NULL and the\ncaller's NULL check skipped the device. After that commit the table is\na tight kvcalloc() and the over-read returns adjacent slab contents,\nwhich check_device() then dereferences as a struct amd_iommu *,\ncausing a boot-time GPF.\n\nSeen on Google Compute Engine ct6e VMs, where the virtualized IVRS\ndescribes only the four TPU endpoints 00:04.0-07.0; the gVNIC at\n00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation,\ninto the adjacent kmalloc-512 slab object:\n\n  pci 0000:00:04.0: Adding to iommu group 0\n  pci 0000:00:05.0: Adding to iommu group 1\n  pci 0000:00:06.0: Adding to iommu group 2\n  pci 0000:00:07.0: Adding to iommu group 3\n  Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025\n  RIP: 0010:amd_iommu_probe_device+0x54/0x3a0\n  Call Trace:\n   __iommu_probe_device+0x107/0x520\n   probe_iommu_group+0x29/0x50\n   bus_for_each_dev+0x7e/0xe0\n   iommu_device_register+0xc9/0x240\n   iommu_go_to_state+0x9c0/0x1c60\n   amd_iommu_init+0x14/0x40\n   pci_iommu_init+0x16/0x60\n   do_one_initcall+0x47/0x2f0\n\nGuard the array access in __rlookup_amd_iommu(). With the fix applied\non 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"f0a0f01787ecece814414b0665df879b69849d09","versionType":"git","status":"affected"},{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"79db4cbab81f07ce69a93d379ebd40d3709ecfb2","versionType":"git","status":"affected"},{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"07d0f496fe7ec5abe3bee7e38be709521567bb33","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.33","matchCriteriaId":"ECF50DF4-D48C-47E4-A4EC-0D26E6955B6E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07d0f496fe7ec5abe3bee7e38be709521567bb33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/79db4cbab81f07ce69a93d379ebd40d3709ecfb2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f0a0f01787ecece814414b0665df879b69849d09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53284","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:20.790","lastModified":"2026-07-08T03:56:34.357","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: only release the dirty pages io tree after successful writes\n\n[WARNING]\nWith extra warning on dirty extent buffers at umount (aka, the next\npatch in the series), test case generic/388 can trigger the following\nwarning about dirty extent buffers at unmount time:\n\n  BTRFS critical (device dm-2 state E): emergency shutdown\n  BTRFS error (device dm-2 state E): error while writing out transaction: -30\n  BTRFS warning (device dm-2 state E): Skipping commit of aborted transaction.\n  BTRFS error (device dm-2 state EA): Transaction 9 aborted (error -30)\n  BTRFS: error (device dm-2 state EA) in cleanup_transaction:2068: errno=-30 Readonly filesystem\n  BTRFS info (device dm-2 state EA): forced readonly\n  BTRFS info (device dm-2 state EA): last unmount of filesystem 4fbf2e15-f941-49a0-bc7c-716315d2777c\n  ------------[ cut here ]------------\n  WARNING: disk-io.c:3311 at invalidate_and_check_btree_folios+0xfd/0x1ca [btrfs], CPU#8: umount/914368\n  CPU: 8 UID: 0 PID: 914368 Comm: umount Tainted: G           OE       7.1.0-rc1-custom+ #372 PREEMPT(full)  2de38db8d1deae71fde295430a0ff3ab98ccf596\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:invalidate_and_check_btree_folios+0xfd/0x1ca [btrfs]\n  Call Trace:\n   <TASK>\n   close_ctree+0x52e/0x574 [btrfs d2f0b1cd330d1287e7a9919d112eadfc0e914efd]\n   generic_shutdown_super+0x89/0x1a0\n   kill_anon_super+0x16/0x40\n   btrfs_kill_super+0x16/0x20 [btrfs d2f0b1cd330d1287e7a9919d112eadfc0e914efd]\n   deactivate_locked_super+0x2d/0xb0\n   cleanup_mnt+0xdc/0x140\n   task_work_run+0x5a/0xa0\n   exit_to_user_mode_loop+0x123/0x4b0\n   do_syscall_64+0x243/0x7c0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30539776 owner 9 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30621696 owner 257 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30638080 owner 258 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30654464 owner 7 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30703616 owner 2 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30720000 owner 10 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30736384 owner 4 gen 9 refs 2 flags 0x7\n  BTRFS warning (device dm-2 state EA): unable to release extent buffer 30752768 owner 11 gen 9 refs 2 flags 0x7\n\nI'm using a stripped down version, which seems to trigger the warning\nmore reliably:\n\n  _fsstress_pid=\"\"\n  workload()\n  {\n  \tdmesg -C\n  \tmkfs.btrfs -f -K $dev > /dev/null\n  \techo 1 > /sys/kernel/debug/clear_warn_once\n  \tmount $dev $mnt\n  \t$fsstress -w -n 1024 -p 4 -d $mnt &\n  \t_fsstress_pid=$!\n  \tsleep 0\n  \t$godown $mnt\n  \tpkill --echo -PIPE fsstress > /dev/null\n  \twait $_fsstress_pid\n  \tunset _fsstress_pid\n  \tumount $mnt\n\n  \tif dmesg | grep -q \"WARNING\"; then\n  \t\tfail\n  \tfi\n  }\n\n  for (( i = 0; i < $runtime; i++ )); do\n  \techo \"=== $i/$runtime ===\"\n  \tworkload\n  done\n\n[CAUSE]\nInside btrfs_write_and_wait_transaction(), we first try to write all\ndirty ebs, then wait for them to finish.\n\nAfter that we call btrfs_extent_io_tree_release() to free all\nextent states from dirty_pages io tree.\n\nHowever if we hit an error from btrfs_write_marked_extent(), then we\nstill call btrfs_extent_io_tree_release() to clear that dirty_pages io\ntree, which may contain dirty records that we haven't yet submitted.\n\nFurthermore, the later transaction cleanup path will utilize that\ndirty_pages io tree to properly cleanup those dirty ebs, but since it's\nalready empty, no dirty ebs are properly cleaned up, thus will later\ntrigger the warnings inside invalidate_btree_folios().\n---truncated---"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/btrfs/disk-io.c","fs/btrfs/transaction.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"663dfbb07774e0fe1049e8db3054a08500122f18","lessThan":"9ebb7eba1237dc198768b9c76506a79f924c82bb","versionType":"git","status":"affected"},{"version":"663dfbb07774e0fe1049e8db3054a08500122f18","lessThan":"df03d67dc63722845cb9fe59d815d1225b04fd54","versionType":"git","status":"affected"},{"version":"663dfbb07774e0fe1049e8db3054a08500122f18","lessThan":"4066c55e109475a06d18a1f127c939d551211956","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/btrfs/disk-io.c","fs/btrfs/transaction.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.18.33","matchCriteriaId":"68C45D26-19EE-4D81-80F6-F5A7FDAA20FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4066c55e109475a06d18a1f127c939d551211956","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9ebb7eba1237dc198768b9c76506a79f924c82bb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/df03d67dc63722845cb9fe59d815d1225b04fd54","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53285","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.157","lastModified":"2026-07-08T03:56:22.800","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED\n\n[Why]\ndcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with\nDC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(),\nwhich disables local softirqs.\n\nThe DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to\nallocate ~335 KiB for dc_plane_state. This triggers the vmalloc path,\nwhich calls BUG_ON(in_interrupt()) because it's invoked within the\nFPU-enabled (softirq disabled) region, leading to a kernel crash.\n\n[How]\nWrap the dc_state_create_phantom_plane() call with the\nDC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during\nthis memory allocation.\n\n(cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"235c67634230b0f9ad8c0185272fed36c892b1c4","lessThan":"30bb2ec6695d62f63db4aa6179c4626834ed0cd6","versionType":"git","status":"affected"},{"version":"235c67634230b0f9ad8c0185272fed36c892b1c4","lessThan":"183182235f6d53bac62c6c39014738a54a68dfa6","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"7.0.10","matchCriteriaId":"E194287C-F81A-4C26-98F2-6B65FE3A7283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/183182235f6d53bac62c6c39014738a54a68dfa6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/30bb2ec6695d62f63db4aa6179c4626834ed0cd6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53286","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.353","lastModified":"2026-07-08T03:56:04.073","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix double free and use-after-free in aux device error paths\n\nWhen auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or\nidpf_plug_core_aux_dev(), the err_aux_dev_add label calls\nauxiliary_device_uninit() and falls through to err_aux_dev_init.  The\nuninit call will trigger put_device(), which invokes the release\ncallback (idpf_vport_adev_release / idpf_core_adev_release) that frees\niadev.  The fall-through then reads adev->id from the freed iadev for\nida_free() and double-frees iadev with kfree().\n\nFree the IDA slot and clear the back-pointer before uninit, while adev\nis still valid, then return immediately.\n\nCommit 65637c3a1811 (\"idpf: fix UAF in RDMA core aux dev deinitialization\")\nfixed the same use-after-free in the matching unplug path in this file but\nmissed both probe error paths."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/intel/idpf/idpf_idc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"f4312e6bfa2a98e94dacc75f96f916b76bdf4259","lessThan":"722b91d5086a249318c9d0e2b36aeac80ba8c808","versionType":"git","status":"affected"},{"version":"f4312e6bfa2a98e94dacc75f96f916b76bdf4259","lessThan":"f319de7074e1728a9f9ff7134257360c694ec2b2","versionType":"git","status":"affected"},{"version":"f4312e6bfa2a98e94dacc75f96f916b76bdf4259","lessThan":"6c77b9510829a424d1b74409b7db9456e3522871","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/intel/idpf/idpf_idc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.18.33","matchCriteriaId":"4F0E1027-1081-4E2B-9D56-AF79BAFF146B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6c77b9510829a424d1b74409b7db9456e3522871","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/722b91d5086a249318c9d0e2b36aeac80ba8c808","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f319de7074e1728a9f9ff7134257360c694ec2b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53287","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.457","lastModified":"2026-07-08T03:54:54.707","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix incorrect inheritable capability in CAPSET records\n\n__audit_log_capset() records the effective capability set into the\ninheritable field due to a copy-paste error. Every CAPSET audit\nrecord therefore reports cap_pi (process inheritable) with the value\nof cap_effective instead of cap_inheritable.