Search criteria
10573 vulnerabilities
CVE-2026-23110 (GCVE-0-2026-23110)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
scsi: core: Wake up the error handler when final completions race against each other
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Wake up the error handler when final completions race against each other
The fragile ordering between marking commands completed or failed so
that the error handler only wakes when the last running command
completes or times out has race conditions. These race conditions can
cause the SCSI layer to fail to wake the error handler, leaving I/O
through the SCSI host stuck as the error state cannot advance.
First, there is an memory ordering issue within scsi_dec_host_busy().
The write which clears SCMD_STATE_INFLIGHT may be reordered with reads
counting in scsi_host_busy(). While the local CPU will see its own
write, reordering can allow other CPUs in scsi_dec_host_busy() or
scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to
see a host busy equal to the host_failed count.
This race condition can be prevented with a memory barrier on the error
path to force the write to be visible before counting host busy
commands.
Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By
counting busy commands before incrementing host_failed, it can race with a
final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does
not see host_failed incremented but scsi_eh_inc_host_failed() counts busy
commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),
resulting in neither waking the error handler task.
This needs the call to scsi_host_busy() to be moved after host_failed is
incremented to close the race condition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < cc872e35c0df80062abc71268d690a2f749e542e
(git)
Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 6d9a367be356101963c249ebf10ea10b32886607 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 9fdc6f28d5e81350ab1d2cac8389062bd09e61e1 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < 219f009ebfd1ef3970888ee9eef4c8a06357f862 (git) Affected: 6eb045e092efefafc6687409a6fa6d1dabf0fb69 , < fe2f8ad6f0999db3b318359a01ee0108c703a8c3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_error.c",
"drivers/scsi/scsi_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc872e35c0df80062abc71268d690a2f749e542e",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "6d9a367be356101963c249ebf10ea10b32886607",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "9fdc6f28d5e81350ab1d2cac8389062bd09e61e1",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "219f009ebfd1ef3970888ee9eef4c8a06357f862",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
},
{
"lessThan": "fe2f8ad6f0999db3b318359a01ee0108c703a8c3",
"status": "affected",
"version": "6eb045e092efefafc6687409a6fa6d1dabf0fb69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/scsi_error.c",
"drivers/scsi/scsi_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Wake up the error handler when final completions race against each other\n\nThe fragile ordering between marking commands completed or failed so\nthat the error handler only wakes when the last running command\ncompletes or times out has race conditions. These race conditions can\ncause the SCSI layer to fail to wake the error handler, leaving I/O\nthrough the SCSI host stuck as the error state cannot advance.\n\nFirst, there is an memory ordering issue within scsi_dec_host_busy().\nThe write which clears SCMD_STATE_INFLIGHT may be reordered with reads\ncounting in scsi_host_busy(). While the local CPU will see its own\nwrite, reordering can allow other CPUs in scsi_dec_host_busy() or\nscsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to\nsee a host busy equal to the host_failed count.\n\nThis race condition can be prevented with a memory barrier on the error\npath to force the write to be visible before counting host busy\ncommands.\n\nSecond, there is a general ordering issue with scsi_eh_inc_host_failed(). By\ncounting busy commands before incrementing host_failed, it can race with a\nfinal command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does\nnot see host_failed incremented but scsi_eh_inc_host_failed() counts busy\ncommands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),\nresulting in neither waking the error handler task.\n\nThis needs the call to scsi_host_busy() to be moved after host_failed is\nincremented to close the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:33.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e"
},
{
"url": "https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607"
},
{
"url": "https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1"
},
{
"url": "https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0"
},
{
"url": "https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862"
},
{
"url": "https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3"
}
],
"title": "scsi: core: Wake up the error handler when final completions race against each other",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23110",
"datePublished": "2026-02-04T16:08:30.158Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-02-06T16:33:33.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23109 (GCVE-0-2026-23109)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()
Above the while() loop in wait_sb_inodes(), we document that we must wait
for all pages under writeback for data integrity. Consequently, if a
mapping, like fuse, traditionally does not have data integrity semantics,
there is no need to wait at all; we can simply skip these inodes.
This restores fuse back to prior behavior where syncs are no-ops. This
fixes a user regression where if a system is running a faulty fuse server
that does not reply to issued write requests, this causes wait_sb_inodes()
to wait forever.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c",
"fs/fuse/file.c",
"include/linux/pagemap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f4ed5e2b8f111553562507ad6202432c7c57731",
"status": "affected",
"version": "0c58a97f919c24fe4245015f4375a39ff05665b6",
"versionType": "git"
},
{
"lessThan": "f9a49aa302a05e91ca01f69031cb79a0ea33031f",
"status": "affected",
"version": "0c58a97f919c24fe4245015f4375a39ff05665b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fs-writeback.c",
"fs/fuse/file.c",
"include/linux/pagemap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()\n\nAbove the while() loop in wait_sb_inodes(), we document that we must wait\nfor all pages under writeback for data integrity. Consequently, if a\nmapping, like fuse, traditionally does not have data integrity semantics,\nthere is no need to wait at all; we can simply skip these inodes.\n\nThis restores fuse back to prior behavior where syncs are no-ops. This\nfixes a user regression where if a system is running a faulty fuse server\nthat does not reply to issued write requests, this causes wait_sb_inodes()\nto wait forever."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:29.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f4ed5e2b8f111553562507ad6202432c7c57731"
},
{
"url": "https://git.kernel.org/stable/c/f9a49aa302a05e91ca01f69031cb79a0ea33031f"
}
],
"title": "fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23109",
"datePublished": "2026-02-04T16:08:29.468Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-02-04T16:08:29.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23108 (GCVE-0-2026-23108)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0024d8ad1639e32d717445c69ca813fd19c2a91c , < feb8243eaea7efd5279b19667d7189fd8654c87a
(git)
Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < ef6e608e5ee71eca0cd3475c737e684cef24f240 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 59ff56992bba28051ad67cd8cc7b0edfe7280796 (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < ea4a98e924164586066b39f29bfcc7cc9da108cd (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < 07e9373739c6388af9d99797cdb2e79dbbcbe92b (git) Affected: 0024d8ad1639e32d717445c69ca813fd19c2a91c , < f7a980b3b8f80fe367f679da376cf76e800f9480 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb8243eaea7efd5279b19667d7189fd8654c87a",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ef6e608e5ee71eca0cd3475c737e684cef24f240",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "59ff56992bba28051ad67cd8cc7b0edfe7280796",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "ea4a98e924164586066b39f29bfcc7cc9da108cd",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "07e9373739c6388af9d99797cdb2e79dbbcbe92b",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
},
{
"lessThan": "f7a980b3b8f80fe367f679da376cf76e800f9480",
"status": "affected",
"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/usb_8dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -\u003e usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -\u003e unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv-\u003erx_submitted anchor."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:31.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a"
},
{
"url": "https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240"
},
{
"url": "https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9"
},
{
"url": "https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796"
},
{
"url": "https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd"
},
{
"url": "https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b"
},
{
"url": "https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480"
}
],
"title": "can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23108",
"datePublished": "2026-02-04T16:08:28.650Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-02-06T16:33:31.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23106 (GCVE-0-2026-23106)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
timekeeping: Adjust the leap state for the correct auxiliary timekeeper
Summary
In the Linux kernel, the following vulnerability has been resolved:
timekeeping: Adjust the leap state for the correct auxiliary timekeeper
When __do_ajdtimex() was introduced to handle adjtimex for any
timekeeper, this reference to tk_core was not updated. When called on an
auxiliary timekeeper, the core timekeeper would be updated incorrectly.
This gets caught by the lock debugging diagnostics because the
timekeepers sequence lock gets written to without holding its
associated spinlock:
WARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125
aux_clock_adj (kernel/time/timekeeping.c:2979)
__do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Update the correct auxiliary timekeeper.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/timekeeping.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f7c9dbeaa0be5810e44d323735967d3dba9239d",
"status": "affected",
"version": "775f71ebedd382da390dc16a4c28cffa5b937f79",
"versionType": "git"
},
{
"lessThan": "e806f7dde8ba28bc72a7a0898589cac79f6362ac",
"status": "affected",
"version": "775f71ebedd382da390dc16a4c28cffa5b937f79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/timekeeping.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimekeeping: Adjust the leap state for the correct auxiliary timekeeper\n\nWhen __do_ajdtimex() was introduced to handle adjtimex for any\ntimekeeper, this reference to tk_core was not updated. When called on an\nauxiliary timekeeper, the core timekeeper would be updated incorrectly.\n\nThis gets caught by the lock debugging diagnostics because the\ntimekeepers sequence lock gets written to without holding its\nassociated spinlock:\n\nWARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125\naux_clock_adj (kernel/time/timekeeping.c:2979)\n__do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nUpdate the correct auxiliary timekeeper."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:27.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f7c9dbeaa0be5810e44d323735967d3dba9239d"
},
{
"url": "https://git.kernel.org/stable/c/e806f7dde8ba28bc72a7a0898589cac79f6362ac"
}
],
"title": "timekeeping: Adjust the leap state for the correct auxiliary timekeeper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23106",
"datePublished": "2026-02-04T16:08:27.046Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-02-04T16:08:27.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23107 (GCVE-0-2026-23107)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
The code to restore a ZA context doesn't attempt to allocate the task's
sve_state before setting TIF_SME. Consequently, restoring a ZA context
can place a task into an invalid state where TIF_SME is set but the
task's sve_state is NULL.