\n\nThis silently corrupts audit data used for compliance and forensic\nanalysis: an attacker who modifies inheritable capabilities to\nprepare for a privilege-escalating exec would have the change masked\nin the audit trail.\n\nThe bug has been present since the original introduction of CAPSET\naudit records in 2008."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["kernel/auditsc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"75bd76c9eb2de9afeca03dc5152ebca5fb8fc816","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"febb4bf373ac565d3fb8d1f429827bdd983be496","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"95de7bb4bf535a9288549d401ebde83cdcbf2792","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"151ee470edc3d7ed29fe72df678f8357d2ad8ced","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"0a065c51a225854768b772a0b733a44d77162582","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"e35f3550c5b4fab33103c18654c293cee9850b0a","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"d782e4d200cd9036ef353eeb29525bfbfd13a14e","versionType":"git","status":"affected"},{"version":"e68b75a027bb94066576139ee33676264f867b87","lessThan":"e4a640475e43f406fdfd56d370b1f34b0cbbc18d","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["kernel/auditsc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.258","matchCriteriaId":"CE62A641-B2AF-4077-9B44-DCE56A381D1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*","matchCriteriaId":"EC732D08-5F7B-46D9-B154-E60C7F4F0A97"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a065c51a225854768b772a0b733a44d77162582","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/151ee470edc3d7ed29fe72df678f8357d2ad8ced","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/75bd76c9eb2de9afeca03dc5152ebca5fb8fc816","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/95de7bb4bf535a9288549d401ebde83cdcbf2792","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d782e4d200cd9036ef353eeb29525bfbfd13a14e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e35f3550c5b4fab33103c18654c293cee9850b0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e4a640475e43f406fdfd56d370b1f34b0cbbc18d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/febb4bf373ac565d3fb8d1f429827bdd983be496","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53288","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.600","lastModified":"2026-07-08T03:54:34.127","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Reserve an extra page for early kernel mapping\n\nThe final part of [data, end) segment may overflow into the next page of\ninit_pg_end[1] which is the gap page before early_init_stack[2]:\n\n[1]\ncrash_arm64_v9.0.1> vtop ffffffed00601000\nVIRTUAL           PHYSICAL\nffffffed00601000  83401000\n\nPAGE DIRECTORY: ffffffecffd62000\n   PGD: ffffffecffd62da0 => 10000000833fb003\n   PMD: ffffff80033fb018 => 10000000833fe003\n   PTE: ffffff80033fe008 => 68000083401f03\n  PAGE: 83401000\n\n     PTE        PHYSICAL  FLAGS\n68000083401f03  83401000  (VALID|SHARED|AF|NG|PXN|UXN)\n\n      PAGE       PHYSICAL      MAPPING       INDEX CNT FLAGS\nfffffffec00d0040 83401000                0        0  1 4000 reserved\n\n[2]\nffffffed002c8000 (r) __pi__data\nffffffed0054e000 (d) __pi___bss_start\nffffffed005f5000 (b) __pi_init_pg_dir\nffffffed005fe000 (b) __pi_init_pg_end\nffffffed005ff000 (B) early_init_stack\nffffffed00608000 (b) __pi__end\n\nFor 4K pages, the early kernel mapping may use 2MB block entries but the\nkernel segments are only 64KB aligned. Segment boundaries that fall\nwithin a 2MB block therefore require a PTE table so that different\nattributes can be applied on either side of the boundary.\n\nKERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel\nVMAs registered by declare_kernel_vmas(). However, since commit\n5973a62efa34 (\"arm64: map [_text, _stext) virtual address range\nnon-executable+read-only\"), the early mapper also maps [_text, _stext)\nseparately from [_stext, _etext). This adds one more early-only split\nand can require one more page-table page than the existing\nEARLY_SEGMENT_EXTRA_PAGES allowance reserves.\n\nIncrease the 4K-page early mapping allowance by one page to cover that\nadditional split.\n\n[catalin.marinas@arm.com: rewrote part of the commit log]\n[catalin.marinas@arm.com: expanded the code comment]"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/arm64/include/asm/kernel-pgtable.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"fdd380a5950503a07aaaf74536a0c2f223475eb0","lessThan":"a4ff33053da0a34b14abb5c96dc5a48379e26fce","versionType":"git","status":"affected"},{"version":"5973a62efa34c80c9a4e5eac1fca6f6209b902af","lessThan":"dcb89deed40ba55ff7020061712fdabf098cc2cc","versionType":"git","status":"affected"},{"version":"5973a62efa34c80c9a4e5eac1fca6f6209b902af","lessThan":"9fe9e3acaa14921b0cf0d6cc2de5b562499bf721","versionType":"git","status":"affected"},{"version":"5973a62efa34c80c9a4e5eac1fca6f6209b902af","lessThan":"4d8e74ad4585672489da6145b3328d415f50db82","versionType":"git","status":"affected"},{"version":"88025faf2aa08c7468d68d8cb31a53b55aae6ee0","versionType":"git","status":"affected"},{"version":"6.12.54","lessThan":"6.12.91","versionType":"semver","status":"affected"},{"version":"6.17.4","lessThan":"6.18","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/arm64/include/asm/kernel-pgtable.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-674"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.54","versionEndExcluding":"6.12.91","matchCriteriaId":"BECAD95D-655A-4E27-8005-7A599FD0280A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.4","versionEndExcluding":"6.18.33","matchCriteriaId":"3B2D0531-24AE-45F8-BE6F-5DD45B339658"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4d8e74ad4585672489da6145b3328d415f50db82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9fe9e3acaa14921b0cf0d6cc2de5b562499bf721","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a4ff33053da0a34b14abb5c96dc5a48379e26fce","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcb89deed40ba55ff7020061712fdabf098cc2cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53289","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.720","lastModified":"2026-07-08T03:54:43.723","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_reset_all_vfs()\n\nice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().\nWhen the VSI rebuild fails (e.g. during NVM firmware update via\nnvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,\nleaving txq_map and rxq_map as NULL. The subsequent unconditional call\nto ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in\nice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].\n\nThe single-VF reset path in ice_reset_vf() already handles this\ncorrectly by checking the return value of ice_vf_reconfig_vsi() and\nskipping ice_vf_post_vsi_rebuild() on failure.\n\nApply the same pattern to ice_reset_all_vfs(): check the return value\nof ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and\nice_eswitch_attach_vf() on failure. The VF is left safely disabled\n(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can\nbe recovered via a VFLR triggered by a PCI reset of the VF\n(sysfs reset or driver rebind).\n\nNote that this patch does not prevent the VF VSI rebuild from failing\nduring NVM update — the underlying cause is firmware being in a\ntransitional state while the EMP reset is processed, which can cause\nAdmin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This\npatch only prevents the subsequent NULL pointer dereference that\ncrashes the kernel when the rebuild does fail.\n\n crash> bt\n     PID: 50795    TASK: ff34c9ee708dc680  CPU: 1    COMMAND: \"kworker/u512:5\"\n      #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee\n      #1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba\n      #2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540\n      #3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda\n      #4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997\n      #5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595\n      #6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2\n         [exception RIP: ice_ena_vf_q_mappings+0x79]\n         RIP: ffffffffc0a85b29  RSP: ff72159bcfe5bdc8  RFLAGS: 00010206\n         RAX: 00000000000f0000  RBX: ff34c9efc9c00000  RCX: 0000000000000000\n         RDX: 0000000000000000  RSI: 0000000000000010  RDI: ff34c9efc9c00000\n         RBP: ff34c9efc27d4828   R8: 0000000000000093   R9: 0000000000000040\n         R10: ff34c9efc27d4828  R11: 0000000000000040  R12: 0000000000100000\n         R13: 0000000000000010  R14:   R15:\n         ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n      #7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]\n      #8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]\n      #9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]\n     #10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4\n     #11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de\n     #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663\n     #13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9\n\n The panic occurs attempting to dereference the NULL pointer in RDX at\n ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).\n\n The faulting VSI is an allocated slab object but not fully initialized\n after a failed ice_vsi_rebuild():\n\n  crash> struct ice_vsi 0xff34c9efc27d4828\n    netdev = 0x0,\n    rx_rings = 0x0,\n    tx_rings = 0x0,\n    q_vectors = 0x0,\n    txq_map = 0x0,\n    rxq_map = 0x0,\n    alloc_txq = 0x10,\n    num_txq = 0x10,\n    alloc_rxq = 0x10,\n    num_rxq = 0x10,\n\n The nvmupdate64e process was performing NVM firmware update:\n\n  crash> bt 0xff34c9edd1a30000\n  PID: 49858    TASK: ff34c9edd1a30000  CPU: 1    COMMAND: \"nvmupdate64e\"\n   #0 [ff72159bcd617618] __schedule at ffffffffab5333f8\n   #4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]\n   #5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]\n   #6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]\n   #7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]\n   #8 \n---truncated---"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/intel/ice/ice_vf_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"acc76b97902757b63ba5136f787d107647236a19","versionType":"git","status":"affected"},{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"3ad2471e61e9f0c4d25046d08e3d747501c3b0dd","versionType":"git","status":"affected"},{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"4c2ac52eeeb672624b06c7a135301d7b8a21d52e","versionType":"git","status":"affected"},{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"1e9185b13ce57b86844447e092e58abb3be849b1","versionType":"git","status":"affected"},{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"429024f3a407e4137aee825c2a6be0aba857937d","versionType":"git","status":"affected"},{"version":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","lessThan":"54ef02487914c24170c7e1c061e45212dc55365e","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/intel/ice/ice_vf_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.1.175","matchCriteriaId":"3443B74A-1DE6-4267-BC25-4A127F9276DB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1e9185b13ce57b86844447e092e58abb3be849b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3ad2471e61e9f0c4d25046d08e3d747501c3b0dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/429024f3a407e4137aee825c2a6be0aba857937d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4c2ac52eeeb672624b06c7a135301d7b8a21d52e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/54ef02487914c24170c7e1c061e45212dc55365e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/acc76b97902757b63ba5136f787d107647236a19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53290","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.870","lastModified":"2026-07-08T03:54:22.773","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/eustall: Fix drm_dev_put called before stream disable in close\n\nIn xe_eu_stall_stream_close(), drm_dev_put() is called before the\nstream is disabled and its resources are freed. If this drops the\nlast reference, the device structures could be freed while the\nsubsequent cleanup code still accesses them, leading to a\nuse-after-free.\n\nFix this by moving drm_dev_put() after all device accesses are\ncomplete. This matches the ordering in xe_oa_release().\n\n(cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/xe/xe_eu_stall.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"9a0b11d4cf3b4324378c322b7043962e648681ed","lessThan":"bebce43f34b5feb8a760aa832eba81e0f8a38871","versionType":"git","status":"affected"},{"version":"9a0b11d4cf3b4324378c322b7043962e648681ed","lessThan":"84f2bfbe6e38f8b9815ca00826e53b7f51420402","versionType":"git","status":"affected"},{"version":"9a0b11d4cf3b4324378c322b7043962e648681ed","lessThan":"dc2d9842c67d883d3200ae33b9c3859dd9492408","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/xe/xe_eu_stall.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.18.33","matchCriteriaId":"986D4552-0ECA-40C4-9708-6D088AC7A485"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/84f2bfbe6e38f8b9815ca00826e53b7f51420402","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bebce43f34b5feb8a760aa832eba81e0f8a38871","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc2d9842c67d883d3200ae33b9c3859dd9492408","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53291","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:21.967","lastModified":"2026-07-08T03:53:39.047","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/conexant: Fix missing error check for jack detection\n\nIn cx_probe(), the return value of snd_hda_jack_detect_enable_callback()\nis ignored. This function returns a pointer, and if it fails (e.g., due\nto memory allocation failure), it returns an error pointer which must\nbe checked using IS_ERR().\n\nIf the registration fails, the driver continues to probe, but the jack\ndetection callback will not be registered. This can lead to a kernel\ncrash later when the driver attempts to handle jack events or accesses\nthe uninitialized structure.\n\nCheck the return value using IS_ERR() and propagate the error via\nPTR_ERR() to the probe caller."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["sound/hda/codecs/conexant.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"f13b8cb5a6920ad98b751d3134686f29810577d4","lessThan":"49c2c5924552e1d2f8b635dee663abebbb7cf63b","versionType":"git","status":"affected"},{"version":"2cb659ef0ac744545499e7c37665b276d9e405da","lessThan":"a2a33e87a2ffce3046c574d24eec4390c27c9365","versionType":"git","status":"affected"},{"version":"24d748413cc4e1d97074bae1f335d32d30912f10","lessThan":"d68f753d89f4ef6e410d7e8b7e8ab2fdde921b80","versionType":"git","status":"affected"},{"version":"7aeb259086487417f0fecf66e325bee133e8813a","lessThan":"dd110cc00cf854a8ecd8d003127a4178c28574ea","versionType":"git","status":"affected"},{"version":"7aeb259086487417f0fecf66e325bee133e8813a","lessThan":"f837c7b85143a7c54140ff41ad5c076b73cd9933","versionType":"git","status":"affected"},{"version":"7aeb259086487417f0fecf66e325bee133e8813a","lessThan":"1da5c73f3793b224696617a2a21def7500ba18d6","versionType":"git","status":"affected"},{"version":"7aeb259086487417f0fecf66e325bee133e8813a","lessThan":"b0e2333a231107adedd38c6fcfe1adc6162716fc","versionType":"git","status":"affected"},{"version":"4a28302b2c681e3cf85e3b41231fff363c4c6a0e","versionType":"git","status":"affected"},{"version":"5.15.149","lessThan":"5.15.209","versionType":"semver","status":"affected"},{"version":"6.1.77","lessThan":"6.1.175","versionType":"semver","status":"affected"},{"version":"6.6.16","lessThan":"6.6.141","versionType":"semver","status":"affected"},{"version":"6.7.4","lessThan":"6.8","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["sound/hda/codecs/conexant.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.149","versionEndExcluding":"5.15.209","matchCriteriaId":"286247A3-F36D-4F29-8F03-F953D17E8728"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.77","versionEndExcluding":"6.1.175","matchCriteriaId":"05C9D64C-6DC2-42EC-BBEB-1E22FB100C86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.16","versionEndExcluding":"6.6.141","matchCriteriaId":"E5A7ADC0-9D31-41EE-8D60-AFF2D12C1D3D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.4","versionEndExcluding":"6.12.91","matchCriteriaId":"F3406767-E329-4EA5-941A-2EA0D58FD04C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1da5c73f3793b224696617a2a21def7500ba18d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/49c2c5924552e1d2f8b635dee663abebbb7cf63b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a2a33e87a2ffce3046c574d24eec4390c27c9365","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b0e2333a231107adedd38c6fcfe1adc6162716fc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d68f753d89f4ef6e410d7e8b7e8ab2fdde921b80","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dd110cc00cf854a8ecd8d003127a4178c28574ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f837c7b85143a7c54140ff41ad5c076b73cd9933","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53292","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.090","lastModified":"2026-07-08T03:53:29.763","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind\n\nsyzbot reported a kernel BUG triggered from pn_socket_sendmsg() via\npn_socket_autobind():\n\n  kernel BUG at net/phonet/socket.c:213!\n  RIP: 0010:pn_socket_autobind net/phonet/socket.c:213 [inline]\n  RIP: 0010:pn_socket_sendmsg+0x240/0x250 net/phonet/socket.c:421\n  Call Trace:\n   sock_sendmsg_nosec+0x112/0x150 net/socket.c:797\n   __sock_sendmsg net/socket.c:812 [inline]\n   __sys_sendto+0x402/0x590 net/socket.c:2280\n   ...\n\npn_socket_autobind() calls pn_socket_bind() with port 0 and, on\n-EINVAL, assumes the socket was already bound and asserts that the\nport is non-zero:\n\n  err = pn_socket_bind(sock, ..., sizeof(struct sockaddr_pn));\n  if (err != -EINVAL)\n          return err;\n  BUG_ON(!pn_port(pn_sk(sock->sk)->sobject));\n  return 0; /* socket was already bound */\n\nHowever pn_socket_bind() also returns -EINVAL when sk->sk_state is not\nTCP_CLOSE, even when the socket has never been bound and pn_port() is\nstill 0.  In that case the BUG_ON() fires and panics the kernel from a\nuser-triggerable path.\n\nTreat the \"bind returned -EINVAL but pn_port() is still 0\" case as a\nregular error and propagate -EINVAL to the caller instead of crashing.\nExisting callers already translate a non-zero return from\npn_socket_autobind() into -ENOBUFS/-EAGAIN, so returning -EINVAL here\nonly changes behaviour from panic to a normal errno."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/phonet/socket.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ba113a94b7503ee23ffe819e7045134b0c1d31de","lessThan":"6db58ee730bf434d1afca91b91826e26688856ed","versionType":"git","status":"affected"},{"version":"ba113a94b7503ee23ffe819e7045134b0c1d31de","lessThan":"5b0c911bcdbd982f7748d11c0b39ec5808eae2de","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/phonet/socket.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.28","status":"affected"},{"version":"0","lessThan":"2.6.28","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"7.0.10","matchCriteriaId":"6A5E1EB0-126A-446F-8A99-DF25FE9D5FF2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5b0c911bcdbd982f7748d11c0b39ec5808eae2de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6db58ee730bf434d1afca91b91826e26688856ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53293","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.190","lastModified":"2026-07-08T03:53:12.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG\n\nThere were multiple issues in that code.\n\nFirst of all the order between the reset semaphore and the mm_lock was\nwrong (e.g. copy_to_user) was called while holding the lock.