In legitimate but uncommon cases where the ZA signal context was NOT
created by the kernel in the context of the same task (e.g. if the task
is saved/restored with something like CRIU), we have no guarantee that
sve_state had been allocated previously. In these cases, userspace can
enter streaming mode without trapping while sve_state is NULL, causing a
later NULL pointer dereference when the kernel attempts to store the
register state:
| # ./sigreturn-za
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
| ESR = 0x0000000096000046
| EC = 0x25: DABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| FSC = 0x06: level 2 translation fault
| Data abort info:
| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
| CM = 0, WnR = 1, TnD = 0, TagAccess = 0
| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
| Internal error: Oops: 0000000096000046 [#1] SMP
| Modules linked in:
| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
| Hardware name: linux,dummy-virt (DT)
| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
| pc : sve_save_state+0x4/0xf0
| lr : fpsimd_save_user_state+0xb0/0x1c0
| sp : ffff80008070bcc0
| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
| Call trace:
| sve_save_state+0x4/0xf0 (P)
| fpsimd_thread_switch+0x48/0x198
| __switch_to+0x20/0x1c0
| __schedule+0x36c/0xce0
| schedule+0x34/0x11c
| exit_to_user_mode_loop+0x124/0x188
| el0_interrupt+0xc8/0xd8
| __el0_irq_handler_common+0x18/0x24
| el0t_64_irq_handler+0x10/0x1c
| el0t_64_irq+0x198/0x19c
| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
| ---[ end trace 0000000000000000 ]---
Fix this by having restore_za_context() ensure that the task's sve_state
is allocated, matching what we do when taking an SME trap. Any live
SVE/SSVE state (which is restored earlier from a separate signal
context) must be preserved, and hence this is not zeroed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
39782210eb7e87634d96cacb6ece370bc59d74ba , < c5a5b150992ebab779c1ce54f54676786e47e94c
(git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 70f7f54566afc23f2c71bf1411af81f5d8009e0f (git) Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5a5b150992ebab779c1ce54f54676786e47e94c",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "0af233d66eff90fb8f3e0fc09f2316bba0b72bb9",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "70f7f54566afc23f2c71bf1411af81f5d8009e0f",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
},
{
"lessThan": "ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4",
"status": "affected",
"version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn\u0027t attempt to allocate the task\u0027s\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask\u0027s sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n| ESR = 0x0000000096000046\n| EC = 0x25: DABT (current EL), IL = 32 bits\n| SET = 0, FnV = 0\n| EA = 0, S1PTW = 0\n| FSC = 0x06: level 2 translation fault\n| Data abort info:\n| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n| CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1] SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n| sve_save_state+0x4/0xf0 (P)\n| fpsimd_thread_switch+0x48/0x198\n| __switch_to+0x20/0x1c0\n| __schedule+0x36c/0xce0\n| schedule+0x34/0x11c\n| exit_to_user_mode_loop+0x124/0x188\n| el0_interrupt+0xc8/0xd8\n| __el0_irq_handler_common+0x18/0x24\n| el0t_64_irq_handler+0x10/0x1c\n| el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task\u0027s sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:30.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c"
},
{
"url": "https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"
},
{
"url": "https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"
},
{
"url": "https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f"
},
{
"url": "https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"
}
],
"title": "arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23107",
"datePublished": "2026-02-04T16:08:27.755Z",
"dateReserved": "2026-01-13T15:37:45.967Z",
"dateUpdated": "2026-02-06T16:33:30.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23105 (GCVE-0-2026-23105)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
This is more of a preventive patch to make the code more consistent and
to prevent possible exploits that employ child qlen manipulations on qfq.
use cl_is_active instead of relying on the child qdisc's qlen to determine
class activation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < fac2c67bb2bb732eae4283e45fc338af7e08c254
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < b8c24cf5268fb3bfb8d16324c3dbb985f698c835 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f27047abf7cac1b6f90c3ad60de21ef9f717c26d (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 93b8635974fb050c43d07e35e5edfe6e685ca28a (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < abd9fc26ea577561a5ef6241a1b058755ffdad0c (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 77f1afd0bb4d5da95236f6114e6d0dfcde187ff6 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < d837fbee92453fbb829f950c8e7cf76207d73f33 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fac2c67bb2bb732eae4283e45fc338af7e08c254",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "b8c24cf5268fb3bfb8d16324c3dbb985f698c835",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f27047abf7cac1b6f90c3ad60de21ef9f717c26d",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "93b8635974fb050c43d07e35e5edfe6e685ca28a",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "abd9fc26ea577561a5ef6241a1b058755ffdad0c",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "77f1afd0bb4d5da95236f6114e6d0dfcde187ff6",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "d837fbee92453fbb829f950c8e7cf76207d73f33",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag\n\nThis is more of a preventive patch to make the code more consistent and\nto prevent possible exploits that employ child qlen manipulations on qfq.\nuse cl_is_active instead of relying on the child qdisc\u0027s qlen to determine\nclass activation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:28.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254"
},
{
"url": "https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835"
},
{
"url": "https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d"
},
{
"url": "https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a"
},
{
"url": "https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c"
},
{
"url": "https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6"
},
{
"url": "https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33"
}
],
"title": "net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23105",
"datePublished": "2026-02-04T16:08:26.376Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-02-06T16:33:28.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23104 (GCVE-0-2026-23104)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
ice: fix devlink reload call trace
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix devlink reload call trace
Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced
internal temperature sensor reading via HWMON. ice_hwmon_init() was added
to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a
result if devlink reload is used to reinit the device and then the driver
is removed, a call trace can occur.
BUG: unable to handle page fault for address: ffffffffc0fd4b5d
Call Trace:
string+0x48/0xe0
vsnprintf+0x1f9/0x650
sprintf+0x62/0x80
name_show+0x1f/0x30
dev_attr_show+0x19/0x60
The call trace repeats approximately every 10 minutes when system
monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs
attributes that reference freed module memory.
The sequence is:
1. Driver load, ice_hwmon_init() gets called from ice_init_feature()
2. Devlink reload down, flow does not call ice_remove()
3. Devlink reload up, ice_hwmon_init() gets called from
ice_init_feature() resulting in a second instance
4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the
first hwmon instance orphaned with dangling pointer
Fix this by moving ice_hwmon_exit() from ice_remove() to
ice_deinit_features() to ensure proper cleanup symmetry with
ice_hwmon_init().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87c1dacca197cc64e06fedeb269e3dd6699bae60",
"status": "affected",
"version": "4da71a77fc3be1fcb680c8d78e1a1fb8017905ad",
"versionType": "git"
},
{
"lessThan": "d3f867e7a04678640ebcbfb81893c59f4af48586",
"status": "affected",
"version": "4da71a77fc3be1fcb680c8d78e1a1fb8017905ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix devlink reload call trace\n\nCommit 4da71a77fc3b (\"ice: read internal temperature sensor\") introduced\ninternal temperature sensor reading via HWMON. ice_hwmon_init() was added\nto ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a\nresult if devlink reload is used to reinit the device and then the driver\nis removed, a call trace can occur.\n\nBUG: unable to handle page fault for address: ffffffffc0fd4b5d\nCall Trace:\n string+0x48/0xe0\n vsnprintf+0x1f9/0x650\n sprintf+0x62/0x80\n name_show+0x1f/0x30\n dev_attr_show+0x19/0x60\n\nThe call trace repeats approximately every 10 minutes when system\nmonitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs\nattributes that reference freed module memory.\n\nThe sequence is:\n1. Driver load, ice_hwmon_init() gets called from ice_init_feature()\n2. Devlink reload down, flow does not call ice_remove()\n3. Devlink reload up, ice_hwmon_init() gets called from\n ice_init_feature() resulting in a second instance\n4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the\n first hwmon instance orphaned with dangling pointer\n\nFix this by moving ice_hwmon_exit() from ice_remove() to\nice_deinit_features() to ensure proper cleanup symmetry with\nice_hwmon_init()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:25.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60"
},
{
"url": "https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586"
}
],
"title": "ice: fix devlink reload call trace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23104",
"datePublished": "2026-02-04T16:08:25.604Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-02-04T16:08:25.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23102 (GCVE-0-2026-23102)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
arm64/fpsimd: signal: Fix restoration of SVE context
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: signal: Fix restoration of SVE context
When SME is supported, Restoring SVE signal context can go wrong in a
few ways, including placing the task into an invalid state where the
kernel may read from out-of-bounds memory (and may potentially take a
fatal fault) and/or may kill the task with a SIGKILL.
(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into
an invalid state where SVCR.SM is set (and sve_state is non-NULL)
but TIF_SME is clear, consequently resuting in out-of-bounds memory
reads and/or killing the task with SIGKILL.
This can only occur in unusual (but legitimate) cases where the SVE
signal context has either been modified by userspace or was saved in
the context of another task (e.g. as with CRIU), as otherwise the
presence of an SVE signal context with SVE_SIG_FLAG_SM implies that
TIF_SME is already set.
While in this state, task_fpsimd_load() will NOT configure SMCR_ELx
(leaving some arbitrary value configured in hardware) before
restoring SVCR and attempting to restore the streaming mode SVE
registers from memory via sve_load_state(). As the value of
SMCR_ELx.LEN may be larger than the task's streaming SVE vector
length, this may read memory outside of the task's allocated
sve_state, reading unrelated data and/or triggering a fault.
While this can result in secrets being loaded into streaming SVE
registers, these values are never exposed. As TIF_SME is clear,
fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0
accesses to streaming mode SVE registers, so these cannot be
accessed directly at EL0. As fpsimd_save_user_state() verifies the
live vector length before saving (S)SVE state to memory, no secret
values can be saved back to memory (and hence cannot be observed via
ptrace, signals, etc).
When the live vector length doesn't match the expected vector length
for the task, fpsimd_save_user_state() will send a fatal SIGKILL
signal to the task. Hence the task may be killed after executing
userspace for some period of time.
(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the
task's SVCR.SM. If SVCR.SM was set prior to restoring the context,
then the task will be left in streaming mode unexpectedly, and some
register state will be combined inconsistently, though the task will
be left in legitimate state from the kernel's PoV.
This can only occur in unusual (but legitimate) cases where ptrace
has been used to set SVCR.SM after entry to the sigreturn syscall,
as syscall entry clears SVCR.SM.
In these cases, the the provided SVE register data will be loaded
into the task's sve_state using the non-streaming SVE vector length
and the FPSIMD registers will be merged into this using the
streaming SVE vector length.
Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires
ensuring that the task's sme_state has been allocated, but as this could
contain live ZA state, it should not be zeroed. Fix (2) by clearing
SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.
For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,
and fp_type earlier, immediately after the allocation of
sve_state/sme_state, before the restore of the actual register state.