\n\nThen we allocated memory while holding the reset semaphore which is also\na pretty big bug and can deadlock.\n\nThen we used down_read_trylock() instead of waiting for the reset to\nfinish.\n\n(cherry picked from commit 361b6e6b303d4b691f6c5974d3eaab67ca6dd90e)"}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8361e3f7882876d98ba98cae0d3149450dd80912","lessThan":"8c4254c8f5836e77ae83e7fc037f02b69f7a0977","versionType":"git","status":"affected"},{"version":"9e823f307074c0f82b5f6044943b0086e3079bed","lessThan":"61957c2e467b39b528a290016367d32a433fa846","versionType":"git","status":"affected"},{"version":"9e823f307074c0f82b5f6044943b0086e3079bed","lessThan":"a31c3feb54b15a90232e497ad0e27e8a82052d8d","versionType":"git","status":"affected"},{"version":"9e823f307074c0f82b5f6044943b0086e3079bed","lessThan":"5c29d20470d4566d1b68df57097d642d01f8b427","versionType":"git","status":"affected"},{"version":"9e823f307074c0f82b5f6044943b0086e3079bed","lessThan":"0ef196a208385b7d7da79f411c161b04e97283e2","versionType":"git","status":"affected"},{"version":"17a98c942cb106ec08564e8f43b5470a4dd5d3f6","versionType":"git","status":"affected"},{"version":"9a98563345697bdb1d3410ff428473b2e781f4db","versionType":"git","status":"affected"},{"version":"6.6.55","lessThan":"6.6.141","versionType":"semver","status":"affected"},{"version":"6.10.14","lessThan":"6.11","versionType":"semver","status":"affected"},{"version":"6.11.3","lessThan":"6.12","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.55","versionEndExcluding":"6.6.141","matchCriteriaId":"A3646203-766C-4AA4-9AF0-C2F767E8ADC4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.14","versionEndExcluding":"6.11","matchCriteriaId":"41AB04F0-1096-4B39-8148-796AB65AA193"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.3","versionEndExcluding":"6.12.91","matchCriteriaId":"4CE2E5D2-EC60-4E49-A798-25CE40EDDAD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0ef196a208385b7d7da79f411c161b04e97283e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5c29d20470d4566d1b68df57097d642d01f8b427","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/61957c2e467b39b528a290016367d32a433fa846","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8c4254c8f5836e77ae83e7fc037f02b69f7a0977","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a31c3feb54b15a90232e497ad0e27e8a82052d8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53294","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.310","lastModified":"2026-07-08T03:53:18.990","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mailbox-test: don't free the reused channel\n\nThe RX channel can be aliased to the TX channel if it has a different\nMMIO. This special case needs to be handled when freeing the channels\notherwise a double-free occurs."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/mailbox/mailbox-test.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"fc0089f82c3e36060c2c79156bc2018bfb16b56b","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"5d4f3d0f64f1016cb78b400a70b67df91fac99b5","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"c494a11da45ad7ec9b0ff216c3e3ace351193bb6","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"3afca89fae501dbd7421e1777b5b8f033b1d98d0","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"5c209299b0113e289e238fa5f2e8f00c59f76060","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"82f6dcea46cf5de65c4ba7283f7c7b34de4a324d","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"240c71a2aea36a1a4210f911a1c32ea88777e8e4","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"88ebadbf0deefdaccdab868b44ff70a0a257f473","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/mailbox/mailbox-test.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.4","status":"affected"},{"version":"0","lessThan":"4.4","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"5.10.258","matchCriteriaId":"D6C1561F-0BF1-42DA-A577-60FF03568245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/240c71a2aea36a1a4210f911a1c32ea88777e8e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3afca89fae501dbd7421e1777b5b8f033b1d98d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5c209299b0113e289e238fa5f2e8f00c59f76060","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d4f3d0f64f1016cb78b400a70b67df91fac99b5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82f6dcea46cf5de65c4ba7283f7c7b34de4a324d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/88ebadbf0deefdaccdab868b44ff70a0a257f473","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c494a11da45ad7ec9b0ff216c3e3ace351193bb6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fc0089f82c3e36060c2c79156bc2018bfb16b56b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53295","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.427","lastModified":"2026-07-08T03:53:05.573","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: add sanity check for channel array\n\nFail gracefully if there is no channel array attached to the mailbox\ncontroller. Otherwise the later dereference will cause an OOPS which\nmight not be seen because mailbox controllers might instantiate very\nearly. Remove the comment explaining the obvious while here."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/mailbox/mailbox.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"5cc3300fab262b26c28bc2fc06df693410c3840b","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"0f11444271110d9b5bc6316a153c6431abda899c","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"d44872a569b8fbacde457ff2587a775e5004bb79","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"14aed0d4e58389cc6a88acf8610b12d3e476272b","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"6362c4a7d7e21e68cd9aa04df7cde16befba3a4b","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"9dd7489943324298bb0f385495795a82f1dd6507","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"37792091ab28ba030fd8d61184c47d4d51294170","versionType":"git","status":"affected"},{"version":"2b6d83e2b8b7de82331a6a1dcd64b51020a6031c","lessThan":"c1aad75595fb67edc7fda8af249d3b886efa1be9","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/mailbox/mailbox.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"3.18","status":"affected"},{"version":"0","lessThan":"3.18","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.1","versionEndExcluding":"5.10.258","matchCriteriaId":"D36936DE-7EC9-4AB7-91F8-90295F05E2EB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*","matchCriteriaId":"2C941823-DB24-432E-8F78-90665662756A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc2:*:*:*:*:*:*","matchCriteriaId":"E909F0A0-2398-4420-AA63-605C42F5CADF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc3:*:*:*:*:*:*","matchCriteriaId":"77E4C479-2D2C-4009-8D71-18AF50454D7B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc4:*:*:*:*:*:*","matchCriteriaId":"C5AE67DB-5E94-4439-98E9-761ACCC48A4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc5:*:*:*:*:*:*","matchCriteriaId":"777DE673-1457-420F-AAAF-9B1E3AC79328"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc6:*:*:*:*:*:*","matchCriteriaId":"222D33AD-EC2D-4813-83C2-B904534BFCFE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc7:*:*:*:*:*:*","matchCriteriaId":"A5F9AEA5-34CE-4ED3-9821-6C7435CE3320"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f11444271110d9b5bc6316a153c6431abda899c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/14aed0d4e58389cc6a88acf8610b12d3e476272b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/37792091ab28ba030fd8d61184c47d4d51294170","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5cc3300fab262b26c28bc2fc06df693410c3840b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6362c4a7d7e21e68cd9aa04df7cde16befba3a4b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9dd7489943324298bb0f385495795a82f1dd6507","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c1aad75595fb67edc7fda8af249d3b886efa1be9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d44872a569b8fbacde457ff2587a775e5004bb79","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53296","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.557","lastModified":"2026-07-08T03:52:56.463","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mailbox-test: free channels on probe error\n\nOn probe error, free the previously obtained channels. This not only\nprevents a leak, but also UAF scenarios because the client structure\nwill be removed nonetheless because it was allocated with devm."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/mailbox/mailbox-test.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"0ad8c4a03a358de7811ba1ab8cbd1fe76ad0ff6b","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"15c4cc3850cfe1b973eb7b63c02314b267f06a64","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"187069ccc3474516af32350e20d7e449160fa6de","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"81c9e7e4030e71391ab479c4c6e17b64802577aa","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"6c6ce2ccb4fcf1617fec83f91b21aa0265f30701","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"742001919653e7313b4e91780c5d108be1692365","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"02beb178e2e159daeb8f992d7abb16a37da31664","versionType":"git","status":"affected"},{"version":"8ea4484d0c2bb4e2152261943fa1a3522654b1c7","lessThan":"c02053a9055d5fdfd32432287cca8958db1d5bc5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/mailbox/mailbox-test.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.4","status":"affected"},{"version":"0","lessThan":"4.4","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"5.10.258","matchCriteriaId":"D6C1561F-0BF1-42DA-A577-60FF03568245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.141","matchCriteriaId":"97A9FFFA-22BB-4D5C-9790-5A2286E392F7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.91","matchCriteriaId":"C918746B-DE6F-448F-A93E-A04C5481688D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/02beb178e2e159daeb8f992d7abb16a37da31664","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0ad8c4a03a358de7811ba1ab8cbd1fe76ad0ff6b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/15c4cc3850cfe1b973eb7b63c02314b267f06a64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/187069ccc3474516af32350e20d7e449160fa6de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c6ce2ccb4fcf1617fec83f91b21aa0265f30701","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/742001919653e7313b4e91780c5d108be1692365","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/81c9e7e4030e71391ab479c4c6e17b64802577aa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c02053a9055d5fdfd32432287cca8958db1d5bc5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53297","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:22.900","lastModified":"2026-07-08T03:52:48.450","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Guard mana_remove against double invocation\n\nIf PM resume fails (e.g., mana_attach() returns an error), mana_probe()\ncalls mana_remove(), which tears down the device and sets\ngd->gdma_context = NULL and gd->driver_data = NULL.\n\nHowever, a failed resume callback does not automatically unbind the\ndriver. When the device is eventually unbound, mana_remove() is invoked\na second time. Without a NULL check, it dereferences gc->dev with\ngc == NULL, causing a kernel panic.\n\nAdd an early return if gdma_context or driver_data is NULL so the second\ninvocation is harmless. Move the dev = gc->dev assignment after the\nguard so it cannot dereference NULL."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/microsoft/mana/mana_en.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"635096a86edb067d55a1e04b4a918f5c6dac0c51","lessThan":"a1ddfd2c0b7a48e5239fadd2a24cc4bc2cda90e6","versionType":"git","status":"affected"},{"version":"635096a86edb067d55a1e04b4a918f5c6dac0c51","lessThan":"bbe5c3c570645a4ceb120979d3ee203a1583d775","versionType":"git","status":"affected"},{"version":"635096a86edb067d55a1e04b4a918f5c6dac0c51","lessThan":"50271d7ec95144d26808025b508f463780517d3c","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/microsoft/mana/mana_en.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.16","status":"affected"},{"version":"0","lessThan":"5.16","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.18.33","matchCriteriaId":"5F007609-E647-45D7-9570-2ADD4F3A2C07"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/50271d7ec95144d26808025b508f463780517d3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a1ddfd2c0b7a48e5239fadd2a24cc4bc2cda90e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bbe5c3c570645a4ceb120979d3ee203a1583d775","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53298","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:23.003","lastModified":"2026-07-08T03:39:49.683","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()\n\nIf queue entry or DMA descriptor list allocation fails in\nairoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a\nNULL pointer dereference running netif_napi_del() for RX queue NAPIs\nsince netif_napi_add() has never been executed to this particular RX NAPI.\nThe issue is due to the early ndesc initialization in\nairoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc\nvalue to check if the queue is properly initialized. Fix the issue moving\nndesc initialization at end of airoha_qdma_init_tx routine.\nMove page_pool allocation after descriptor list allocation in order to\navoid memory leaks if desc allocation fails."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/airoha/airoha_eth.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"23020f04932701d5c8363e60756f12b43b8ed752","lessThan":"d36be272adda7f313e39dd118086955d993bf6a7","versionType":"git","status":"affected"},{"version":"23020f04932701d5c8363e60756f12b43b8ed752","lessThan":"4d4acfa348a1d8c0941004823662ede0fdb5dea5","versionType":"git","status":"affected"},{"version":"23020f04932701d5c8363e60756f12b43b8ed752","lessThan":"14dc48e5ba73d5c69559bf1a1a6884f7843aade7","versionType":"git","status":"affected"},{"version":"23020f04932701d5c8363e60756f12b43b8ed752","lessThan":"379050947a1828826ad7ea50c95245a56929b35a","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/airoha/airoha_eth.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12.91","matchCriteriaId":"88847604-FD87-4DC8-8370-F07E77FD74A2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.33","matchCriteriaId":"96D99E49-380D-43AB-BDBA-25C3AD018A9C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14dc48e5ba73d5c69559bf1a1a6884f7843aade7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/379050947a1828826ad7ea50c95245a56929b35a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d4acfa348a1d8c0941004823662ede0fdb5dea5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d36be272adda7f313e39dd118086955d993bf6a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53299","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:23.110","lastModified":"2026-07-08T03:39:12.120","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()\n\nIf queue entry list allocation fails in airoha_qdma_init_tx_queue routine,\nairoha_qdma_cleanup_tx_queue() will trigger a NULL pointer dereference\naccessing the queue entry array. The issue is due to the early ndesc\ninitialization in airoha_qdma_init_tx_queue(). Fix the issue moving ndesc\ninitialization at end of airoha_qdma_init_tx routine."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/airoha/airoha_eth.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"ad02cb61c52cae5afa3e2de6adbb49ad884c26e9","lessThan":"90619fdedfb9cc8a80f217d882ee7a84d3703e72","versionType":"git","status":"affected"},{"version":"3f47e67dff1f7266e112c50313d63824f6f17102","lessThan":"ece31f9dae0c3cd3277e66667e7b8ab2577cf34a","versionType":"git","status":"affected"},{"version":"3f47e67dff1f7266e112c50313d63824f6f17102","lessThan":"f329924bb49458c65297f1361f545816a5b90998","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/airoha/airoha_eth.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/90619fdedfb9cc8a80f217d882ee7a84d3703e72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ece31f9dae0c3cd3277e66667e7b8ab2577cf34a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f329924bb49458c65297f1361f545816a5b90998","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-53300","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-26T20:17:23.200","lastModified":"2026-07-08T03:38:42.627","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix NTMP DMA use-after-free issue\n\nThe AI-generated review reported a potential DMA use-after-free issue\n[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending\ncommand is not explicitly aborted, while ntmp_free_data_mem()\nunconditionally frees the DMA buffer. If the buffer has already been\nreallocated elsewhere, this may lead to silent memory corruption. Because\nthe hardware eventually processes the pending command and perform a DMA\nwrite of the response to the physical address of the freed buffer.\n\nTo resolve this issue, this patch does the following modifications:\n\n1. Convert cbdr->ring_lock from a spinlock to a mutex\n\nThe lock was originally a spinlock in case NTMP operations might be\ninvoked from atomic context. After downstream support for all NTMP\ntables, no such usage has materialized. A mutex lock is now required\nbecause the driver now needs to reclaim used BDs and release associated\nDMA memory within the lock's context, while dma_free_coherent() might\nsleep.\n\n2. Introduce software command BD (struct netc_swcbd)\n\nThe hardware write-back overwrites the addr and len fields of the BD,\nso the driver cannot rely on the hardware BD to free the associated DMA\nmemory. The driver now maintains a software shadow BD storing the DMA\nbuffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only\nreclaims older BDs when the number of used BDs reaches\nNETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory\nrelease. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no\nlonger needed and are removed.\n\n3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()\n\nnetc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes\nconsuming the response. At this point, if a concurrent thread submits\na new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer\nwhile it is still in use. Move ring_lock ownership to the caller to\nensure the response buffer cannot be reclaimed prematurely. So the\nhelpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.\n\nThese changes eliminate the DMA use-after-free condition and ensure safe\nand consistent BD reclamation and DMA buffer lifecycle management."}],"affected":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","affectedData":[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/net/ethernet/freescale/enetc/ntmp.c","drivers/net/ethernet/freescale/enetc/ntmp_private.h","include/linux/fsl/ntmp.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","lessThan":"37c8933064be714ee672b0a0523c2fd045b73b3d","versionType":"git","status":"affected"},{"version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","lessThan":"655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","versionType":"git","status":"affected"},{"version":"4701073c3debd16d7f534f3eb808bd9b50601c0c","lessThan":"3cade698881eb238f88cbbfec82acc2110440a3f","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/net/ethernet/freescale/enetc/ntmp.c","drivers/net/ethernet/freescale/enetc/ntmp_private.h","include/linux/fsl/ntmp.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.33","matchCriteriaId":"ECF50DF4-D48C-47E4-A4EC-0D26E6955B6E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.10","matchCriteriaId":"A13475D2-59BF-4716-94B5-7C1D239A2CF4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/37c8933064be714ee672b0a0523c2fd045b73b3d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3cade698881eb238f88cbbfec82acc2110440a3f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/655d9ce9b1d3db0aa5271acb5e5101c66bd0d58b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-13595","sourceIdentifier":"secalert@redhat.com","published":"2026-06-29T09:16:28.303","lastModified":"2026-07-08T03:37:21.637","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service."