This makes it easier to ensure that these are always modified
consistently, even if a fault is taken while reading the register data
from the signal context. I do not expect any software to depend on the
exact state restored when a fault is taken while reading the context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85ed24dad2904f7c141911d91b7807ab02694b5e , < 9bc3adba8c35119be80ab20217027720446742f2
(git)
Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < ce820dd4e6e2d711242dc4331713b9bb4fe06d09 (git) Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < 7b5a52cf252a0d2e89787b645290ad288878f332 (git) Affected: 85ed24dad2904f7c141911d91b7807ab02694b5e , < d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bc3adba8c35119be80ab20217027720446742f2",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "ce820dd4e6e2d711242dc4331713b9bb4fe06d09",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "7b5a52cf252a0d2e89787b645290ad288878f332",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
},
{
"lessThan": "d2907cbe9ea0a54cbe078076f9d089240ee1e2d9",
"status": "affected",
"version": "85ed24dad2904f7c141911d91b7807ab02694b5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/signal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Fix restoration of SVE context\n\nWhen SME is supported, Restoring SVE signal context can go wrong in a\nfew ways, including placing the task into an invalid state where the\nkernel may read from out-of-bounds memory (and may potentially take a\nfatal fault) and/or may kill the task with a SIGKILL.\n\n(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into\n an invalid state where SVCR.SM is set (and sve_state is non-NULL)\n but TIF_SME is clear, consequently resuting in out-of-bounds memory\n reads and/or killing the task with SIGKILL.\n\n This can only occur in unusual (but legitimate) cases where the SVE\n signal context has either been modified by userspace or was saved in\n the context of another task (e.g. as with CRIU), as otherwise the\n presence of an SVE signal context with SVE_SIG_FLAG_SM implies that\n TIF_SME is already set.\n\n While in this state, task_fpsimd_load() will NOT configure SMCR_ELx\n (leaving some arbitrary value configured in hardware) before\n restoring SVCR and attempting to restore the streaming mode SVE\n registers from memory via sve_load_state(). As the value of\n SMCR_ELx.LEN may be larger than the task\u0027s streaming SVE vector\n length, this may read memory outside of the task\u0027s allocated\n sve_state, reading unrelated data and/or triggering a fault.\n\n While this can result in secrets being loaded into streaming SVE\n registers, these values are never exposed. As TIF_SME is clear,\n fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0\n accesses to streaming mode SVE registers, so these cannot be\n accessed directly at EL0. As fpsimd_save_user_state() verifies the\n live vector length before saving (S)SVE state to memory, no secret\n values can be saved back to memory (and hence cannot be observed via\n ptrace, signals, etc).\n\n When the live vector length doesn\u0027t match the expected vector length\n for the task, fpsimd_save_user_state() will send a fatal SIGKILL\n signal to the task. Hence the task may be killed after executing\n userspace for some period of time.\n\n(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the\n task\u0027s SVCR.SM. If SVCR.SM was set prior to restoring the context,\n then the task will be left in streaming mode unexpectedly, and some\n register state will be combined inconsistently, though the task will\n be left in legitimate state from the kernel\u0027s PoV.\n\n This can only occur in unusual (but legitimate) cases where ptrace\n has been used to set SVCR.SM after entry to the sigreturn syscall,\n as syscall entry clears SVCR.SM.\n\n In these cases, the the provided SVE register data will be loaded\n into the task\u0027s sve_state using the non-streaming SVE vector length\n and the FPSIMD registers will be merged into this using the\n streaming SVE vector length.\n\nFix (1) by setting TIF_SME when setting SVCR.SM. This also requires\nensuring that the task\u0027s sme_state has been allocated, but as this could\ncontain live ZA state, it should not be zeroed. Fix (2) by clearing\nSVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.\n\nFor consistency, I\u0027ve pulled the manipulation of SVCR, TIF_SVE, TIF_SME,\nand fp_type earlier, immediately after the allocation of\nsve_state/sme_state, before the restore of the actual register state.\nThis makes it easier to ensure that these are always modified\nconsistently, even if a fault is taken while reading the register data\nfrom the signal context. I do not expect any software to depend on the\nexact state restored when a fault is taken while reading the context."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:25.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2"
},
{
"url": "https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09"
},
{
"url": "https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332"
},
{
"url": "https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9"
}
],
"title": "arm64/fpsimd: signal: Fix restoration of SVE context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23102",
"datePublished": "2026-02-04T16:08:24.034Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-06T16:33:25.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23103 (GCVE-0-2026-23103)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
ipvlan: Make the addrs_lock be per port
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Make the addrs_lock be per port
Make the addrs_lock be per port, not per ipvlan dev.
Initial code seems to be written in the assumption,
that any address change must occur under RTNL.
But it is not so for the case of IPv6. So
1) Introduce per-port addrs_lock.
2) It was needed to fix places where it was forgotten
to take lock (ipvlan_open/ipvlan_close)
This appears to be a very minor problem though.
Since it's highly unlikely that ipvlan_add_addr() will
be called on 2 CPU simultaneously. But nevertheless,
this could cause:
1) False-negative of ipvlan_addr_busy(): one interface
iterated through all port->ipvlans + ipvlan->addrs
under some ipvlan spinlock, and another added IP
under its own lock. Though this is only possible
for IPv6, since looks like only ipvlan_addr6_event() can be
called without rtnl_lock.
2) Race since ipvlan_ht_addr_add(port) is called under
different ipvlan->addrs_lock locks
This should not affect performance, since add/remove IP
is a rare situation and spinlock is not taken on fast
paths.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8230819494b3bf284ca7262ac5f877333147b937 , < 3c149b662cbb202a450e81f938e702ba333864ad
(git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 70feb16e3fbfb10b15de1396557c38e99f1ab8df (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 88f83e6c9cdb46b8c8ddd0ba01393362963cf589 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 04ba6de6eff61238e5397c14ac26a6578c7735a5 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 1f300c10d92c547c3a7d978e1212ff52f18256ed (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 6a81e2db096913d7e43aada1c350c1282e76db39 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < d3ba32162488283c0a4c5bedd8817aec91748802 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c149b662cbb202a450e81f938e702ba333864ad",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "70feb16e3fbfb10b15de1396557c38e99f1ab8df",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "88f83e6c9cdb46b8c8ddd0ba01393362963cf589",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "04ba6de6eff61238e5397c14ac26a6578c7735a5",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "1f300c10d92c547c3a7d978e1212ff52f18256ed",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "6a81e2db096913d7e43aada1c350c1282e76db39",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
},
{
"lessThan": "d3ba32162488283c0a4c5bedd8817aec91748802",
"status": "affected",
"version": "8230819494b3bf284ca7262ac5f877333147b937",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan.h",
"drivers/net/ipvlan/ipvlan_core.c",
"drivers/net/ipvlan/ipvlan_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:27.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad"
},
{
"url": "https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df"
},
{
"url": "https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589"
},
{
"url": "https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5"
},
{
"url": "https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed"
},
{
"url": "https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39"
},
{
"url": "https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802"
}
],
"title": "ipvlan: Make the addrs_lock be per port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23103",
"datePublished": "2026-02-04T16:08:24.771Z",
"dateReserved": "2026-01-13T15:37:45.966Z",
"dateUpdated": "2026-02-06T16:33:27.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23101 (GCVE-0-2026-23101)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
leds: led-class: Only Add LED to leds_list when it is fully ready
Summary
In the Linux kernel, the following vulnerability has been resolved:
leds: led-class: Only Add LED to leds_list when it is fully ready
Before this change the LED was added to leds_list before led_init_core()
gets called adding it the list before led_classdev.set_brightness_work gets
initialized.
This leaves a window where led_trigger_register() of a LED's default
trigger will call led_trigger_set() which calls led_set_brightness()
which in turn will end up queueing the *uninitialized*
led_classdev.set_brightness_work.
This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
succession. The first led_classdev_register() causes an async modprobe of
snd_ctl_led to run and that async modprobe manages to exactly hit
the window where the second LED is on the leds_list without led_init_core()
being called for it, resulting in:
------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
...
Call trace:
__flush_work+0x344/0x390 (P)
flush_work+0x2c/0x50
led_trigger_set+0x1c8/0x340
led_trigger_register+0x17c/0x1c0
led_trigger_register_simple+0x84/0xe8
snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318
do_init_module+0x9c/0x2b8
load_module+0x7e0/0x998
Close the race window by moving the adding of the LED to leds_list to
after the led_init_core() call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d23a22a74fded23a12434c9463fe66cec2b0afcd , < f7a6df659af777058833802c29b3b7974db5e78a
(git)
Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < d117fdcb21b05c0e0460261d017b92303cd9ba77 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < e90c861411fc84629a240384b0a72830539d3386 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < 2757f7748ce2d0fa44112024907bafb37e104d6e (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < 78822628165f3d817382f67f91129161159ca234 (git) Affected: d23a22a74fded23a12434c9463fe66cec2b0afcd , < d1883cefd31752f0504b94c3bcfa1f6d511d6e87 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a6df659af777058833802c29b3b7974db5e78a",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d117fdcb21b05c0e0460261d017b92303cd9ba77",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "e90c861411fc84629a240384b0a72830539d3386",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "2757f7748ce2d0fa44112024907bafb37e104d6e",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "da565bf98c9ad0eabcb09fc97859e0b52f98b7c3",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "78822628165f3d817382f67f91129161159ca234",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
},
{
"lessThan": "d1883cefd31752f0504b94c3bcfa1f6d511d6e87",
"status": "affected",
"version": "d23a22a74fded23a12434c9463fe66cec2b0afcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED\u0027s default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n __flush_work+0x344/0x390 (P)\n flush_work+0x2c/0x50\n led_trigger_set+0x1c8/0x340\n led_trigger_register+0x17c/0x1c0\n led_trigger_register_simple+0x84/0xe8\n snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n do_one_initcall+0x5c/0x318\n do_init_module+0x9c/0x2b8\n load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:23.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a"
},
{
"url": "https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77"
},
{
"url": "https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386"
},
{
"url": "https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e"
},
{
"url": "https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3"
},
{
"url": "https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234"
},
{
"url": "https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87"
}
],
"title": "leds: led-class: Only Add LED to leds_list when it is fully ready",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23101",
"datePublished": "2026-02-04T16:08:23.329Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-06T16:33:23.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23100 (GCVE-0-2026-23100)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
mm/hugetlb: fix hugetlb_pmd_shared()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix hugetlb_pmd_shared()
Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using
mmu_gather)", v3.
One functional fix, one performance regression fix, and two related
comment fixes.
I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.
The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.
Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().
The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated
There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.
Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.
This patch (of 4):
We switched from (wrongly) using the page count to an independent shared
count. Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.
We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.
Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive. In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.
Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
59d9094df3d79443937add8700b2ef1a866b1081 , < 69c4e241ff13545d410a8b2a688c932182a858bf
(git)
Affected: 59d9094df3d79443937add8700b2ef1a866b1081 , < ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 (git) Affected: 94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133 (git) Affected: 8410996eb6fea116fe1483ed977aacf580eee7b4 (git) Affected: 02333ac1c35370517a19a4a131332a9690c6a5c7 (git) Affected: 56b274473d6e7e7375f2d0a2b4aca11d67c6b52f (git) Affected: 2e31443a0d18ae43b9d29e02bf0563f07772193d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69c4e241ff13545d410a8b2a688c932182a858bf",
"status": "affected",
"version": "59d9094df3d79443937add8700b2ef1a866b1081",
"versionType": "git"
},
{
"lessThan": "ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216",
"status": "affected",
"version": "59d9094df3d79443937add8700b2ef1a866b1081",
"versionType": "git"
},
{
"status": "affected",
"version": "94b4b41d0cdf5cfd4d4325bc0e6e9e0d0e996133",
"versionType": "git"
},
{
"status": "affected",
"version": "8410996eb6fea116fe1483ed977aacf580eee7b4",
"versionType": "git"
},
{
"status": "affected",
"version": "02333ac1c35370517a19a4a131332a9690c6a5c7",
"versionType": "git"
},
{
"status": "affected",
"version": "56b274473d6e7e7375f2d0a2b4aca11d67c6b52f",
"versionType": "git"
},
{
"status": "affected",
"version": "2e31443a0d18ae43b9d29e02bf0563f07772193d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/hugetlb.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.239",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl. using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that\u0027s all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount. Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc-\u003ept_share_count to identify\nsharing.\n\nWe didn\u0027t convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive. In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:22.592Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf"
},
{
"url": "https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216"
}
],
"title": "mm/hugetlb: fix hugetlb_pmd_shared()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23100",
"datePublished": "2026-02-04T16:08:22.592Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-04T16:08:22.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23099 (GCVE-0-2026-23099)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
bonding: limit BOND_MODE_8023AD to Ethernet devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: limit BOND_MODE_8023AD to Ethernet devices
BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
syzbot reported:
BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
__hw_addr_create net/core/dev_addr_lists.c:63 [inline]
__hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:868 [inline]
dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x820 net/socket.c:2592
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
__sys_sendmsg+0x164/0x220 net/socket.c:2678
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
</TASK>
The buggy address belongs to the variable:
lacpdu_mcast_addr+0x0/0x40
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
872254dd6b1f80cb95ee9e2e22980888533fc293 , < 72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4
(git)
Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 5063b2cd9b27d35ab788d707d7858ded0acc8f1d (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < ef68afb1bee8d35a18896c27d7358079353d8d8a (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < 43dee6f7ef1d228821de1b61c292af3744c8d7da (git) Affected: 872254dd6b1f80cb95ee9e2e22980888533fc293 , < c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "5063b2cd9b27d35ab788d707d7858ded0acc8f1d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "ef68afb1bee8d35a18896c27d7358079353d8d8a",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "43dee6f7ef1d228821de1b61c292af3744c8d7da",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
},
{
"lessThan": "c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6",
"status": "affected",
"version": "872254dd6b1f80cb95ee9e2e22980888533fc293",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: limit BOND_MODE_8023AD to Ethernet devices\n\nBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.\n\nsyzbot reported:\n\n BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nRead of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n __sys_sendmsg+0x164/0x220 net/socket.c:2678\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n \u003c/TASK\u003e\n\nThe buggy address belongs to the variable:\n lacpdu_mcast_addr+0x0/0x40"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:22.218Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4"
},
{
"url": "https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d"
},
{
"url": "https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d"
},
{
"url": "https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a"
},
{
"url": "https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da"
},
{
"url": "https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6"
}
],
"title": "bonding: limit BOND_MODE_8023AD to Ethernet devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23099",
"datePublished": "2026-02-04T16:08:21.601Z",
"dateReserved": "2026-01-13T15:37:45.965Z",
"dateUpdated": "2026-02-06T16:33:22.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23098 (GCVE-0-2026-23098)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
netrom: fix double-free in nr_route_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: fix double-free in nr_route_frame()
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25aab6bfc31017a7e52035b99aef5c2b6bde8ffb
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6e0110ea90313b7c0558a0b77038274a6821caf8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7c48fdf2d1349bb54815b56fb012b9d577707708 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd8955337e3764f912f49b360e176d8aaecf7016 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9f5fa78d9980fe75a69835521627ab7943cb3d67 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba1096c315283ee3292765f6aea4cca15816c4f7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25aab6bfc31017a7e52035b99aef5c2b6bde8ffb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e0110ea90313b7c0558a0b77038274a6821caf8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c48fdf2d1349bb54815b56fb012b9d577707708",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd8955337e3764f912f49b360e176d8aaecf7016",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9f5fa78d9980fe75a69835521627ab7943cb3d67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba1096c315283ee3292765f6aea4cca15816c4f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix double-free in nr_route_frame()\n\nIn nr_route_frame(), old_skb is immediately freed without checking if\nnr_neigh-\u003eax25 pointer is NULL. Therefore, if nr_neigh-\u003eax25 is NULL,\nthe caller function will free old_skb again, causing a double-free bug.\n\nTherefore, to prevent this, we need to modify it to check whether\nnr_neigh-\u003eax25 is NULL before freeing old_skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:20.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb"
},
{
"url": "https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8"
},
{
"url": "https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708"
},
{
"url": "https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016"
},
{
"url": "https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c"
},
{
"url": "https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67"
},
{
"url": "https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7"
}
],
"title": "netrom: fix double-free in nr_route_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23098",
"datePublished": "2026-02-04T16:08:20.692Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-06T16:33:20.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23097 (GCVE-0-2026-23097)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
migrate: correct lock ordering for hugetlb file folios
Summary
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
336bf30eb76580b579dc711ded5d599d905c0217 , < e7396d23f9d5739f56cf9ab430c3a169f5508394
(git)
Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < ad97b9a55246eb940a26ac977f80892a395cabf9 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 5edb9854f8df5428b40990a1c7d60507da5bd330 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 526394af4e8ade89cacd1a9ce2b97712712fcc34 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b75070823b89009f5123fd0e05a8e0c3d39937c1 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 1b68efce6dd483d22f50d0d3800c4cfda14b1305 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b7880cb166ab62c2409046b2347261abf701530e (git) Affected: ef792d6ce0db6a56e56743b1de1716a982c3b851 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b7880cb166ab62c2409046b2347261abf701530e",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"status": "affected",
"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:19.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"
},
{
"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"
},
{
"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"
},
{
"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"
},
{
"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"
},
{
"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"
},
{
"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"
}
],
"title": "migrate: correct lock ordering for hugetlb file folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23097",
"datePublished": "2026-02-04T16:08:19.815Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-06T16:33:19.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23096 (GCVE-0-2026-23096)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
uacce: fix cdev handling in the cleanup path
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: fix cdev handling in the cleanup path
When cdev_device_add fails, it internally releases the cdev memory,
and if cdev_device_del is then executed, it will cause a hang error.
To fix it, we check the return value of cdev_device_add() and clear
uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
015d239ac0142ad0e26567fd890ef8d171f13709 , < c94c7188d325bc5137d447d67a2f18f7d4f2f4a3
(git)
Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 1bc3e51367c420e6db31f41efa874c7a8e12194a (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 819d647406200d0e83e56fd2df8f451b11290559 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < d9031575a2f8aabc53af3025dd79af313a2e046b (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < 98d67a1bd6caddd0a8b8c82a0b925742cf500936 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < bd2393ed7712513e7e2dbcb6e21464a67ff9e702 (git) Affected: 015d239ac0142ad0e26567fd890ef8d171f13709 , < a3bece3678f6c88db1f44c602b2a63e84b4040ac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c94c7188d325bc5137d447d67a2f18f7d4f2f4a3",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "1bc3e51367c420e6db31f41efa874c7a8e12194a",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "819d647406200d0e83e56fd2df8f451b11290559",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "d9031575a2f8aabc53af3025dd79af313a2e046b",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "98d67a1bd6caddd0a8b8c82a0b925742cf500936",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "bd2393ed7712513e7e2dbcb6e21464a67ff9e702",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
},
{
"lessThan": "a3bece3678f6c88db1f44c602b2a63e84b4040ac",
"status": "affected",
"version": "015d239ac0142ad0e26567fd890ef8d171f13709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix cdev handling in the cleanup path\n\nWhen cdev_device_add fails, it internally releases the cdev memory,\nand if cdev_device_del is then executed, it will cause a hang error.\nTo fix it, we check the return value of cdev_device_add() and clear\nuacce-\u003ecdev to avoid calling cdev_device_del in the uacce_remove."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:17.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3"
},
{
"url": "https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a"
},
{
"url": "https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559"
},
{
"url": "https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b"
},
{
"url": "https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936"
},
{
"url": "https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702"
},
{
"url": "https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac"
}
],
"title": "uacce: fix cdev handling in the cleanup path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23096",
"datePublished": "2026-02-04T16:08:18.785Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-06T16:33:17.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23094 (GCVE-0-2026-23094)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
uacce: fix isolate sysfs check condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
uacce: fix isolate sysfs check condition
uacce supports the device isolation feature. If the driver
implements the isolate_err_threshold_read and
isolate_err_threshold_write callback functions, uacce will create
sysfs files now. Users can read and configure the isolation policy
through sysfs. Currently, sysfs files are created as long as either
isolate_err_threshold_read or isolate_err_threshold_write callback
functions are present.