}],"affected":[{"source":"secalert@redhat.com","affectedData":[{"vendor":"Red Hat","product":"Red Hat Hardened Images","defaultStatus":"affected","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"util-linux-main","cpes":["cpe:/a:redhat:hummingbird:1"],"versions":[{"version":"2.42.2-1.hum1","lessThan":"*","versionType":"rpm","status":"unaffected"}]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"util-linux","cpes":["cpe:/o:redhat:enterprise_linux:10"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"util-linux","cpes":["cpe:/o:redhat:enterprise_linux:7"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"util-linux","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"util-linux","cpes":["cpe:/o:redhat:enterprise_linux:9"]},{"vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhcos","cpes":["cpe:/a:redhat:openshift:4"]}]}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T13:50:15.269617Z","id":"CVE-2026-13595","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*","matchCriteriaId":"87DEB507-5B64-47D7-9A50-3B87FD1E571F"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndIncluding":"4.22.1","matchCriteriaId":"3F70390E-5DD6-42E4-AEA8-1C03337DDABC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*","versionEndExcluding":"2.42.2","matchCriteriaId":"D2EA765F-335C-4CC8-A956-8A748F5AA045"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:26573","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-13595","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2494101","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c","source":"secalert@redhat.com","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-57965","sourceIdentifier":"secalert@redhat.com","published":"2026-06-29T09:16:31.283","lastModified":"2026-07-08T03:36:51.790","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow, causing the spice-vdagent daemon to crash and resulting in a Denial of Service (DoS) for the virtual machine. This issue requires the SPICE host to be untrusted or compromised for exploitation."}],"affected":[{"source":"secalert@redhat.com","affectedData":[{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:10"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:6"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:7"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"mingw-spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:9"]}]}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T10:43:01.020584Z","id":"CVE-2026-57965","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-190"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:spice-space:spice-vdagent:-:*:*:*:*:*:*:*","matchCriteriaId":"E6E6AC9A-9FC1-4476-A01D-9E5EE7084FB8"}]}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-57965","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2493581","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-57966","sourceIdentifier":"secalert@redhat.com","published":"2026-06-29T09:16:31.403","lastModified":"2026-07-08T03:36:29.930","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation."}],"affected":[{"source":"secalert@redhat.com","affectedData":[{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:10"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:6"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:7"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"mingw-spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","defaultStatus":"affected","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"spice-vdagent","cpes":["cpe:/o:redhat:enterprise_linux:9"]}]}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":0.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-29T12:53:14.671684Z","id":"CVE-2026-57966","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:spice-space:spice-vdagent:-:*:*:*:*:*:*:*","matchCriteriaId":"E6E6AC9A-9FC1-4476-A01D-9E5EE7084FB8"}]}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-57966","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2493582","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-46454","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:36.457","lastModified":"2026-07-08T03:15:21.903","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation vulnerability in Apache Camel Cometd Component.\n\nThe camel-cometd component maps inbound Bayeux (CometD) message headers into the Camel Exchange without applying a HeaderFilterStrategy. CometdBinding.populateExchangeFromMessage copies the entire ext.CamelHeaders map supplied by the CometD client directly onto the Camel message (message.setHeaders), so any header name - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName - is accepted unmodified. Because a CometdComponent installs no Bayeux SecurityPolicy by default, any client that can complete the Bayeux handshake against the CometD endpoint can publish such a message without authentication. An attacker can therefore inject arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a JMS destination); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix implements a HeaderFilterStrategy in the camel-cometd binding (a long-standing TODO in the code) that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound CometD messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and install an explicit Bayeux SecurityPolicy on the CometdComponent so that only authenticated clients can publish."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-cometd","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T17:41:16.224857Z","id":"CVE-2026-46454","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-46454.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-46455","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:36.573","lastModified":"2026-07-08T03:15:29.090","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\n\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token's validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token's exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-keycloak","versions":[{"version":"4.18.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:29:09.924590Z","id":"CVE-2026-46455","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-613"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18.0","versionEndExcluding":"4.18.3","matchCriteriaId":"3F672322-AA52-4621-B687-76B5AC9D619F"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-46455.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/8","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-46456","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:36.683","lastModified":"2026-07-08T03:15:11.683","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component.\n\n\nThe camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses.\n\n\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-aws2-sqs","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:28:14.313666Z","id":"CVE-2026-46456","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-46456.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/9","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-46457","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:36.807","lastModified":"2026-07-08T03:14:59.887","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation vulnerability in Apache Camel NATS component.\n\nThe camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - unmodified onto the Camel message. A client able to publish to the consumed NATS subject can therefore inject arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. NATS message headers require NATS 2.2 or later, and the issue is reachable without credentials when the NATS server is configured without authentication (the NATS server default).\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound NATS messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and enable authentication on the NATS server so that only trusted clients can publish to the consumed subject."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-nats","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:26:49.615569Z","id":"CVE-2026-46457","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-46457.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/10","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-48203","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:37.633","lastModified":"2026-07-08T03:14:47.170","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel Solr component.\n\nThe camel-solr producer copies Exchange message headers whose names begin with the SolrParam. prefix into the parameters of the Solr request, and headers whose names begin with the SolrField. prefix into the fields of the indexed Solr document. The prefix constants (SolrConstants.HEADER_PARAM_PREFIX / HEADER_FIELD_PREFIX) were the plain strings SolrParam. / SolrField.. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a solr: producer, any HTTP client could therefore set SolrParam.* headers to inject arbitrary Solr request parameters - including shards or stream.url, which cause the Solr server to issue server-side requests to an attacker-chosen URL (server-side request forgery, for example to an internal service or a cloud metadata endpoint), or qt to reach administrative request handlers - and set SolrField.* headers to inject arbitrary fields into indexed documents. No credentials are required when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Solr parameters or fields via the raw header prefixes must use CamelSolrParam. / CamelSolrField. instead of SolrParam. / SolrField.. For deployments that cannot upgrade immediately, strip the SolrParam.* and SolrField.* headers from any untrusted ingress before the solr: producer, and set the required Solr parameters and fields from a trusted source in the route."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-solr","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:17:14.778965Z","id":"CVE-2026-48203","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"http://camel.apache.org/security/CVE-2026-48203.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/17","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-48204","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:37.760","lastModified":"2026-07-08T03:14:37.690","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component.