However, accessing a non-existent callback function may cause the
system to crash. Therefore, intercept the creation of sysfs if
neither read nor write exists; create sysfs if either is supported,
but intercept unsupported operations at the call site.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 9ab05cdcac354b1b1139918f49c6418b9005d042
(git)
Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < fdbbb47d15ae17bf39fafec7e2028c1f8efba15e (git) Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 82821a681d5dcce31475a65190fc39ea8f372cc0 (git) Affected: e3e289fbc0b520cf469469e8cdba84a50424eb65 , < 98eec349259b1fd876f350b1c600403bcef8f85d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ab05cdcac354b1b1139918f49c6418b9005d042",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "fdbbb47d15ae17bf39fafec7e2028c1f8efba15e",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "82821a681d5dcce31475a65190fc39ea8f372cc0",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
},
{
"lessThan": "98eec349259b1fd876f350b1c600403bcef8f85d",
"status": "affected",
"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/uacce/uacce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix isolate sysfs check condition\n\nuacce supports the device isolation feature. If the driver\nimplements the isolate_err_threshold_read and\nisolate_err_threshold_write callback functions, uacce will create\nsysfs files now. Users can read and configure the isolation policy\nthrough sysfs. Currently, sysfs files are created as long as either\nisolate_err_threshold_read or isolate_err_threshold_write callback\nfunctions are present.\n\nHowever, accessing a non-existent callback function may cause the\nsystem to crash. Therefore, intercept the creation of sysfs if\nneither read nor write exists; create sysfs if either is supported,\nbut intercept unsupported operations at the call site."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:17.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042"
},
{
"url": "https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e"
},
{
"url": "https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0"
},
{
"url": "https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d"
}
],
"title": "uacce: fix isolate sysfs check condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23094",
"datePublished": "2026-02-04T16:08:17.061Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-02-04T16:08:17.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23095 (GCVE-0-2026-23095)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
gue: Fix skb memleak with inner IP protocol 0.
Summary
In the Linux kernel, the following vulnerability has been resolved:
gue: Fix skb memleak with inner IP protocol 0.
syzbot reported skb memleak below. [0]
The repro generated a GUE packet with its inner protocol 0.
gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
in ip_protocol_deliver_rcu(), but this only works with
non-zero protocol number.
Let's drop such packets.
Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
I think it is not practical to encap HOPOPT in GUE, so once
someone starts to complain, we could pass down a resubmit
flag pointer to distinguish two zeros from the upper layer:
* no error
* resubmit HOPOPT
[0]
BUG: memory leak
unreferenced object 0xffff888109695a00 (size 240):
comm "syz.0.17", pid 6088, jiffies 4294943096
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace (crc a84b336f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
__build_skb+0x23/0x60 net/core/skbuff.c:474
build_skb+0x20/0x190 net/core/skbuff.c:490
__tun_build_skb drivers/net/tun.c:1541 [inline]
tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0xa7/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 886f186328b718400dbf79e1bc8cbcbd710ab766
(git)
Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 380a82d36e37db49fd41ecc378c22fd29392e96a (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 536f5bbc322eb1e175bdd1ced22b236a951c4d8f (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < f87b9b7a618c82e7465e872eb10e14c803871892 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < ce569b389a5c78d64788a5ea94560e17fa574b35 (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 5437a279804ced8088cabb945dba88a26d828f8c (git) Affected: 37dd0247797b168ad1cc7f5dbec825a1ee66535b , < 9a56796ad258786d3624eef5aefba394fc9bdded (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "886f186328b718400dbf79e1bc8cbcbd710ab766",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "380a82d36e37db49fd41ecc378c22fd29392e96a",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "536f5bbc322eb1e175bdd1ced22b236a951c4d8f",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "f87b9b7a618c82e7465e872eb10e14c803871892",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "ce569b389a5c78d64788a5ea94560e17fa574b35",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "5437a279804ced8088cabb945dba88a26d828f8c",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
},
{
"lessThan": "9a56796ad258786d3624eef5aefba394fc9bdded",
"status": "affected",
"version": "37dd0247797b168ad1cc7f5dbec825a1ee66535b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fou_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet\u0027s drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n * no error\n * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n comm \"syz.0.17\", pid 6088, jiffies 4294943096\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace (crc a84b336f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n __build_skb+0x23/0x60 net/core/skbuff.c:474\n build_skb+0x20/0x190 net/core/skbuff.c:490\n __tun_build_skb drivers/net/tun.c:1541 [inline]\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0xa7/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:16.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766"
},
{
"url": "https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a"
},
{
"url": "https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f"
},
{
"url": "https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892"
},
{
"url": "https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35"
},
{
"url": "https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c"
},
{
"url": "https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded"
}
],
"title": "gue: Fix skb memleak with inner IP protocol 0.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23095",
"datePublished": "2026-02-04T16:08:17.990Z",
"dateReserved": "2026-01-13T15:37:45.963Z",
"dateUpdated": "2026-02-06T16:33:16.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23093 (GCVE-0-2026-23093)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
ksmbd: smbd: fix dma_unmap_sg() nents
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: smbd: fix dma_unmap_sg() nents
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6ececffd3e9fe93a87738625dc0671165d27bf96 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 4d1e9a4a450aae47277763562122cc80ed703ab2 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 70ba85e439221a5d6dda34a3004db6640f0525e6 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < d1943bc9dc9508f5933788a76f8a35d10e43a646 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 98e3e2b561bc88f4dd218d1c05890672874692f6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "6ececffd3e9fe93a87738625dc0671165d27bf96",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4d1e9a4a450aae47277763562122cc80ed703ab2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "70ba85e439221a5d6dda34a3004db6640f0525e6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "d1943bc9dc9508f5933788a76f8a35d10e43a646",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98e3e2b561bc88f4dd218d1c05890672874692f6",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbd: fix dma_unmap_sg() nents\n\nThe dma_unmap_sg() functions should be called with the same nents as the\ndma_map_sg(), not the value the map function returned."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:14.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec"
},
{
"url": "https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96"
},
{
"url": "https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2"
},
{
"url": "https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6"
},
{
"url": "https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646"
},
{
"url": "https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6"
}
],
"title": "ksmbd: smbd: fix dma_unmap_sg() nents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23093",
"datePublished": "2026-02-04T16:08:16.159Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-06T16:33:14.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23092 (GCVE-0-2026-23092)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
When simple_write_to_buffer() succeeds, it returns the number of bytes
actually copied to the buffer. The code incorrectly uses 'count'
as the index for null termination instead of the actual bytes copied.
If count exceeds the buffer size, this leads to out-of-bounds write.
Add a check for the count and use the return value as the index.
The bug was validated using a demo module that mirrors the original
code and was tested under QEMU.
Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an
- out-of-bounds write on the stack.
Steps for reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.
Found via static analysis. This is similar to the
commit da9374819eb3 ("iio: backend: fix out-of-bound write")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/dac/ad3552r-hs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db16e7c52032c79156930a337ee17232931794ba",
"status": "affected",
"version": "b1c5d68ea66e511dfb16cd0e6a730488bd3c3317",
"versionType": "git"
},
{
"lessThan": "978d28136c53df38f8f0b747191930e2f95e9084",
"status": "affected",
"version": "b1c5d68ea66e511dfb16cd0e6a730488bd3c3317",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/dac/ad3552r-hs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source\n\nWhen simple_write_to_buffer() succeeds, it returns the number of bytes\nactually copied to the buffer. The code incorrectly uses \u0027count\u0027\nas the index for null termination instead of the actual bytes copied.\nIf count exceeds the buffer size, this leads to out-of-bounds write.\nAdd a check for the count and use the return value as the index.\n\nThe bug was validated using a demo module that mirrors the original\ncode and was tested under QEMU.\n\nPattern of the bug:\n- A fixed 64-byte stack buffer is filled using count.\n- If count \u003e 64, the code still does buf[count] = \u0027\\0\u0027, causing an\n- out-of-bounds write on the stack.\n\nSteps for reproduce:\n- Opens the device node.\n- Writes 128 bytes of A to it.\n- This overflows the 64-byte stack buffer and KASAN reports the OOB.\n\nFound via static analysis. This is similar to the\ncommit da9374819eb3 (\"iio: backend: fix out-of-bound write\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:15.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba"
},
{
"url": "https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084"
}
],
"title": "iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23092",
"datePublished": "2026-02-04T16:08:15.203Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-04T16:08:15.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23091 (GCVE-0-2026-23091)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
intel_th: fix device leak on output open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
intel_th: fix device leak on output open()
Make sure to drop the reference taken when looking up the th device
during output device open() on errors and on close().
Note that a recent commit fixed the leak in a couple of open() error
paths but not all of them, and the reference is still leaking on
successful open().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
39f4034693b7c7bd1fe4cb58c93259d600f55561 , < af4b9467296b9a16ebc008147238070236982b6d
(git)
Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 64015cbf06e8bb75b81ae95b997e847b55280f7f (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < b71e64ef7ff9443835d1333e3e80ab1e49e5209f (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < bf7785434b5d05d940d936b78925080950bd54dd (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 0fca16c5591534cc1fec8b6181277ee3a3d0f26c (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < f9b059bda4276f2bb72cb98ec7875a747f042ea2 (git) Affected: 39f4034693b7c7bd1fe4cb58c93259d600f55561 , < 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af4b9467296b9a16ebc008147238070236982b6d",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "64015cbf06e8bb75b81ae95b997e847b55280f7f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "b71e64ef7ff9443835d1333e3e80ab1e49e5209f",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "bf7785434b5d05d940d936b78925080950bd54dd",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "0fca16c5591534cc1fec8b6181277ee3a3d0f26c",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "f9b059bda4276f2bb72cb98ec7875a747f042ea2",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
},
{
"lessThan": "95fc36a234da24bbc5f476f8104a5a15f99ed3e3",
"status": "affected",
"version": "39f4034693b7c7bd1fe4cb58c93259d600f55561",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/intel_th/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: fix device leak on output open()\n\nMake sure to drop the reference taken when looking up the th device\nduring output device open() on errors and on close().\n\nNote that a recent commit fixed the leak in a couple of open() error\npaths but not all of them, and the reference is still leaking on\nsuccessful open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:13.220Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d"
},
{
"url": "https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f"
},
{
"url": "https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f"
},
{
"url": "https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd"
},
{
"url": "https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c"
},
{
"url": "https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2"
},
{
"url": "https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3"
}
],
"title": "intel_th: fix device leak on output open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23091",
"datePublished": "2026-02-04T16:08:14.295Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-06T16:33:13.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23090 (GCVE-0-2026-23090)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
slimbus: core: fix device reference leak on report present
Summary
In the Linux kernel, the following vulnerability has been resolved:
slimbus: core: fix device reference leak on report present
Slimbus devices can be allocated dynamically upon reception of
report-present messages.