\n\nThe camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the default. The control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a mongodb-gridfs: producer with no explicit operation, any HTTP client could therefore set the gridfs.operation header to override the route's intended operation - switching, for example, a file upload to remove (deleting a file identified by the attacker-supplied gridfs.objectid), listAll (enumerating every file in the bucket) or findOne (reading a file) - and supply a gridfs.metadata value that is parsed as a MongoDB document, enabling NoSQL operator injection. No credentials are required when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of the gridfs.* names. For deployments that cannot upgrade immediately, set an explicit operation on the mongodb-gridfs: endpoint so the operation is not taken from a header, and strip the gridfs.* headers from any untrusted ingress before the producer."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-mongodb-gridfs","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:07:54.223976Z","id":"CVE-2026-48204","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-48204.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/18","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-48205","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:37.880","lastModified":"2026-07-08T03:14:28.607","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component.\n\nThe camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel DNS","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-dns","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:06:55.841082Z","id":"CVE-2026-48205","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-48205.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/19","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-48206","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:38.000","lastModified":"2026-07-08T03:14:18.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel JIRA component.\n\nThe camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others - from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a jira: producer, any HTTP client could therefore supply these headers and override the values the route intended, driving JIRA operations against the configured JIRA instance with the endpoint's configured service-account credentials - for example deleting or transitioning an arbitrary issue (via IssueKey / IssueTransitionId), creating an issue in a different project (via ProjectKey), modifying issue fields, adding or removing watchers, or logging work. The operations are bounded by what the configured service account is permitted to do. No credentials are required from the attacker when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values. For deployments that cannot upgrade immediately, strip the camel-jira control headers from any untrusted ingress before the jira: producer (for example removing the IssueKey, ProjectKey, IssueTransitionId and related headers at the start of the route), and set the required JIRA operation parameters from a trusted source."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel JIRA","defaultStatus":"unaffected","packageName":"org.apache.camel:camel-jira","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:05:49.833194Z","id":"CVE-2026-48206","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-48206.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/20","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49097","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:38.240","lastModified":"2026-07-08T03:12:14.387","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel IRC component.\n\nThe camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into an irc: producer, any HTTP client could therefore set the irc.sendTo header and redirect a message that the route intended for a configured channel to an arbitrary IRC channel or user - exfiltrating the message content to an attacker-chosen nickname, leaking it into a public channel, or delivering messages that appear to come from the bot. No credentials are required when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the irc.* headers from any untrusted ingress before the irc: producer (for example removeHeaders('irc.*') at the start of the route), and set the IRC destination from a trusted source."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","packageName":"org.apache.camel:camel-irc","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T19:02:00.670679Z","id":"CVE-2026-49097","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-49097.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/22","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49098","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:38.357","lastModified":"2026-07-08T03:11:33.087","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel Kafka Component.\n\nThe camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own KafkaHeaderFilterStrategy does filter the kafka.* namespace, but only on the Kafka-to-Exchange serialization boundary (reading Kafka record headers into the Exchange, and writing Exchange headers into a Kafka record); it does not apply to headers that arrive from an upstream consumer in a multi-component route. The upstream HTTP consumer uses HttpHeaderFilterStrategy, which blocks only the Camel / camel namespace, so a kafka.* header passes through unfiltered. As a result, in a route that bridges an HTTP consumer (for example platform-http) into a kafka: producer, any HTTP client could set the kafka.OVERRIDE_TOPIC header and cause the message to be published to an arbitrary Kafka topic instead of the configured one - redirecting it to a sensitive internal topic, or injecting attacker-crafted messages into a topic consumed by a critical downstream service. The related kafka.OVERRIDE_TIMESTAMP and kafka.PARTITION_KEY headers could likewise be injected to backdate messages or target specific partitions. No credentials are required when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments that cannot upgrade immediately, strip the kafka.* headers from any untrusted ingress before the kafka: producer (for example removeHeaders('kafka.*') at the start of the route), and set the target topic from a trusted source."},{"lang":"es","value":"Vulnerabilidad por validación inadecuada de entradas y neutralización incorrecta de elementos especiales en la salida utilizada por un componente posterior (inyección) en el componente Apache Camel Kafka. El productor camel-kafka puede anular el tema de destino configurado en tiempo de ejecución a través del encabezado kafka.OVERRIDE_TOPIC de Exchange: KafkaProducer.evaluateTopic() devuelve el valor del encabezado en lugar del tema configurado en el punto final. Las constantes de los encabezados de control en KafkaConstants (por ejemplo, OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka. PARTITION_KEY) utilizan valores simples, sin prefijo Camel. La propia estrategia KafkaHeaderFilterStrategy de camel-kafka filtra el espacio de nombres kafka.*, pero solo en el límite de serialización de Kafka a Exchange (al leer los encabezados de los registros de Kafka en Exchange y al escribir los encabezados de Exchange en un registro de Kafka); no se aplica a los encabezados que llegan desde un consumidor anterior en una ruta de múltiples componentes. El consumidor HTTP anterior utiliza HttpHeaderFilterStrategy, que solo bloquea el espacio de nombres Camel / camel, por lo que un encabezado kafka.* pasa sin ser filtrado. Como resultado, en una ruta que conecta un consumidor HTTP (por ejemplo, platform-http) con un productor kafka:, cualquier cliente HTTP podría establecer el encabezado kafka.OVERRIDE_TOPIC y provocar que el mensaje se publique en un tema de Kafka arbitrario en lugar del configurado, redirigiéndolo a un tema interno sensible o inyectando mensajes creados por un atacante en un tema consumido por un servicio crítico posterior. Los encabezados relacionados kafka.OVERRIDE_TIMESTAMP y kafka.PARTITION_KEY también podrían inyectarse para antedatar mensajes o dirigirlos a particiones específicas. No se requieren credenciales cuando el consumidor puente no está autenticado. Este problema afecta a Apache Camel: desde la versión 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versión 4.21.0, que corrige el problema. Si los usuarios utilizan las versiones LTS de la rama 4.14.x, se les sugiere que actualicen a la 4.14.8. Si los usuarios utilizan las versiones de la rama 4.18.x, se les sugiere que actualicen a la 4.18.3. Tras la actualización, las rutas que establezcan o lean encabezados de Kafka mediante los nombres de encabezado sin formato deben utilizar los nombres CamelKafka* (por ejemplo, CamelKafkaOverrideTopic y CamelKafkaTopic) en lugar de los antiguos valores kafka.*. En el caso de las implementaciones que no puedan actualizarse de inmediato, elimine los encabezados «kafka.*» de cualquier entrada no fiable antes del productor kafka: (por ejemplo, removeHeaders(“kafka.*”) al inicio de la ruta) y establezca el tema de destino a partir de una fuente fiable."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-kafka","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T12:24:16.922525Z","id":"CVE-2026-49098","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-49098.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/23","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49099","sourceIdentifier":"security@apache.org","published":"2026-07-06T09:16:38.487","lastModified":"2026-07-08T03:10:36.587","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component.\n\nThe camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source."