Make sure to drop the reference taken when looking up already registered
devices.
Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < b1217e40705b2f6d311c197b12866752656217ff
(git)
Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 948615429c9f2ac9d25d4e1f1a4472926b217a9a (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 02b78bbfbafe49832e508079148cb87cdfa55825 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 6602bb4d1338e92b5838e50322b87697bdbd2ee0 (git) Affected: 46a2bb5a7f7ea2728be50f8f5b29a20267f700fe , < 9391380eb91ea5ac792aae9273535c8da5b9aa01 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1217e40705b2f6d311c197b12866752656217ff",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "948615429c9f2ac9d25d4e1f1a4472926b217a9a",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "02b78bbfbafe49832e508079148cb87cdfa55825",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "6602bb4d1338e92b5838e50322b87697bdbd2ee0",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
},
{
"lessThan": "9391380eb91ea5ac792aae9273535c8da5b9aa01",
"status": "affected",
"version": "46a2bb5a7f7ea2728be50f8f5b29a20267f700fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/slimbus/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: core: fix device reference leak on report present\n\nSlimbus devices can be allocated dynamically upon reception of\nreport-present messages.\n\nMake sure to drop the reference taken when looking up already registered\ndevices.\n\nNote that this requires taking an extra reference in case the device has\nnot yet been registered and has to be allocated."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:11.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff"
},
{
"url": "https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a"
},
{
"url": "https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825"
},
{
"url": "https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6"
},
{
"url": "https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9"
},
{
"url": "https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0"
},
{
"url": "https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01"
}
],
"title": "slimbus: core: fix device reference leak on report present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23090",
"datePublished": "2026-02-04T16:08:13.438Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-06T16:33:11.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23089 (GCVE-0-2026-23089)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
mixer->id_elems but the controls already added to the card still
reference the freed memory. Later when snd_card_register() runs,
the OSS mixer layer calls their callbacks and hits a use-after-free read.
Call trace:
get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
...
snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
Fix by calling snd_ctl_remove() for all mixer controls before freeing
id_elems. We save the next pointer first because snd_ctl_remove()
frees the current element.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 51b1aa6fe7dc87356ba58df06afb9677c9b841ea
(git)
Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 56fb6efd5d04caf6f14994d51ec85393b9a896c6 (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 7009daeefa945973a530b2f605fe445fc03747af (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 7bff0156d13f0ad9436e5178b979b063d59f572a (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < e6f103a22b08daf5df2f4aa158081840e5910963 (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < dc1a5dd80af1ee1f29d8375b12dd7625f6294dad (git) Affected: 6639b6c2367f884ca172b78d69f7da17bfab2e5e , < 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51b1aa6fe7dc87356ba58df06afb9677c9b841ea",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "56fb6efd5d04caf6f14994d51ec85393b9a896c6",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7009daeefa945973a530b2f605fe445fc03747af",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "7bff0156d13f0ad9436e5178b979b063d59f572a",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "e6f103a22b08daf5df2f4aa158081840e5910963",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "dc1a5dd80af1ee1f29d8375b12dd7625f6294dad",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
},
{
"lessThan": "930e69757b74c3ae083b0c3c7419bfe7f0edc7b2",
"status": "affected",
"version": "6639b6c2367f884ca172b78d69f7da17bfab2e5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()\n\nWhen snd_usb_create_mixer() fails, snd_usb_mixer_free() frees\nmixer-\u003eid_elems but the controls already added to the card still\nreference the freed memory. Later when snd_card_register() runs,\nthe OSS mixer layer calls their callbacks and hits a use-after-free read.\n\nCall trace:\n get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411\n get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241\n mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381\n snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887\n ...\n snd_card_register+0x4ed/0x6d0 sound/core/init.c:923\n usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025\n\nFix by calling snd_ctl_remove() for all mixer controls before freeing\nid_elems. We save the next pointer first because snd_ctl_remove()\nfrees the current element."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:10.273Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea"
},
{
"url": "https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6"
},
{
"url": "https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af"
},
{
"url": "https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a"
},
{
"url": "https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963"
},
{
"url": "https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad"
},
{
"url": "https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2"
}
],
"title": "ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23089",
"datePublished": "2026-02-04T16:08:12.575Z",
"dateReserved": "2026-01-13T15:37:45.962Z",
"dateUpdated": "2026-02-06T16:33:10.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23088 (GCVE-0-2026-23088)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
tracing: Fix crash on synthetic stacktrace field usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix crash on synthetic stacktrace field usage
When creating a synthetic event based on an existing synthetic event that
had a stacktrace field and the new synthetic event used that field a
kernel crash occurred:
~# cd /sys/kernel/tracing
~# echo 's:stack unsigned long stack[];' > dynamic_events
~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger
~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger
The above creates a synthetic event that takes a stacktrace when a task
schedules out in a non-running state and passes that stacktrace to the
sched_switch event when that task schedules back in. It triggers the
"stack" synthetic event that has a stacktrace as its field (called "stack").
~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events
~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger
~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger
The above makes another synthetic event called "syscall_stack" that
attaches the first synthetic event (stack) to the sys_exit trace event and
records the stacktrace from the stack event with the id of the system call
that is exiting.
When enabling this event (or using it in a historgram):
~# echo 1 > events/synthetic/syscall_stack/enable
Produces a kernel crash!
BUG: unable to handle page fault for address: 0000000000400010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:trace_event_raw_event_synth+0x90/0x380
Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f
RSP: 0018:ffffd2670388f958 EFLAGS: 00010202
RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0
RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50
R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010
R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90
FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0
Call Trace:
<TASK>
? __tracing_map_insert+0x208/0x3a0
action_trace+0x67/0x70
event_hist_trigger+0x633/0x6d0
event_triggers_call+0x82/0x130
trace_event_buffer_commit+0x19d/0x250
trace_event_raw_event_sys_exit+0x62/0xb0
syscall_exit_work+0x9d/0x140
do_syscall_64+0x20a/0x2f0
? trace_event_raw_event_sched_switch+0x12b/0x170
? save_fpregs_to_fpstate+0x3e/0x90
? _raw_spin_unlock+0xe/0x30
? finish_task_switch.isra.0+0x97/0x2c0
? __rseq_handle_notify_resume+0xad/0x4c0
? __schedule+0x4b8/0xd00
? restore_fpregs_from_fpstate+0x3c/0x90
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x1ef/0x2f0
? do_fault+0x2e9/0x540
? __handle_mm_fault+0x7d1/0xf70
? count_memcg_events+0x167/0x1d0
? handle_mm_fault+0x1d7/0x2e0
? do_user_addr_fault+0x2c3/0x7f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The reason is that the stacktrace field is not labeled as such, and is
treated as a normal field and not as a dynamic event that it is.