},{"lang":"es","value":"Neutralización incorrecta de elementos especiales en la salida utilizada por un componente posterior (inyección), vulnerabilidad que permite eludir la autorización mediante una clave controlada por el usuario en el componente Apache Camel para Salesforce. El productor camel-salesforce resuelve sus parámetros de funcionamiento —la consulta SOQL, la búsqueda SOSL, el nombre y el identificador del SObject de destino, la URL y el método REST de Apex, y los parámetros de consulta de Apex— a partir de los encabezados de los mensajes de Exchange, dando prioridad a la lectura del encabezado frente al valor configurado en el punto final (AbstractSalesforceProcessor.getParameter() lee primero el encabezado y utiliza la configuración del punto final solo como alternativa). Las constantes de los encabezados de control en SalesforceEndpointConfig (por ejemplo, SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod y el prefijo apexQueryParam. prefijo) utilizaban valores simples, sin prefijo Camel. Dado que estos nombres no comienzan con el prefijo Camel / camel, HttpHeaderFilterStrategy —que bloquea únicamente el espacio de nombres de encabezados Camel en el límite HTTP— permitía que pasaran directamente desde una solicitud HTTP entrante al Exchange. En una ruta que conecta a un consumidor HTTP (por ejemplo, platform-http) con un salesforce: cualquier cliente HTTP podría, por lo tanto, establecer estos encabezados y anular lo que la ruta pretendía: proporcionar su propia consulta SOQL o búsqueda SOSL para leer datos de cualquier SObject al que pueda acceder el usuario de Salesforce conectado, anular el nombre y el ID del SObject de destino para operaciones CRUD, o redirigir una llamada REST de Apex a un punto final y un método HTTP diferentes (incluidos métodos destructivos) con parámetros de consulta inyectados. Todas estas operaciones se ejecutan con todos los permisos del usuario conectado a Salesforce (de integración), que suelen ser amplios. El atacante no necesita credenciales cuando el consumidor puente no está autenticado. Este problema afecta a Apache Camel: desde la versión 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versión 4.21.0, que corrige el problema. Si los usuarios utilizan las versiones LTS de la rama 4.14.x, se les sugiere que actualicen a la 4.14.8. Si los usuarios utilizan las versiones de la rama 4.18.x, se les sugiere que actualicen a la 4.18.3. Tras la actualización, las rutas que configuren los parámetros de operación de Salesforce mediante los nombres de encabezado sin formato deben utilizar los nombres CamelSalesforce* (por ejemplo, CamelSalesforceSObjectQuery y CamelSalesforceApexUrl) en lugar de los antiguos valores sObject* / apex*; la ortografía de las opciones de punto final no ha cambiado. En el caso de las implementaciones que no puedan actualizarse de inmediato, elimine los encabezados de control de Salesforce de cualquier entrada no fiable antes del productor salesforce: (por ejemplo, removeHeaders(“sObject*”) y removeHeaders(“apex*”) al inicio de la ruta) y configure los parámetros de consulta, SObject y Apex a partir de una fuente fiable."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Camel Salesforce","defaultStatus":"unaffected","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"org.apache.camel:camel-salesforce","versions":[{"version":"4.0.0","lessThan":"4.14.8","versionType":"semver","status":"affected"},{"version":"4.15.0","lessThan":"4.18.3","versionType":"semver","status":"affected"},{"version":"4.19.0","lessThan":"4.21.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T12:30:20.388517Z","id":"CVE-2026-49099","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.14.8","matchCriteriaId":"7662EB25-EAB6-493F-924C-5CA8A6F462B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.0","versionEndExcluding":"4.18.3","matchCriteriaId":"0AEE4159-4465-4ACD-B94A-1E4682C85270"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0","versionEndExcluding":"4.21.0","matchCriteriaId":"1C2A1A7A-FADC-470F-8265-FA126AFD94ED"}]}]}],"references":[{"url":"https://camel.apache.org/security/CVE-2026-49099.html","source":"security@apache.org","tags":["Mitigation","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/07/05/24","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-50133","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T20:16:37.043","lastModified":"2026-07-08T03:08:33.383","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = \"text/html\") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gohugoio","product":"hugo","versions":[{"version":"< 0.162.0","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T14:44:22.813847Z","id":"CVE-2026-50133","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*","versionEndExcluding":"0.162.0","matchCriteriaId":"04E0F491-D2EB-4F67-B86B-038519EF0728"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gohugoio/hugo/releases/tag/v0.162.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-50134","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T20:16:37.197","lastModified":"2026-07-08T03:08:10.280","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gohugoio","product":"hugo","versions":[{"version":">= 0.91.0, < 0.162.0","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T16:52:13.588144Z","id":"CVE-2026-50134","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*","versionStartIncluding":"0.91.0","versionEndExcluding":"0.162.0","matchCriteriaId":"5AEFC1B8-E491-4F22-AB09-CBE326174288"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gohugoio/hugo/releases/tag/v0.162.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-58402","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T20:16:38.040","lastModified":"2026-07-08T03:06:03.630","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class=\"language-…\" data-lang=\"…\" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gohugoio","product":"hugo","versions":[{"version":">= 0.60.0, < 0.163.3","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T20:52:58.622823Z","id":"CVE-2026-58402","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*","versionStartIncluding":"0.60.0","versionEndExcluding":"0.163.3","matchCriteriaId":"7DFF8755-C251-4C10-BAB6-96F8C8014132"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gohugoio/hugo/pull/15051","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/gohugoio/hugo/releases/tag/v0.163.3","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-58403","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T20:16:38.173","lastModified":"2026-07-08T03:05:34.933","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile \"somefile\" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gohugoio","product":"hugo","versions":[{"version":">= 0.123.0, < 0.163.1","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T20:51:16.911843Z","id":"CVE-2026-58403","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-59"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*","versionStartIncluding":"0.123.0","versionEndExcluding":"0.163.1","matchCriteriaId":"401A6BFD-75B5-4CE4-91C2-EE8A320AA8FB"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gohugoio/hugo/pull/15020","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/gohugoio/hugo/releases/tag/v0.163.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-58404","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T20:16:38.307","lastModified":"2026-07-08T03:05:00.160","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gohugoio","product":"hugo","versions":[{"version":">= v0.162.0, < v0.163.1","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.0}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T15:08:15.371330Z","id":"CVE-2026-58404","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*","versionStartIncluding":"0.162.0","versionEndExcluding":"0.163.1","matchCriteriaId":"1CB7366F-0554-4DD8-9B29-A06D72CB6070"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gohugoio/hugo/pull/15020","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/gohugoio/hugo/releases/tag/v0.163.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-54764","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T21:16:56.930","lastModified":"2026-07-08T03:01:46.417","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of the sanitized forwarded request. As a result, an unauthenticated remote attacker can inject an X-Forwarded-Proto: https header over a plain HTTP connection and cause Traefik to forward X-Forwarded-Port: 443 to the authentication service, bypassing port-based authorization checks. This issue is fixed in versions v2.11.51, v3.6.22, and v3.7.6."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"traefik","product":"traefik","versions":[{"version":"< 2.11.51","status":"affected"},{"version":">= 3.0.0, < 3.6.22","status":"affected"},{"version":">= 3.7.0, < 3.7.6","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T14:03:07.994154Z","id":"CVE-2026-54764","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-345"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.51","matchCriteriaId":"5AEF8E00-6A9F-4F16-BEC2-9CCF183AC647"},{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.6.22","matchCriteriaId":"A035A58C-BBD8-4E57-B6F3-A42E2F9CC4BC"},{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7.0","versionEndExcluding":"3.7.6","matchCriteriaId":"359A11C2-8FAA-436F-BB24-C2B166473FDC"}]}]}],"references":[{"url":"https://github.com/traefik/traefik/commit/7ae92d8c2c10ac04ef5a03df0ed5019ce0f44b2d","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/traefik/traefik/pull/13344","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/traefik/traefik/security/advisories/GHSA-3q9r-p662-5j8m","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-54765","sourceIdentifier":"security-advisories@github.com","published":"2026-07-06T21:16:57.067","lastModified":"2026-07-08T03:01:20.093","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"traefik","product":"traefik","versions":[{"version":">= 3.7.0, < 3.7.6","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T14:18:17.134061Z","id":"CVE-2026-54765","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7.0","versionEndExcluding":"3.7.6","matchCriteriaId":"359A11C2-8FAA-436F-BB24-C2B166473FDC"}]}]}],"references":[{"url":"https://github.com/traefik/traefik/commit/8aada7a7d52e4588a75386d8b86d270f6fe8d549","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/traefik/traefik/pull/13367","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/traefik/traefik/releases/tag/v3.7.6","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/traefik/traefik/security/advisories/GHSA-6p8f-p8j2-rqmv","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}