In trace_event_raw_event_synth() the event is field is still treated as a
dynamic array, but the retrieval of the data is considered a normal field,
and the reference is just the meta data:
// Meta data is retrieved instead of a dynamic array
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00cf3d672a9dd409418647e9f98784c339c3ff63 , < 98ecbfb2598c9c7ca755a29f402da9d36c057077
(git)
Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 327af07dff6ab5650b21491eb4f69694999ff3d1 (git) Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 3b90d099efa2b67239bd3b3dc3521ec584261748 (git) Affected: 00cf3d672a9dd409418647e9f98784c339c3ff63 , < 90f9f5d64cae4e72defd96a2a22760173cb3c9ec (git) Affected: b9453380c1c542fd095a4dbe9251eeba4022bbce (git) Affected: 5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55 (git) Affected: f3baa42afeea0d5f04ad31525e861199d02210cc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c",
"kernel/trace/trace_events_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98ecbfb2598c9c7ca755a29f402da9d36c057077",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "327af07dff6ab5650b21491eb4f69694999ff3d1",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "3b90d099efa2b67239bd3b3dc3521ec584261748",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"lessThan": "90f9f5d64cae4e72defd96a2a22760173cb3c9ec",
"status": "affected",
"version": "00cf3d672a9dd409418647e9f98784c339c3ff63",
"versionType": "git"
},
{
"status": "affected",
"version": "b9453380c1c542fd095a4dbe9251eeba4022bbce",
"versionType": "git"
},
{
"status": "affected",
"version": "5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55",
"versionType": "git"
},
{
"status": "affected",
"version": "f3baa42afeea0d5f04ad31525e861199d02210cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c",
"kernel/trace/trace_events_synth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix crash on synthetic stacktrace field usage\n\nWhen creating a synthetic event based on an existing synthetic event that\nhad a stacktrace field and the new synthetic event used that field a\nkernel crash occurred:\n\n ~# cd /sys/kernel/tracing\n ~# echo \u0027s:stack unsigned long stack[];\u0027 \u003e dynamic_events\n ~# echo \u0027hist:keys=prev_pid:s0=common_stacktrace if prev_state \u0026 3\u0027 \u003e\u003e events/sched/sched_switch/trigger\n ~# echo \u0027hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)\u0027 \u003e\u003e events/sched/sched_switch/trigger\n\nThe above creates a synthetic event that takes a stacktrace when a task\nschedules out in a non-running state and passes that stacktrace to the\nsched_switch event when that task schedules back in. It triggers the\n\"stack\" synthetic event that has a stacktrace as its field (called \"stack\").\n\n ~# echo \u0027s:syscall_stack s64 id; unsigned long stack[];\u0027 \u003e\u003e dynamic_events\n ~# echo \u0027hist:keys=common_pid:s2=stack\u0027 \u003e\u003e events/synthetic/stack/trigger\n ~# echo \u0027hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)\u0027 \u003e\u003e events/raw_syscalls/sys_exit/trigger\n\nThe above makes another synthetic event called \"syscall_stack\" that\nattaches the first synthetic event (stack) to the sys_exit trace event and\nrecords the stacktrace from the stack event with the id of the system call\nthat is exiting.\n\nWhen enabling this event (or using it in a historgram):\n\n ~# echo 1 \u003e events/synthetic/syscall_stack/enable\n\nProduces a kernel crash!\n\n BUG: unable to handle page fault for address: 0000000000400010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:trace_event_raw_event_synth+0x90/0x380\n Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 \u003c49\u003e 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f\n RSP: 0018:ffffd2670388f958 EFLAGS: 00010202\n RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0\n RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50\n R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010\n R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90\n FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n ? __tracing_map_insert+0x208/0x3a0\n action_trace+0x67/0x70\n event_hist_trigger+0x633/0x6d0\n event_triggers_call+0x82/0x130\n trace_event_buffer_commit+0x19d/0x250\n trace_event_raw_event_sys_exit+0x62/0xb0\n syscall_exit_work+0x9d/0x140\n do_syscall_64+0x20a/0x2f0\n ? trace_event_raw_event_sched_switch+0x12b/0x170\n ? save_fpregs_to_fpstate+0x3e/0x90\n ? _raw_spin_unlock+0xe/0x30\n ? finish_task_switch.isra.0+0x97/0x2c0\n ? __rseq_handle_notify_resume+0xad/0x4c0\n ? __schedule+0x4b8/0xd00\n ? restore_fpregs_from_fpstate+0x3c/0x90\n ? switch_fpu_return+0x5b/0xe0\n ? do_syscall_64+0x1ef/0x2f0\n ? do_fault+0x2e9/0x540\n ? __handle_mm_fault+0x7d1/0xf70\n ? count_memcg_events+0x167/0x1d0\n ? handle_mm_fault+0x1d7/0x2e0\n ? do_user_addr_fault+0x2c3/0x7f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reason is that the stacktrace field is not labeled as such, and is\ntreated as a normal field and not as a dynamic event that it is.\n\nIn trace_event_raw_event_synth() the event is field is still treated as a\ndynamic array, but the retrieval of the data is considered a normal field,\nand the reference is just the meta data:\n\n// Meta data is retrieved instead of a dynamic array\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:11.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077"
},
{
"url": "https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1"
},
{
"url": "https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748"
},
{
"url": "https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec"
}
],
"title": "tracing: Fix crash on synthetic stacktrace field usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23088",
"datePublished": "2026-02-04T16:08:11.717Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-04T16:08:11.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23087 (GCVE-0-2026-23087)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Memory allocated for struct vscsiblk_info in scsiback_probe() is not
freed in scsiback_remove() leading to potential memory leaks on remove,
as well as in the scsiback_probe() error paths. Fix that by freeing it
in scsiback_remove().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d9d660f6e562a47b4065eeb7e538910b0471b988 , < a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9
(git)
Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 427b0fb30ddec3bad05dcd73b00718f98c7026d2 (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 4a975c72429b050c234405668b742cdecc11548e (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < f86264ec0e2b102fcd49bf3e4f32fee669d482fc (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 32e52b56056daf0f0881fd9254706acf25b4be97 (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 24c441f0e24da175d7912095663f526ac480dc4f (git) Affected: d9d660f6e562a47b4065eeb7e538910b0471b988 , < 901a5f309daba412e2a30364d7ec1492fa11c32c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "427b0fb30ddec3bad05dcd73b00718f98c7026d2",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "4a975c72429b050c234405668b742cdecc11548e",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "f86264ec0e2b102fcd49bf3e4f32fee669d482fc",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "32e52b56056daf0f0881fd9254706acf25b4be97",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "24c441f0e24da175d7912095663f526ac480dc4f",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
},
{
"lessThan": "901a5f309daba412e2a30364d7ec1492fa11c32c",
"status": "affected",
"version": "d9d660f6e562a47b4065eeb7e538910b0471b988",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/xen-scsiback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: xen: scsiback: Fix potential memory leak in scsiback_remove()\n\nMemory allocated for struct vscsiblk_info in scsiback_probe() is not\nfreed in scsiback_remove() leading to potential memory leaks on remove,\nas well as in the scsiback_probe() error paths. Fix that by freeing it\nin scsiback_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:08.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9"
},
{
"url": "https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2"
},
{
"url": "https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e"
},
{
"url": "https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc"
},
{
"url": "https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97"
},
{
"url": "https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f"
},
{
"url": "https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c"
}
],
"title": "scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23087",
"datePublished": "2026-02-04T16:08:10.941Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-06T16:33:08.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23086 (GCVE-0-2026-23086)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
vsock/virtio: cap TX credit to local buffer size
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: cap TX credit to local buffer size
The virtio transports derives its TX credit directly from peer_buf_alloc,
which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.
On the host side this means that the amount of data we are willing to
queue for a connection is scaled by a guest-chosen buffer size, rather
than the host's own vsock configuration. A malicious guest can advertise
a large buffer and read slowly, causing the host to allocate a
correspondingly large amount of sk_buff memory.
The same thing would happen in the guest with a malicious host, since
virtio transports share the same code base.
Introduce a small helper, virtio_transport_tx_buf_size(), that
returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume
peer_buf_alloc.
This ensures the effective TX window is bounded by both the peer's
advertised buffer and our own buf_alloc (already clamped to
buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer
cannot force the other to queue more data than allowed by its own
vsock settings.
On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with
32 guest vsock connections advertising 2 GiB each and reading slowly
drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only
recovered after killing the QEMU process. That said, if QEMU memory is
limited with cgroups, the maximum memory used will be limited.
With this patch applied:
Before:
MemFree: ~61.6 GiB
Slab: ~142 MiB
SUnreclaim: ~117 MiB
After 32 high-credit connections:
MemFree: ~61.5 GiB
Slab: ~178 MiB
SUnreclaim: ~152 MiB
Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest
remains responsive.
Compatibility with non-virtio transports:
- VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per
socket based on the local vsk->buffer_* values; the remote side
cannot enlarge those queues beyond what the local endpoint
configured.
- Hyper-V's vsock transport uses fixed-size VMBus ring buffers and
an MTU bound; there is no peer-controlled credit field comparable
to peer_buf_alloc, and the remote endpoint cannot drive in-flight
kernel memory above those ring sizes.
- The loopback path reuses virtio_transport_common.c, so it
naturally follows the same semantics as the virtio transport.
This change is limited to virtio_transport_common.c and thus affects
virtio-vsock, vhost-vsock, and loopback, bringing them in line with the
"remote window intersected with local policy" behaviour that VMCI and
Hyper-V already effectively have.
[Stefano: small adjustments after changing the previous patch]
[Stefano: tweak the commit message]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
06a8fc78367d070720af960dcecec917d3ae5f3b , < fef7110ae5617555c792a2bb4d27878d84583adf
(git)
Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < d9d5f222558b42f6277eafaaa6080966faf37676 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 84ef86aa7120449828d1e0ce438c499014839711 (git) Affected: 06a8fc78367d070720af960dcecec917d3ae5f3b , < 8ee784fdf006cbe8739cfa093f54d326cbf54037 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fef7110ae5617555c792a2bb4d27878d84583adf",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "d9d5f222558b42f6277eafaaa6080966faf37676",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "84ef86aa7120449828d1e0ce438c499014839711",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
},
{
"lessThan": "8ee784fdf006cbe8739cfa093f54d326cbf54037",
"status": "affected",
"version": "06a8fc78367d070720af960dcecec917d3ae5f3b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/virtio_transport_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint\u0027s SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host\u0027s own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer\u0027s\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n Before:\n MemFree: ~61.6 GiB\n Slab: ~142 MiB\n SUnreclaim: ~117 MiB\n\n After 32 high-credit connections:\n MemFree: ~61.5 GiB\n Slab: ~178 MiB\n SUnreclaim: ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n socket based on the local vsk-\u003ebuffer_* values; the remote side\n cannot enlarge those queues beyond what the local endpoint\n configured.\n\n - Hyper-V\u0027s vsock transport uses fixed-size VMBus ring buffers and\n an MTU bound; there is no peer-controlled credit field comparable\n to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n kernel memory above those ring sizes.\n\n - The loopback path reuses virtio_transport_common.c, so it\n naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:07.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf"
},
{
"url": "https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676"
},
{
"url": "https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce"
},
{
"url": "https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711"
},
{
"url": "https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037"
}
],
"title": "vsock/virtio: cap TX credit to local buffer size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23086",
"datePublished": "2026-02-04T16:08:10.047Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-06T16:33:07.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23085 (GCVE-0-2026-23085)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
irqchip/gic-v3-its: Avoid truncating memory addresses
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Avoid truncating memory addresses
On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
allocations to be backed by addresses physical memory above the 32-bit
address limit, as found while experimenting with larger VMSPLIT
configurations.
This caused the qemu virt model to crash in the GICv3 driver, which
allocates the 'itt' object using GFP_KERNEL. Since all memory below
the 4GB physical address limit is in ZONE_DMA in this configuration,
kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
ITS driver stores the physical address in a 32-bit 'unsigned long'
variable.
Change the itt_addr variable to the correct phys_addr_t type instead,
along with all other variables in this driver that hold a physical
address.
The gicv5 driver correctly uses u64 variables, while all other irqchip
drivers don't call virt_to_phys or similar interfaces. It's expected that
other device drivers have similar issues, but fixing this one is
sufficient for booting a virtio based guest.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e332b3b69e5b3acf07204a4b185071bab15c2b88
(git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e2f9c751f73a2d5bb62d94ab030aec118a811f27 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 85215d633983233809f7d4dad163b953331b8238 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 1b323391560354d8c515de8658b057a1daa82adb (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 084ba3b99f2dfd991ce7e84fb17117319ec3cd9f (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 (git) Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 8d76a7d89c12d08382b66e2f21f20d0627d14859 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e332b3b69e5b3acf07204a4b185071bab15c2b88",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "e2f9c751f73a2d5bb62d94ab030aec118a811f27",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "85215d633983233809f7d4dad163b953331b8238",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "1b323391560354d8c515de8658b057a1daa82adb",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "084ba3b99f2dfd991ce7e84fb17117319ec3cd9f",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
},
{
"lessThan": "8d76a7d89c12d08382b66e2f21f20d0627d14859",
"status": "affected",
"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the \u0027itt\u0027 object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit \u0027unsigned long\u0027\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don\u0027t call virt_to_phys or similar interfaces. It\u0027s expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:05.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"
},
{
"url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"
},
{
"url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"
},
{
"url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"
},
{
"url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"
},
{
"url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"
},
{
"url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"
}
],
"title": "irqchip/gic-v3-its: Avoid truncating memory addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23085",
"datePublished": "2026-02-04T16:08:09.368Z",
"dateReserved": "2026-01-13T15:37:45.961Z",
"dateUpdated": "2026-02-06T16:33:05.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23084 (GCVE-0-2026-23084)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is
set to false, the driver may request the PMAC_ID from the firmware of the
network card, and this function will store that PMAC_ID at the provided
address pmac_id. This is the contract of this function.
However, there is a location within the driver where both
pmac_id_valid == false and pmac_id == NULL are being passed. This could
result in dereferencing a NULL pointer.
To resolve this issue, it is necessary to pass the address of a stub
variable to the function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95046b927a54f461766f83a212c6a93bc5fd2e67 , < 4cba480c9b9a3861a515262225cb53a1f5978344
(git)
Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 92c6dc181a18e6e0ddb872ed35cb48a9274829e4 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 6c3e00888dbec887125a08b51a705b9b163fcdd1 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < e206fb415db36bad52bb90c08d46ce71ffbe8a80 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 47ffb4dcffe336f4a7bd0f3284be7aadc6484698 (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 31410a01a86bcb98c798d01061abf1f789c4f75a (git) Affected: 95046b927a54f461766f83a212c6a93bc5fd2e67 , < 8215794403d264739cc676668087512950b2ff31 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4cba480c9b9a3861a515262225cb53a1f5978344",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "92c6dc181a18e6e0ddb872ed35cb48a9274829e4",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "6c3e00888dbec887125a08b51a705b9b163fcdd1",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "e206fb415db36bad52bb90c08d46ce71ffbe8a80",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "47ffb4dcffe336f4a7bd0f3284be7aadc6484698",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "31410a01a86bcb98c798d01061abf1f789c4f75a",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
},
{
"lessThan": "8215794403d264739cc676668087512950b2ff31",
"status": "affected",
"version": "95046b927a54f461766f83a212c6a93bc5fd2e67",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:04.297Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344"
},
{
"url": "https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4"
},
{
"url": "https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1"
},
{
"url": "https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80"
},
{
"url": "https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698"
},
{
"url": "https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a"
},
{
"url": "https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31"
}
],
"title": "be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23084",
"datePublished": "2026-02-04T16:08:08.456Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-06T16:33:04.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23083 (GCVE-0-2026-23083)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
Summary
In the Linux kernel, the following vulnerability has been resolved:
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
fou_udp_recv() has the same problem mentioned in the previous
patch.
If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
Let's forbid 0 for FOU_ATTR_IPPROTO.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
23461551c00628c3f3fe9cf837bf53cf8f212b63 , < c7498f9bc390479ccfad7c7f2332237ff4945b03
(git)
Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 6e983789b7588ee59cbf303583546c043bad8e19 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 1cc98b8887cabb1808d2f4a37cd10a7be7574771 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < b7db31a52c3862a1a32202a273a4c32e7f5f4823 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 9b75dff8446ec871030d8daf5a69e74f5fe8b956 (git) Affected: 23461551c00628c3f3fe9cf837bf53cf8f212b63 , < 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7498f9bc390479ccfad7c7f2332237ff4945b03",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "6e983789b7588ee59cbf303583546c043bad8e19",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "1cc98b8887cabb1808d2f4a37cd10a7be7574771",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "b7db31a52c3862a1a32202a273a4c32e7f5f4823",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "9b75dff8446ec871030d8daf5a69e74f5fe8b956",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
},
{
"lessThan": "7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5",
"status": "affected",
"version": "23461551c00628c3f3fe9cf837bf53cf8f212b63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/netlink/specs/fou.yaml",
"net/ipv4/fou_nl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.\n\nfou_udp_recv() has the same problem mentioned in the previous\npatch.\n\nIf FOU_ATTR_IPPROTO is set to 0, skb is not freed by\nfou_udp_recv() nor \"resubmit\"-ted in ip_protocol_deliver_rcu().\n\nLet\u0027s forbid 0 for FOU_ATTR_IPPROTO."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:02.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03"
},
{
"url": "https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea"
},
{
"url": "https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19"
},
{
"url": "https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771"
},
{
"url": "https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823"
},
{
"url": "https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956"
},
{
"url": "https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5"
}
],
"title": "fou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23083",
"datePublished": "2026-02-04T16:08:07.561Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-06T16:33:02.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23082 (GCVE-0-2026-23082)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:32
VLAI?
Title
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
URB memory leak"), the URB was re-anchored before usb_submit_urb() in
gs_usb_receive_bulk_callback() to prevent a leak of this URB during
cleanup.
However, this patch did not take into account that usb_submit_urb() could
fail. The URB remains anchored and
usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
infinitely since the anchor list never becomes empty.
To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
also print an info message.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec5ccc2af9e5b045671f3f604b57512feda8bcc5 , < aa8a8866c533a150be4763bcb27993603bd5426c
(git)
Affected: f905bcfa971edb89e398c98957838d8c6381c0c7 , < ce4352057fc5a986c76ece90801b9755e7c6e56c (git) Affected: 08624b7206ddb9148eeffc2384ebda2c47b6d1e9 , < c610b550ccc0438d456dfe1df9f4f36254ccaae3 (git) Affected: 9f669a38ca70839229b7ba0f851820850a2fe1f7 , < c3edc14da81a8d8398682f6e4ab819f09f37c0b7 (git) Affected: 7352e1d5932a0e777e39fa4b619801191f57e603 , < 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa8a8866c533a150be4763bcb27993603bd5426c",
"status": "affected",
"version": "ec5ccc2af9e5b045671f3f604b57512feda8bcc5",
"versionType": "git"
},
{
"lessThan": "ce4352057fc5a986c76ece90801b9755e7c6e56c",
"status": "affected",
"version": "f905bcfa971edb89e398c98957838d8c6381c0c7",
"versionType": "git"
},
{
"lessThan": "c610b550ccc0438d456dfe1df9f4f36254ccaae3",
"status": "affected",
"version": "08624b7206ddb9148eeffc2384ebda2c47b6d1e9",
"versionType": "git"
},
{
"lessThan": "c3edc14da81a8d8398682f6e4ab819f09f37c0b7",
"status": "affected",
"version": "9f669a38ca70839229b7ba0f851820850a2fe1f7",
"versionType": "git"
},
{
"lessThan": "79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7",
"status": "affected",
"version": "7352e1d5932a0e777e39fa4b619801191f57e603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19-rc6"
},
{
"lessThan": "6.19-rc6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.12.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.18.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.19-rc6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error\n\nIn commit 7352e1d5932a (\"can: gs_usb: gs_usb_receive_bulk_callback(): fix\nURB memory leak\"), the URB was re-anchored before usb_submit_urb() in\ngs_usb_receive_bulk_callback() to prevent a leak of this URB during\ncleanup.\n\nHowever, this patch did not take into account that usb_submit_urb() could\nfail. The URB remains anchored and\nusb_kill_anchored_urbs(\u0026parent-\u003erx_submitted) in gs_can_close() loops\ninfinitely since the anchor list never becomes empty.\n\nTo fix the bug, unanchor the URB when an usb_submit_urb() error occurs,\nalso print an info message."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:32:56.412Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa8a8866c533a150be4763bcb27993603bd5426c"
},
{
"url": "https://git.kernel.org/stable/c/ce4352057fc5a986c76ece90801b9755e7c6e56c"
},
{
"url": "https://git.kernel.org/stable/c/c610b550ccc0438d456dfe1df9f4f36254ccaae3"
},
{
"url": "https://git.kernel.org/stable/c/c3edc14da81a8d8398682f6e4ab819f09f37c0b7"
},
{
"url": "https://git.kernel.org/stable/c/79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23082",
"datePublished": "2026-02-04T16:08:06.731Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-06T16:32:56.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23081 (GCVE-0-2026-23081)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-04 16:08
VLAI?
Title
net: phy: intel-xway: fix OF node refcount leakage
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: intel-xway: fix OF node refcount leakage
Automated review spotted am OF node reference count leakage when
checking if the 'leds' child node exists.
Call of_put_node() to correctly maintain the refcount.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/intel-xway.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f24dfd556401b75f78e8d9cbd94dd9f31411c3a",
"status": "affected",
"version": "1758af47b98c17da464cb45f476875150955dd48",
"versionType": "git"
},
{
"lessThan": "79912b256e14054e6ba177d7e7e631485ce23dbe",
"status": "affected",
"version": "1758af47b98c17da464cb45f476875150955dd48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/intel-xway.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: intel-xway: fix OF node refcount leakage\n\nAutomated review spotted am OF node reference count leakage when\nchecking if the \u0027leds\u0027 child node exists.\n\nCall of_put_node() to correctly maintain the refcount."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:08:05.822Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f24dfd556401b75f78e8d9cbd94dd9f31411c3a"
},
{
"url": "https://git.kernel.org/stable/c/79912b256e14054e6ba177d7e7e631485ce23dbe"
}
],
"title": "net: phy: intel-xway: fix OF node refcount leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23081",
"datePublished": "2026-02-04T16:08:05.822Z",
"dateReserved": "2026-01-13T15:37:45.960Z",
"dateUpdated": "2026-02-04T16:08:05.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}