39441 vulnerabilities found for linux_kernel by linux
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from nvd – Published: 2026-05-11 06:26 – Updated: 2026-05-20 16:08
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec(), so the decrypted output is
written back into pages that rxrpc does not exclusively own.
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) | |
| Linux | Linux | Affected: 5.3 Unaffected: 0 , < 5.3 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.29 , ≤ 6.18.* (semver) Unaffected: 7.0.6 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:08:12.294Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-05-20T16:08:12.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43475 (GCVE-0-2026-43475)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
This resolves the following splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0
---truncated---
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < cf00cb15f2515e38d3b7571bf6800b7c6ce70a84 (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < b82462af23e45e066dd56d2736ea70159a6ad647 (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < 91ab59f76d0866079420ebff1c7959fcd87a242e (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < e7919a293f9b6101e38bde0d8613daea6c9955df (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < f8db760f4f52a73a022a3d6c84c488ead952a9b5 (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < c2e73d8acd056347a70047e6be7cd98e0e811dfa (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < c7984d196476adcbd51c0ce386d7e90277198d57 (git) Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < 57297736c08233987e5d29ce6584c6ca2a831b12 (git) | |
| Linux | Linux | Affected: 4.11 Unaffected: 0 , < 4.11 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf00cb15f2515e38d3b7571bf6800b7c6ce70a84",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "b82462af23e45e066dd56d2736ea70159a6ad647",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "91ab59f76d0866079420ebff1c7959fcd87a242e",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "e7919a293f9b6101e38bde0d8613daea6c9955df",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "f8db760f4f52a73a022a3d6c84c488ead952a9b5",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "c2e73d8acd056347a70047e6be7cd98e0e811dfa",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "c7984d196476adcbd51c0ce386d7e90277198d57",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "57297736c08233987e5d29ce6584c6ca2a831b12",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix scheduling while atomic on PREEMPT_RT\n\nThis resolves the follow splat and lock-up when running with PREEMPT_RT\nenabled on Hyper-V:\n\n[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002\n[ 415.140822] INFO: lockdep is turned off.\n[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common\n[ 415.140846] Preemption disabled at:\n[ 415.140847] [\u003cffffffffc0656171\u003e] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}\n[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024\n[ 415.140857] Call Trace:\n[ 415.140861] \u003cTASK\u003e\n[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140863] dump_stack_lvl+0x91/0xb0\n[ 415.140870] __schedule_bug+0x9c/0xc0\n[ 415.140875] __schedule+0xdf6/0x1300\n[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980\n[ 415.140879] ? 
rcu_is_watching+0x12/0x60\n[ 415.140883] schedule_rtlock+0x21/0x40\n[ 415.140885] rtlock_slowlock_locked+0x502/0x1980\n[ 415.140891] rt_spin_lock+0x89/0x1e0\n[ 415.140893] hv_ringbuffer_write+0x87/0x2a0\n[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0\n[ 415.140900] ? rcu_is_watching+0x12/0x60\n[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]\n[ 415.140904] ? HARDIRQ_verbose+0x10/0x10\n[ 415.140908] ? __rq_qos_issue+0x28/0x40\n[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]\n[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0\n[ 415.140928] blk_mq_issue_direct+0x87/0x2b0\n[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440\n[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0\n[ 415.140935] __blk_flush_plug+0xf4/0x150\n[ 415.140940] __submit_bio+0x2b2/0x5c0\n[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]\n[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]\n[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]\n[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]\n[ 415.141060] generic_perform_write+0x14e/0x2c0\n[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]\n[ 415.141083] vfs_write+0x2ca/0x570\n[ 415.141087] ksys_write+0x76/0xf0\n[ 415.141089] do_syscall_64+0x99/0x1490\n[ 415.141093] ? rcu_is_watching+0x12/0x60\n[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0\n[ 415.141097] ? rcu_is_watching+0x12/0x60\n[ 415.141098] ? lock_release+0x1f0/0x2a0\n[ 415.141100] ? rcu_is_watching+0x12/0x60\n[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0\n[ 415.141103] ? rcu_is_watching+0x12/0x60\n[ 415.141104] ? __schedule+0xb34/0x1300\n[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170\n[ 415.141109] ? do_nanosleep+0x8b/0x160\n[ 415.141111] ? hrtimer_nanosleep+0x89/0x100\n[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10\n[ 415.141116] ? xfd_validate_state+0x26/0x90\n[ 415.141118] ? rcu_is_watching+0x12/0x60\n[ 415.141120] ? 
do_syscall_64+0x1e0/0x1490\n[ 415.141121] ? do_syscall_64+0x1e0/0x1490\n[ 415.141123] ? rcu_is_watching+0x12/0x60\n[ 415.141124] ? do_syscall_64+0x1e0/0x1490\n[ 415.141125] ? do_syscall_64+0x1e0/0x1490\n[ 415.141127] ? irqentry_exit+0x140/0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:19.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf00cb15f2515e38d3b7571bf6800b7c6ce70a84"
},
{
"url": "https://git.kernel.org/stable/c/b82462af23e45e066dd56d2736ea70159a6ad647"
},
{
"url": "https://git.kernel.org/stable/c/91ab59f76d0866079420ebff1c7959fcd87a242e"
},
{
"url": "https://git.kernel.org/stable/c/e7919a293f9b6101e38bde0d8613daea6c9955df"
},
{
"url": "https://git.kernel.org/stable/c/f8db760f4f52a73a022a3d6c84c488ead952a9b5"
},
{
"url": "https://git.kernel.org/stable/c/c2e73d8acd056347a70047e6be7cd98e0e811dfa"
},
{
"url": "https://git.kernel.org/stable/c/c7984d196476adcbd51c0ce386d7e90277198d57"
},
{
"url": "https://git.kernel.org/stable/c/57297736c08233987e5d29ce6584c6ca2a831b12"
}
],
"title": "scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43475",
"datePublished": "2026-05-08T14:22:33.553Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:19.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43474 (GCVE-0-2026-43474)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
fs: init flags_valid before calling vfs_fileattr_get
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: init flags_valid before calling vfs_fileattr_get
syzbot reported an uninit-value bug in [1].
Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.
[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
vfs_fileattr_get fs/file_attr.c:94 [inline]
__do_sys_file_getattr fs/file_attr.c:416 [inline]
Local variable fa.i created at:
__do_sys_file_getattr fs/file_attr.c:380 [inline]
__se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < 379e19e820dd1c6145426b97467728b3b89c0b42 (git) Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < b8c182b2c8c44c6016b11d8af61715ad7ef958a1 (git) Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < cb184dd19154fc486fa3d9e02afe70a97e54e055 (git) | |
| Linux | Linux | Affected: 6.17 Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "379e19e820dd1c6145426b97467728b3b89c0b42",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "b8c182b2c8c44c6016b11d8af61715ad7ef958a1",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "cb184dd19154fc486fa3d9e02afe70a97e54e055",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: init flags_valid before calling vfs_fileattr_get\n\nsyzbot reported a uninit-value bug in [1].\n\nSimilar to the \"*get\" context where the kernel\u0027s internal file_kattr\nstructure is initialized before calling vfs_fileattr_get(), we should\nuse the same mechanism when using fa.\n\n[1]\nBUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n vfs_fileattr_get fs/file_attr.c:94 [inline]\n __do_sys_file_getattr fs/file_attr.c:416 [inline]\n\nLocal variable fa.i created at:\n __do_sys_file_getattr fs/file_attr.c:380 [inline]\n __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:18.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42"
},
{
"url": "https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1"
},
{
"url": "https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055"
}
],
"title": "fs: init flags_valid before calling vfs_fileattr_get",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43474",
"datePublished": "2026-05-08T14:22:32.871Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:18.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43473 (GCVE-0-2026-43473)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but then attempted to memset the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 7df0296ad4e9253d12c6dbe7f120044dddc95600 (git) Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 7da755e0d02e9ca035065127e108d1fed8950dc8 (git) Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 78d3f201f8b609928eade53cf03a52df5415aaf7 (git) Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < e978a36f332ede78eb4de037b517db16265d420d (git) Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 220d7ca70611a73d50ef8e9edac630ed1ececb7c (git) Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < fa96392ebebc8fade2b878acb14cce0f71016503 (git) | |
| Linux | Linux | Affected: 5.17 Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7df0296ad4e9253d12c6dbe7f120044dddc95600",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "7da755e0d02e9ca035065127e108d1fed8950dc8",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "78d3f201f8b609928eade53cf03a52df5415aaf7",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "e978a36f332ede78eb4de037b517db16265d420d",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "220d7ca70611a73d50ef8e9edac630ed1ececb7c",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "fa96392ebebc8fade2b878acb14cce0f71016503",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Add NULL checks when resetting request and reply queues\n\nThe driver encountered a crash during resource cleanup when the reply and\nrequest queues were NULL due to freed memory. This issue occurred when the\ncreation of reply or request queues failed, and the driver freed the memory\nfirst, but attempted to mem set the content of the freed memory, leading to\na system crash.\n\nAdd NULL pointer checks for reply and request queues before accessing the\nreply/request memory during cleanup"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:17.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600"
},
{
"url": "https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8"
},
{
"url": "https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7"
},
{
"url": "https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d"
},
{
"url": "https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c"
},
{
"url": "https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503"
}
],
"title": "scsi: mpi3mr: Add NULL checks when resetting request and reply queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43473",
"datePublished": "2026-05-08T14:22:32.210Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:17.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43472 (GCVE-0-2026-43472)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
unshare: fix unshare_fs() handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
unshare: fix unshare_fs() handling
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness.
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 845bf3c6963a52096d0d3866e4a92db77a0c03d8 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d3ffc8f13034af895531a02c30b1fe3a34b46432 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d0d99f60538ddb4a62ccaac2168d8f448965f083 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d7963d6997fea86a6def242ac36198b86655f912 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < aa9ebc084505fb26dd90f4d7a249045aad152043 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 42e21e74061b0ebbd859839f81acf10efad02a27 (git) Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 6c4b2243cb6c0755159bd567130d5e12e7b10d9f (git) | |
| Linux | Linux | Affected: 2.6.16 Unaffected: 0 , < 2.6.16 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "845bf3c6963a52096d0d3866e4a92db77a0c03d8",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d3ffc8f13034af895531a02c30b1fe3a34b46432",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d0d99f60538ddb4a62ccaac2168d8f448965f083",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d7963d6997fea86a6def242ac36198b86655f912",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "aa9ebc084505fb26dd90f4d7a249045aad152043",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "42e21e74061b0ebbd859839f81acf10efad02a27",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "6c4b2243cb6c0755159bd567130d5e12e7b10d9f",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nunshare: fix unshare_fs() handling\n\nThere\u0027s an unpleasant corner case in unshare(2), when we have a\nCLONE_NEWNS in flags and current-\u003efs hadn\u0027t been shared at all; in that\ncase copy_mnt_ns() gets passed current-\u003efs instead of a private copy,\nwhich causes interesting warts in proof of correctness]\n\n\u003e I guess if private means fs-\u003eusers == 1, the condition could still be true.\n\nUnfortunately, it\u0027s worse than just a convoluted proof of correctness.\nConsider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS\n(and current-\u003efs-\u003eusers == 1).\n\nWe pass current-\u003efs to copy_mnt_ns(), all right. Suppose it succeeds and\nflips current-\u003efs-\u003e{pwd,root} to corresponding locations in the new namespace.\nNow we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).\nWe call put_mnt_ns() on the namespace created by copy_mnt_ns(), it\u0027s\ndestroyed and its mount tree is dissolved, but... current-\u003efs-\u003eroot and\ncurrent-\u003efs-\u003epwd are both left pointing to now detached mounts.\n\nThey are pinning those, so it\u0027s not a UAF, but it leaves the calling\nprocess with unshare(2) failing with -ENOMEM _and_ leaving it with\npwd and root on detached isolated mounts. The last part is clearly a bug.\n\nThere is other fun related to that mess (races with pivot_root(), including\nthe one between pivot_root() and fork(), of all things), but this one\nis easy to isolate and fix - treat CLONE_NEWNS as \"allocate a new\nfs_struct even if it hadn\u0027t been shared in the first place\". 
Sure, we could\ngo for something like \"if both CLONE_NEWNS *and* one of the things that might\nend up failing after copy_mnt_ns() call in create_new_namespaces() are set,\nforce allocation of new fs_struct\", but let\u0027s keep it simple - the cost\nof copy_fs_struct() is trivial.\n\nAnother benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets\na freshly allocated fs_struct, yet to be attached to anything. That\nseriously simplifies the analysis...\n\nFWIW, that bug had been there since the introduction of unshare(2) ;-/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:16.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/845bf3c6963a52096d0d3866e4a92db77a0c03d8"
},
{
"url": "https://git.kernel.org/stable/c/d3ffc8f13034af895531a02c30b1fe3a34b46432"
},
{
"url": "https://git.kernel.org/stable/c/d0d99f60538ddb4a62ccaac2168d8f448965f083"
},
{
"url": "https://git.kernel.org/stable/c/d7963d6997fea86a6def242ac36198b86655f912"
},
{
"url": "https://git.kernel.org/stable/c/aa9ebc084505fb26dd90f4d7a249045aad152043"
},
{
"url": "https://git.kernel.org/stable/c/af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0"
},
{
"url": "https://git.kernel.org/stable/c/42e21e74061b0ebbd859839f81acf10efad02a27"
},
{
"url": "https://git.kernel.org/stable/c/6c4b2243cb6c0755159bd567130d5e12e7b10d9f"
}
],
"title": "unshare: fix unshare_fs() handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43472",
"datePublished": "2026-05-08T14:22:31.556Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:16.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43471 (GCVE-0-2026-43471)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL
pointer dereference when accessing hwq->id. This can happen if
ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to
prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: bed0896008334eeee4b4bfd7150491ca098cbf72 , < 0614f5618c24fbc3d555efade22887b102ad7ad6 (git) Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < be730f9ee92ae08f2bc4b336967bcfd8183c06fe (git) Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < f4f590c6c9df7453bbda2ef9170b1b09e42a124c (git) Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < 93b9e7ee9e93629db80bbc9dab8a874215b89ccf (git) Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < 30df81f2228d65bddf492db3929d9fcaffd38fc5 (git) Affected: 11d81233f4ebe6907b12c79ad7d8787aa4db0633 (git) | |
| Linux | Linux | Affected: 6.10 Unaffected: 0 , < 6.10 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0614f5618c24fbc3d555efade22887b102ad7ad6",
"status": "affected",
"version": "bed0896008334eeee4b4bfd7150491ca098cbf72",
"versionType": "git"
},
{
"lessThan": "be730f9ee92ae08f2bc4b336967bcfd8183c06fe",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "f4f590c6c9df7453bbda2ef9170b1b09e42a124c",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "93b9e7ee9e93629db80bbc9dab8a874215b89ccf",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "30df81f2228d65bddf492db3929d9fcaffd38fc5",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"status": "affected",
"version": "11d81233f4ebe6907b12c79ad7d8787aa4db0633",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()\n\nThe kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL\npointer dereference when accessing hwq-\u003eid. This can happen if\nufshcd_mcq_req_to_hwq() returns NULL.\n\nThis patch adds a NULL check for hwq before accessing its id field to\nprevent a kernel crash.\n\nKernel log excerpt:\n[\u003cffffffd5d192dc4c\u003e] notify_die+0x4c/0x8c\n[\u003cffffffd5d1814e58\u003e] __die+0x60/0xb0\n[\u003cffffffd5d1814d64\u003e] die+0x4c/0xe0\n[\u003cffffffd5d181575c\u003e] die_kernel_fault+0x74/0x88\n[\u003cffffffd5d1864db4\u003e] __do_kernel_fault+0x314/0x318\n[\u003cffffffd5d2a3cdf8\u003e] do_page_fault+0xa4/0x5f8\n[\u003cffffffd5d2a3cd34\u003e] do_translation_fault+0x34/0x54\n[\u003cffffffd5d1864524\u003e] do_mem_abort+0x50/0xa8\n[\u003cffffffd5d2a297dc\u003e] el1_abort+0x3c/0x64\n[\u003cffffffd5d2a29718\u003e] el1h_64_sync_handler+0x44/0xcc\n[\u003cffffffd5d181133c\u003e] el1h_64_sync+0x80/0x88\n[\u003cffffffd5d255c1dc\u003e] ufshcd_add_command_trace+0x23c/0x320\n[\u003cffffffd5d255bad8\u003e] ufshcd_compl_one_cqe+0xa4/0x404\n[\u003cffffffd5d2572968\u003e] ufshcd_mcq_poll_cqe_lock+0xac/0x104\n[\u003cffffffd5d11c7460\u003e] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]\n[\u003cffffffd5d19ab92c\u003e] __handle_irq_event_percpu+0xc8/0x348\n[\u003cffffffd5d19abca8\u003e] handle_irq_event+0x3c/0xa8\n[\u003cffffffd5d19b1f0c\u003e] handle_fasteoi_irq+0xf8/0x294\n[\u003cffffffd5d19aa778\u003e] generic_handle_domain_irq+0x54/0x80\n[\u003cffffffd5d18102bc\u003e] gic_handle_irq+0x1d4/0x330\n[\u003cffffffd5d1838210\u003e] call_on_irq_stack+0x44/0x68\n[\u003cffffffd5d183af30\u003e] do_interrupt_handler+0x78/0xd8\n[\u003cffffffd5d2a29c00\u003e] el1_interrupt+0x48/0xa8\n[\u003cffffffd5d2a29ba8\u003e] el1h_64_irq_handler+0x14/0x24\n[\u003cffffffd5d18113c4\u003e] 
el1h_64_irq+0x80/0x88\n[\u003cffffffd5d2527fb4\u003e] arch_local_irq_enable+0x4/0x1c\n[\u003cffffffd5d25282e4\u003e] cpuidle_enter+0x34/0x54\n[\u003cffffffd5d195a678\u003e] do_idle+0x1dc/0x2f8\n[\u003cffffffd5d195a7c4\u003e] cpu_startup_entry+0x30/0x3c\n[\u003cffffffd5d18155c4\u003e] secondary_start_kernel+0x134/0x1ac\n[\u003cffffffd5d18640bc\u003e] __secondary_switched+0xc4/0xcc"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:15.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0614f5618c24fbc3d555efade22887b102ad7ad6"
},
{
"url": "https://git.kernel.org/stable/c/be730f9ee92ae08f2bc4b336967bcfd8183c06fe"
},
{
"url": "https://git.kernel.org/stable/c/f4f590c6c9df7453bbda2ef9170b1b09e42a124c"
},
{
"url": "https://git.kernel.org/stable/c/93b9e7ee9e93629db80bbc9dab8a874215b89ccf"
},
{
"url": "https://git.kernel.org/stable/c/30df81f2228d65bddf492db3929d9fcaffd38fc5"
}
],
"title": "scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43471",
"datePublished": "2026-05-08T14:22:30.909Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:15.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43470 (GCVE-0-2026-43470)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 7e2963773760a664684435201960dd2fb712f1b5 (git) Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 203c792cb4315360d49973ae2e57feeb6d3dcf7e (git) Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 9ee1770fcb2f1b48354622b926e7dc10222805f5 (git) Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 410666a298c34ebd57256fde6b24c96bd23059a2 (git) | |
| Linux | Linux | Affected: 6.10 Unaffected: 0 , < 6.10 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e2963773760a664684435201960dd2fb712f1b5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "203c792cb4315360d49973ae2e57feeb6d3dcf7e",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "9ee1770fcb2f1b48354622b926e7dc10222805f5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "410666a298c34ebd57256fde6b24c96bd23059a2",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don\u0027t return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don\u0027t attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:13.820Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5"
},
{
"url": "https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e"
},
{
"url": "https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5"
},
{
"url": "https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2"
}
],
"title": "nfs: return EISDIR on nfs3_proc_create if d_alias is a dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43470",
"datePublished": "2026-05-08T14:22:30.218Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:13.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43469 (GCVE-0-2026-43469)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
xprtrdma: Decrement re_receiving on the early exit paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: Decrement re_receiving on the early exit paths
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Severity ?
7.5 (High)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 7ea69259a60a364f56cf4aa9e2eafb588d1c762b (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 8cb6b5d8296b1f99a8d36849901ebabfe3f749db (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 74c39a47856bddcde7874f2196a00143b5cd0af9 (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 49f53ee4e25297d886f14e31f355ad1c2735ddfb (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 8127b5fec04757c2a41ed65bca0b3266968efd3b (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf (git) Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 7b6275c80a0c81c5f8943272292dfe67730ce849 (git) | |
| Linux | Linux | Affected: 5.13 Unaffected: 0 , < 5.13 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ea69259a60a364f56cf4aa9e2eafb588d1c762b",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "8cb6b5d8296b1f99a8d36849901ebabfe3f749db",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "74c39a47856bddcde7874f2196a00143b5cd0af9",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "49f53ee4e25297d886f14e31f355ad1c2735ddfb",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "8127b5fec04757c2a41ed65bca0b3266968efd3b",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "7b6275c80a0c81c5f8943272292dfe67730ce849",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Decrement re_receiving on the early exit paths\n\nIn the event that rpcrdma_post_recvs() fails to create a work request\n(due to memory allocation failure, say) or otherwise exits early, we\nshould decrement ep-\u003ere_receiving before returning. Otherwise we will\nhang in rpcrdma_xprt_drain() as re_receiving will never reach zero and\nthe completion will never be triggered.\n\nOn a system with high memory pressure, this can appear as the following\nhung task:\n\n INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.\n Tainted: G S E 6.19.0 #3\n \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000\n Workqueue: xprtiod xprt_autoclose [sunrpc]\n Call Trace:\n \u003cTASK\u003e\n __schedule+0x48b/0x18b0\n ? ib_post_send_mad+0x247/0xae0 [ib_core]\n schedule+0x27/0xf0\n schedule_timeout+0x104/0x110\n __wait_for_common+0x98/0x180\n ? __pfx_schedule_timeout+0x10/0x10\n wait_for_completion+0x24/0x40\n rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]\n xprt_rdma_close+0x12/0x40 [rpcrdma]\n xprt_autoclose+0x5f/0x120 [sunrpc]\n process_one_work+0x191/0x3e0\n worker_thread+0x2e3/0x420\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x273/0x2b0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:12.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ea69259a60a364f56cf4aa9e2eafb588d1c762b"
},
{
"url": "https://git.kernel.org/stable/c/8cb6b5d8296b1f99a8d36849901ebabfe3f749db"
},
{
"url": "https://git.kernel.org/stable/c/74c39a47856bddcde7874f2196a00143b5cd0af9"
},
{
"url": "https://git.kernel.org/stable/c/49f53ee4e25297d886f14e31f355ad1c2735ddfb"
},
{
"url": "https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b"
},
{
"url": "https://git.kernel.org/stable/c/dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf"
},
{
"url": "https://git.kernel.org/stable/c/7b6275c80a0c81c5f8943272292dfe67730ce849"
}
],
"title": "xprtrdma: Decrement re_receiving on the early exit paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43469",
"datePublished": "2026-05-08T14:22:29.550Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:12.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43468 (GCVE-0-2026-43468)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5: Fix deadlock between devlink lock and esw->wq
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix deadlock between devlink lock and esw->wq
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 0de867f6e34eae6907b367fd152c55e61cb98608 (git)<br>Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 957d2a58f7f8ebcbdd0a85935e0d2675134b890d (git)<br>Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 3c7313cb41b1b427078440364d2f042c276a1c0b (git)<br>Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 4a7838bebc38374f74baaf88bf2cf8d439a92923 (git)<br>Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1 (git)<br>Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < aed763abf0e905b4b8d747d1ba9e172961572f57 (git) | |
| Linux | Linux | Affected: 6.0<br>Unaffected: 0 , < 6.0 (semver)<br>Unaffected: 6.1.167 , ≤ 6.1.* (semver)<br>Unaffected: 6.6.130 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.78 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |

Note: every cpeMatch range in the record below starts at 6.0 and the widest one runs up to 7.0, so matching on the CPE data alone also flags the fixed stable releases listed as unaffected above (for example 6.1.167). Check the `versions` list before treating a host as unpatched.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0de867f6e34eae6907b367fd152c55e61cb98608",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "957d2a58f7f8ebcbdd0a85935e0d2675134b890d",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "3c7313cb41b1b427078440364d2f042c276a1c0b",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "4a7838bebc38374f74baaf88bf2cf8d439a92923",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "aed763abf0e905b4b8d747d1ba9e172961572f57",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix deadlock between devlink lock and esw-\u003ewq\n\nesw-\u003ework_queue executes esw_functions_changed_event_handler -\u003e\nesw_vfs_changed_event_handler and acquires the devlink lock.\n\n.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -\u003e\nmlx5_devlink_eswitch_mode_set -\u003e mlx5_eswitch_disable_locked -\u003e\nmlx5_eswitch_event_handler_unregister -\u003e flush_workqueue deadlocks\nwhen esw_vfs_changed_event_handler executes.\n\nFix that by no longer flushing the work to avoid the deadlock, and using\na generation counter to keep track of work relevance. This avoids an old\nhandler manipulating an esw that has undergone one or more mode changes:\n- the counter is incremented in mlx5_eswitch_event_handler_unregister.\n- the counter is read and passed to the ephemeral mlx5_host_work struct.\n- the work handler takes the devlink lock and bails out if the current\n generation is different than the one it was scheduled to operate on.\n- mlx5_eswitch_cleanup does the final draining before destroying the wq.\n\nNo longer flushing the workqueue has the side effect of maybe no longer\ncancelling pending vport_change_handler work items, but that\u0027s ok since\nthose are disabled elsewhere:\n- mlx5_eswitch_disable_locked disables the vport eq notifier.\n- mlx5_esw_vport_disable disarms the HW EQ notification and marks\n vport-\u003eenabled under state_lock to false to prevent pending vport\n handler from doing anything.\n- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events\n are disabled/finished."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:11.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0de867f6e34eae6907b367fd152c55e61cb98608"
},
{
"url": "https://git.kernel.org/stable/c/957d2a58f7f8ebcbdd0a85935e0d2675134b890d"
},
{
"url": "https://git.kernel.org/stable/c/3c7313cb41b1b427078440364d2f042c276a1c0b"
},
{
"url": "https://git.kernel.org/stable/c/4a7838bebc38374f74baaf88bf2cf8d439a92923"
},
{
"url": "https://git.kernel.org/stable/c/90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1"
},
{
"url": "https://git.kernel.org/stable/c/aed763abf0e905b4b8d747d1ba9e172961572f57"
}
],
"title": "net/mlx5: Fix deadlock between devlink lock and esw-\u003ewq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43468",
"datePublished": "2026-05-08T14:22:28.889Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:11.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43467 (GCVE-0-2026-43467)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5: Fix crash when moving to switchdev mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix crash when moving to switchdev mode
When moving to switchdev mode when the device doesn't support IPsec,
we try to clean up the IPsec resources anyway which causes the crash
below, fix that by correctly checking for IPsec support before trying
to clean up its resources.
[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at
do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490
[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE
ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype
rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink
zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi
scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core
ib_core
[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted
6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE
[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680
[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22
00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb
ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d
41
[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046
[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
ffff88810b980f00
[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:
ffff88810770f728
[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:
0000000000000000
[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff888103f3c4c0
[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:
0000000000000000
[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000)
knlGS:0000000000000000
[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:
0000000000172eb0
[27642.537982] Call Trace:
[27642.538466] <TASK>
[27642.538907] exc_page_fault+0x76/0x140
[27642.539583] asm_exc_page_fault+0x22/0x30
[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30
[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8
01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00
00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8
5b
[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046
[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:
ffff888113ad96d8
[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:
00000000000000a0
[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:
ffff88810b980f00
[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:
00000000000000a8
[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:
ffff8881130d8a40
[27642.550379] complete_all+0x20/0x90
[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]
[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]
[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]
[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]
[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]
[27642.555757] ? xa_load+0x53/0x90
[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]
[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]
[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]
[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]
[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]
[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]
[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0
[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0
[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130
[27642.564816] genl_rcv_msg+0x183/0x290
[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160
[27642.566329] ? d
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
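| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 7e212cebc863c2c7a82f480446cd731721451691 , < 05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9 (git)<br>Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7 , < 835778685f157b4fd4683b670cfe4010265bac60 (git)<br>Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7 , < bc72f739f398d9d2e4f3d06f3f75fe98876d5579 (git)<br>Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7 , < 24b2795f9683e092dc22a68f487e7aaaf2ddafea (git)<br>Affected: 8956686d398eca6d324d2d164f9d2a281175a3a1 (git) | |
| Linux | Linux | Affected: 6.18<br>Unaffected: 0 , < 6.18 (semver)<br>Unaffected: 6.12.78 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |

Note: the cpeApplicability data in the record below also marks 6.12.56 up to (but not including) 6.12.78 as vulnerable, and 6.17.6 onward with no end version. Neither range shows in the semver rows above, where "Unaffected: 0 , < 6.18" reads as if every earlier release were clear, so check stable-branch hosts against the CPE ranges and the git commits as well.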
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9",
"status": "affected",
"version": "7e212cebc863c2c7a82f480446cd731721451691",
"versionType": "git"
},
{
"lessThan": "835778685f157b4fd4683b670cfe4010265bac60",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"lessThan": "bc72f739f398d9d2e4f3d06f3f75fe98876d5579",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"lessThan": "24b2795f9683e092dc22a68f487e7aaaf2ddafea",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"status": "affected",
"version": "8956686d398eca6d324d2d164f9d2a281175a3a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix crash when moving to switchdev mode\n\nWhen moving to switchdev mode when the device doesn\u0027t support IPsec,\nwe try to clean up the IPsec resources anyway which causes the crash\nbelow, fix that by correctly checking for IPsec support before trying\nto clean up its resources.\n\n[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at\ndo_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490\n[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE\nip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype\nrpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink\nzram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi\nscsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core\nib_core\n[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted\n6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE\n[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680\n[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22\n00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb\n ae \u003c0f\u003e 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d\n41\n[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046\n[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:\nffff88810b980f00\n[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:\nffff88810770f728\n[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:\n0000000000000000\n[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:\nffff888103f3c4c0\n[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:\n0000000000000000\n[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000)\nknlGS:0000000000000000\n[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:\n0000000000172eb0\n[27642.537982] Call Trace:\n[27642.538466] \u003cTASK\u003e\n[27642.538907] exc_page_fault+0x76/0x140\n[27642.539583] asm_exc_page_fault+0x22/0x30\n[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30\n[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8\n01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00\n 00 \u003cf0\u003e 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8\n 5b\n[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046\n[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:\nffff888113ad96d8\n[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:\n00000000000000a0\n[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:\nffff88810b980f00\n[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:\n00000000000000a8\n[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:\nffff8881130d8a40\n[27642.550379] complete_all+0x20/0x90\n[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]\n[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]\n[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]\n[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]\n[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]\n[27642.555757] ? xa_load+0x53/0x90\n[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]\n[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]\n[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]\n[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]\n[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]\n[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]\n[27642.562334] ? 
devlink_rate_set_ops_supported+0x21/0x3a0\n[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0\n[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130\n[27642.564816] genl_rcv_msg+0x183/0x290\n[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160\n[27642.566329] ? d\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:10.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9"
},
{
"url": "https://git.kernel.org/stable/c/835778685f157b4fd4683b670cfe4010265bac60"
},
{
"url": "https://git.kernel.org/stable/c/bc72f739f398d9d2e4f3d06f3f75fe98876d5579"
},
{
"url": "https://git.kernel.org/stable/c/24b2795f9683e092dc22a68f487e7aaaf2ddafea"
}
],
"title": "net/mlx5: Fix crash when moving to switchdev mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43467",
"datePublished": "2026-05-08T14:22:28.216Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:10.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43466 (GCVE-0-2026-43466)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Severity ?
8.2 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 821f85d619f7f22cda7b9d7de89cf5eeb1d11544 (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 6eb68ecc5acc3b319986566c595990b8a7265b23 (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 383b37c04a4827ba60b2bafc1a6cdfd995aed58f (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8 (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < ce1b19dd0684eeb68a124c11085bd611260b36d9 (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 829efcccfa8f69db5dc8332961295587d218cee6 (git)<br>Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261 , < 1633111d69053512d099658d4a05fc736fab36b0 (git) | |
| Linux | Linux | Affected: 4.17<br>Unaffected: 0 , < 4.17 (semver)<br>Unaffected: 5.10.253 , ≤ 5.10.* (semver)<br>Unaffected: 5.15.203 , ≤ 5.15.* (semver)<br>Unaffected: 6.1.167 , ≤ 6.1.* (semver)<br>Unaffected: 6.6.130 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.78 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "821f85d619f7f22cda7b9d7de89cf5eeb1d11544",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "6eb68ecc5acc3b319986566c595990b8a7265b23",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "383b37c04a4827ba60b2bafc1a6cdfd995aed58f",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "ce1b19dd0684eeb68a124c11085bd611260b36d9",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "829efcccfa8f69db5dc8332961295587d218cee6",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "1633111d69053512d099658d4a05fc736fab36b0",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery\n\nIn case of a TX error CQE, a recovery flow is triggered,\nmlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,\ndesyncing the DMA FIFO producer and consumer.\n\nAfter recovery, the producer pushes new DMA entries at the old\ndma_fifo_pc, while the consumer reads from position 0.\nThis causes us to unmap stale DMA addresses from before the recovery.\n\nThe DMA FIFO is a purely software construct with no HW counterpart.\nAt the point of reset, all WQEs have been flushed so dma_fifo_cc is\nalready equal to dma_fifo_pc. There is no need to reset either counter,\nsimilar to how skb_fifo pc/cc are untouched.\n\nRemove the \u0027dma_fifo_cc = 0\u0027 reset.\n\nThis fixes the following WARNING:\n WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90\n Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:iommu_dma_unmap_page+0x79/0x90\n Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 
d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00\n Call Trace:\n \u003cIRQ\u003e\n ? __warn+0x7d/0x110\n ? iommu_dma_unmap_page+0x79/0x90\n ? report_bug+0x16d/0x180\n ? handle_bug+0x4f/0x90\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? iommu_dma_unmap_page+0x79/0x90\n ? iommu_dma_unmap_page+0x2e/0x90\n dma_unmap_page_attrs+0x10d/0x1b0\n mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]\n mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]\n mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]\n __napi_poll+0x24/0x190\n net_rx_action+0x32a/0x3b0\n ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]\n ? notifier_call_chain+0x35/0xa0\n handle_softirqs+0xc9/0x270\n irq_exit_rcu+0x71/0xd0\n common_interrupt+0x7f/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:09.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/821f85d619f7f22cda7b9d7de89cf5eeb1d11544"
},
{
"url": "https://git.kernel.org/stable/c/6eb68ecc5acc3b319986566c595990b8a7265b23"
},
{
"url": "https://git.kernel.org/stable/c/6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e"
},
{
"url": "https://git.kernel.org/stable/c/383b37c04a4827ba60b2bafc1a6cdfd995aed58f"
},
{
"url": "https://git.kernel.org/stable/c/9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8"
},
{
"url": "https://git.kernel.org/stable/c/ce1b19dd0684eeb68a124c11085bd611260b36d9"
},
{
"url": "https://git.kernel.org/stable/c/829efcccfa8f69db5dc8332961295587d218cee6"
},
{
"url": "https://git.kernel.org/stable/c/1633111d69053512d099658d4a05fc736fab36b0"
}
],
"title": "net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43466",
"datePublished": "2026-05-08T14:22:27.513Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:09.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43465 (GCVE-0-2026-43465)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.
The issue was discovered by the drivers/net/xdp.py selftest,
more specifically the test_xdp_native_tx_mb:
- The mlx5 driver allocates a page_pool page and initializes it with
a frag counter of 64 (pp_ref_count=64) and the internal frag counter
to 0.
- The test sends one packet with no payload.
- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP
buffer with the packet data starting in the first fragment which is the
page mentioned above.
- The XDP program runs and calls bpf_xdp_pull_data() which moves the
header into the linear part of the XDP buffer. As the packet doesn't
contain more data, the program drops the tail fragment since it no
longer contains any payload (pp_ref_count=63).
- mlx5 device skips counting this fragment. Internal frag counter
remains 0.
- mlx5 releases all 64 fragments of the page but page pp_ref_count is
63 => negative reference counting error.
Resulting splat during the test:
WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
Modules linked in: [...]
CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]
mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]
mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]
mlx5e_close_rq+0x78/0xa0 [mlx5_core]
mlx5e_close_queues+0x46/0x2a0 [mlx5_core]
mlx5e_close_channel+0x24/0x90 [mlx5_core]
mlx5e_close_channels+0x5d/0xf0 [mlx5_core]
mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]
mlx5e_change_mtu+0x11d/0x490 [mlx5_core]
mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]
netif_set_mtu_ext+0xfc/0x240
do_setlink.isra.0+0x226/0x1100
rtnl_newlink+0x7a9/0xba0
rtnetlink_rcv_msg+0x220/0x3c0
netlink_rcv_skb+0x4b/0xf0
netlink_unicast+0x255/0x380
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1e8/0x240
___sys_sendmsg+0x7c/0xb0
[...]
__sys_sendmsg+0x5f/0xb0
do_syscall_64+0x55/0xc70
The problem applies to XDP_PASS as well, which is handled in a different
code path in the driver.
This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This basically reverts to the original
counting used before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Severity (CVSS 3.1 base score)
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < 7d7342a18fadcdb70a63b3c930dc63528ce51832 (git)<br>Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < 043bd62f748bc9fd98154037aa598cffbd3c667c (git)<br>Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be , < db25c42c2e1f9c0d136420fff5e5700f7e771a6f (git)<br>Affected: 8b051d7f530e8a5237da242fbeafef02fec6b813 (git)<br>Affected: cb9edd583e23979ee546981be963ad5f217e8b18 (git)<br>Affected: f2557d7fa38e9475b38588f5c124476091480f53 (git) | |
| Linux | Linux | Affected: 6.18<br>Unaffected: 0 , < 6.18 (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d7342a18fadcdb70a63b3c930dc63528ce51832",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"lessThan": "043bd62f748bc9fd98154037aa598cffbd3c667c",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"lessThan": "db25c42c2e1f9c0d136420fff5e5700f7e771a6f",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"status": "affected",
"version": "8b051d7f530e8a5237da242fbeafef02fec6b813",
"versionType": "git"
},
{
"status": "affected",
"version": "cb9edd583e23979ee546981be963ad5f217e8b18",
"versionType": "git"
},
{
"status": "affected",
"version": "f2557d7fa38e9475b38588f5c124476091480f53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn\u0027t change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n buffer with the packet data starting in the first fragment which is the\n page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n header into the linear part of the XDP buffer. As the packet doesn\u0027t\n contain more data, the program drops the tail fragment since it no\n longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. 
Internal frag counter\n remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n 63 =\u003e negative reference counting error.\n\nResulting splat during the test:\n\n WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n Modules linked in: [...]\n CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n [...]\n Call Trace:\n \u003cTASK\u003e\n mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n mlx5e_close_channel+0x24/0x90 [mlx5_core]\n mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n netif_set_mtu_ext+0xfc/0x240\n do_setlink.isra.0+0x226/0x1100\n rtnl_newlink+0x7a9/0xba0\n rtnetlink_rcv_msg+0x220/0x3c0\n netlink_rcv_skb+0x4b/0xf0\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x1e8/0x240\n ___sys_sendmsg+0x7c/0xb0\n [...]\n __sys_sendmsg+0x5f/0xb0\n do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). 
This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:07.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832"
},
{
"url": "https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c"
},
{
"url": "https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f"
}
],
"title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43465",
"datePublished": "2026-05-08T14:22:26.822Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:07.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43464 (GCVE-0-2026-43464)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.
Such an issue can be observed with the
test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of
3600 and shrinking by 256 bytes (an upcoming selftest patch): the last
fragment gets released by the XDP code but doesn't get tracked by the
driver. This results in a negative pp_ref_count during page release and
the following splat:
WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
Modules linked in: [...]
CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]
mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]
mlx5e_close_rq+0x50/0x60 [mlx5_core]
mlx5e_close_queues+0x36/0x2c0 [mlx5_core]
mlx5e_close_channel+0x1c/0x50 [mlx5_core]
mlx5e_close_channels+0x45/0x80 [mlx5_core]
mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]
mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]
netif_set_mtu_ext+0xf1/0x230
do_setlink.isra.0+0x219/0x1180
rtnl_newlink+0x79f/0xb60
rtnetlink_rcv_msg+0x213/0x3a0
netlink_rcv_skb+0x48/0xf0
netlink_unicast+0x24a/0x350
netlink_sendmsg+0x1ee/0x410
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x232/0x280
___sys_sendmsg+0x78/0xb0
__sys_sendmsg+0x5f/0xb0
[...]
do_syscall_64+0x57/0xc50
This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This basically reverts to the original
counting used before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Severity (CVSS 3.1 base score)
7.5 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < c74557495efb4bd0adefdfc8678ecdbc82a06da3 (git)<br>Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < 03cb50e5b74fce8bf6d92b860371b66253cf0f8d (git)<br>Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa (git)<br>Affected: 72328f25755ee966724f46e3a0e8e59bef2091ba (git)<br>Affected: 0049fd63881505566824e88cfa624638f921c808 (git)<br>Affected: d969645b9b7810289bf3c353ea06957373756b8e (git) | |
| Linux | Linux | Affected: 6.18<br>Unaffected: 0 , < 6.18 (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c74557495efb4bd0adefdfc8678ecdbc82a06da3",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"lessThan": "03cb50e5b74fce8bf6d92b860371b66253cf0f8d",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"lessThan": "a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"status": "affected",
"version": "72328f25755ee966724f46e3a0e8e59bef2091ba",
"versionType": "git"
},
{
"status": "affected",
"version": "0049fd63881505566824e88cfa624638f921c808",
"versionType": "git"
},
{
"status": "affected",
"version": "d969645b9b7810289bf3c353ea06957373756b8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn\u0027t change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nSuch issue can be observed with the\ntest_xdp_native_adjst_tail_shrnk_data selftest when using a payload of\n3600 and shrinking by 256 bytes (an upcoming selftest patch): the last\nfragment gets released by the XDP code but doesn\u0027t get tracked by the\ndriver. This results in a negative pp_ref_count during page release and\nthe following splat:\n\n WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137\n Modules linked in: [...]\n CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]\n [...]\n Call Trace:\n \u003cTASK\u003e\n mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]\n mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]\n mlx5e_close_rq+0x50/0x60 [mlx5_core]\n mlx5e_close_queues+0x36/0x2c0 [mlx5_core]\n mlx5e_close_channel+0x1c/0x50 [mlx5_core]\n mlx5e_close_channels+0x45/0x80 [mlx5_core]\n mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]\n mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]\n netif_set_mtu_ext+0xf1/0x230\n do_setlink.isra.0+0x219/0x1180\n rtnl_newlink+0x79f/0xb60\n rtnetlink_rcv_msg+0x213/0x3a0\n netlink_rcv_skb+0x48/0xf0\n netlink_unicast+0x24a/0x350\n netlink_sendmsg+0x1ee/0x410\n 
__sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x232/0x280\n ___sys_sendmsg+0x78/0xb0\n __sys_sendmsg+0x5f/0xb0\n [...]\n do_syscall_64+0x57/0xc50\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:06.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3"
},
{
"url": "https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d"
},
{
"url": "https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa"
}
],
"title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43464",
"datePublished": "2026-05-08T14:22:26.039Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:06.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43463 (GCVE-0-2026-43463)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
rxrpc_kernel_lookup_peer() can return error pointers as well as NULL, so
checking only for NULL is not sufficient: an error pointer is non-NULL and
would pass that check, leaving the caller to treat it as a valid peer.
Fix this by:
(1) Changing rxrpc_kernel_lookup_peer() to return an -ENOMEM error pointer
rather than NULL on allocation failure.
(2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the
error code returned.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 72904d7b9bfbf2dd146254edea93958bc35bbbfe , < d55fa7cd4b19ba91b34b307d769c149e56ad0a75 (git)<br>Affected: 72904d7b9bfbf2dd146254edea93958bc35bbbfe , < 54331c5dcc6d97683d7ca2788e7ef9c9505e1477 (git)<br>Affected: 72904d7b9bfbf2dd146254edea93958bc35bbbfe , < 4245a79003adf30e67f8e9060915bd05cb31d142 (git)<br>Affected: 056fc740be000d39a7dba700a935f3bbfbc664e6 (git) | |
| Linux | Linux | Affected: 6.8<br>Unaffected: 0 , < 6.8 (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/afs/addr_list.c",
"net/rxrpc/af_rxrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d55fa7cd4b19ba91b34b307d769c149e56ad0a75",
"status": "affected",
"version": "72904d7b9bfbf2dd146254edea93958bc35bbbfe",
"versionType": "git"
},
{
"lessThan": "54331c5dcc6d97683d7ca2788e7ef9c9505e1477",
"status": "affected",
"version": "72904d7b9bfbf2dd146254edea93958bc35bbbfe",
"versionType": "git"
},
{
"lessThan": "4245a79003adf30e67f8e9060915bd05cb31d142",
"status": "affected",
"version": "72904d7b9bfbf2dd146254edea93958bc35bbbfe",
"versionType": "git"
},
{
"status": "affected",
"version": "056fc740be000d39a7dba700a935f3bbfbc664e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/afs/addr_list.c",
"net/rxrpc/af_rxrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()\n\nrxrpc_kernel_lookup_peer() can also return error pointers in addition to\nNULL, so just checking for NULL is not sufficient.\n\nFix this by:\n\n (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL\n on allocation failure.\n\n (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the\n error code returned."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:05.525Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d55fa7cd4b19ba91b34b307d769c149e56ad0a75"
},
{
"url": "https://git.kernel.org/stable/c/54331c5dcc6d97683d7ca2788e7ef9c9505e1477"
},
{
"url": "https://git.kernel.org/stable/c/4245a79003adf30e67f8e9060915bd05cb31d142"
}
],
"title": "rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43463",
"datePublished": "2026-05-08T14:22:25.346Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:25:05.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43462 (GCVE-0-2026-43462)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net: spacemit: Fix error handling in emac_tx_mem_map()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: spacemit: Fix error handling in emac_tx_mem_map()
The DMA mappings were leaked on mapping error. Free them with the
existing emac_free_tx_buf() function.
Severity ?
7.5 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: bfec6d7f2001c7470c3cd261ae65a3ba8737f226 , < c34ebd7b24ea70be3c6fdb6936f79f593f37df60 (git); Affected: bfec6d7f2001c7470c3cd261ae65a3ba8737f226 , < edeaba385318f60ec1b32470da4d5eb800294d16 (git); Affected: bfec6d7f2001c7470c3cd261ae65a3ba8737f226 , < 86292155bea578ebab0ca3b65d4d87ecd8a0e9ea (git) | |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/spacemit/k1_emac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c34ebd7b24ea70be3c6fdb6936f79f593f37df60",
"status": "affected",
"version": "bfec6d7f2001c7470c3cd261ae65a3ba8737f226",
"versionType": "git"
},
{
"lessThan": "edeaba385318f60ec1b32470da4d5eb800294d16",
"status": "affected",
"version": "bfec6d7f2001c7470c3cd261ae65a3ba8737f226",
"versionType": "git"
},
{
"lessThan": "86292155bea578ebab0ca3b65d4d87ecd8a0e9ea",
"status": "affected",
"version": "bfec6d7f2001c7470c3cd261ae65a3ba8737f226",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/spacemit/k1_emac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: spacemit: Fix error handling in emac_tx_mem_map()\n\nThe DMA mappings were leaked on mapping error. Free them with the\nexisting emac_free_tx_buf() function."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:04.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60"
},
{
"url": "https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16"
},
{
"url": "https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea"
}
],
"title": "net: spacemit: Fix error handling in emac_tx_mem_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43462",
"datePublished": "2026-05-08T14:22:24.686Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:25:04.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43461 (GCVE-0-2026-43461)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
spi: amlogic: spifc-a4: Fix DMA mapping error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: amlogic: spifc-a4: Fix DMA mapping error handling
Fix three bugs in aml_sfc_dma_buffer_setup() error paths:
1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails,
nothing needs cleanup. Use direct return instead of goto.
2. Double-unmap bug: When info DMA mapping failed, the code would
unmap sfc->daddr inline, then fall through to out_map_data which
would unmap it again, causing a double-unmap.
3. Wrong unmap size: The out_map_info label used datalen instead of
infolen when unmapping sfc->iaddr, which could lead to incorrect
DMA sync behavior.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9 , < 0a83d6c9e149a176340190fa9cbadf2266db4c9a (git); Affected: 4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9 , < c0b88f1176074f80140ed77fce909f254b7180ab (git); Affected: 4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9 , < b20b437666e1cb26a7c499d1664e8f2a0ac67000 (git) | |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-amlogic-spifc-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a83d6c9e149a176340190fa9cbadf2266db4c9a",
"status": "affected",
"version": "4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9",
"versionType": "git"
},
{
"lessThan": "c0b88f1176074f80140ed77fce909f254b7180ab",
"status": "affected",
"version": "4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9",
"versionType": "git"
},
{
"lessThan": "b20b437666e1cb26a7c499d1664e8f2a0ac67000",
"status": "affected",
"version": "4670db6f32e9379f5ab6c9bb2a6787cd9b9230a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-amlogic-spifc-a4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: amlogic: spifc-a4: Fix DMA mapping error handling\n\nFix three bugs in aml_sfc_dma_buffer_setup() error paths:\n1. Unnecessary goto: When the first DMA mapping (sfc-\u003edaddr) fails,\n nothing needs cleanup. Use direct return instead of goto.\n2. Double-unmap bug: When info DMA mapping failed, the code would\n unmap sfc-\u003edaddr inline, then fall through to out_map_data which\n would unmap it again, causing a double-unmap.\n3. Wrong unmap size: The out_map_info label used datalen instead of\n infolen when unmapping sfc-\u003eiaddr, which could lead to incorrect\n DMA sync behavior."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:02.472Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a83d6c9e149a176340190fa9cbadf2266db4c9a"
},
{
"url": "https://git.kernel.org/stable/c/c0b88f1176074f80140ed77fce909f254b7180ab"
},
{
"url": "https://git.kernel.org/stable/c/b20b437666e1cb26a7c499d1664e8f2a0ac67000"
}
],
"title": "spi: amlogic: spifc-a4: Fix DMA mapping error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43461",
"datePublished": "2026-05-08T14:22:23.999Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:25:02.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43460 (GCVE-0-2026-43460)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
spi: rockchip-sfc: Fix double-free in remove() callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: rockchip-sfc: Fix double-free in remove() callback
The driver uses devm_spi_register_controller() for registration, which
automatically unregisters the controller via devm cleanup when the
device is removed. The manual call to spi_unregister_controller() in
the remove() callback can lead to a double-free.
To make sure the controller is unregistered before the DMA buffer is
unmapped, switch to spi_register_controller() in probe().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 8011709906d0d6ff1ba9589de5a906bf6e430782 , < b6051f2bdd4bd3dde85b68558edd3a6843489221 (git); Affected: 8011709906d0d6ff1ba9589de5a906bf6e430782 , < 85fb53351e6a3b921357a2178671e847a087e400 (git); Affected: 8011709906d0d6ff1ba9589de5a906bf6e430782 , < 111e2863372c322e836e0c896f6dd9cf4ee08c71 (git) | |
| Linux | Linux | Affected: 6.14; Unaffected: 0 , < 6.14 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-rockchip-sfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6051f2bdd4bd3dde85b68558edd3a6843489221",
"status": "affected",
"version": "8011709906d0d6ff1ba9589de5a906bf6e430782",
"versionType": "git"
},
{
"lessThan": "85fb53351e6a3b921357a2178671e847a087e400",
"status": "affected",
"version": "8011709906d0d6ff1ba9589de5a906bf6e430782",
"versionType": "git"
},
{
"lessThan": "111e2863372c322e836e0c896f6dd9cf4ee08c71",
"status": "affected",
"version": "8011709906d0d6ff1ba9589de5a906bf6e430782",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-rockchip-sfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rockchip-sfc: Fix double-free in remove() callback\n\nThe driver uses devm_spi_register_controller() for registration, which\nautomatically unregisters the controller via devm cleanup when the\ndevice is removed. The manual call to spi_unregister_controller() in\nthe remove() callback can lead to a double-free.\n\nAnd to make sure controller is unregistered before DMA buffer is\nunmapped, switch to use spi_register_controller() in probe()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:00.962Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221"
},
{
"url": "https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400"
},
{
"url": "https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71"
}
],
"title": "spi: rockchip-sfc: Fix double-free in remove() callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43460",
"datePublished": "2026-05-08T14:22:23.332Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:25:00.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43459 (GCVE-0-2026-43459)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
ASoC: soc-core: flush delayed work before removing DAIs and widgets
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-core: flush delayed work before removing DAIs and widgets
When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
Severity ?
7.3 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < bf80a89da97285d9b877e0c6995e870d46b8025c (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < 3887e514978d28216246360b46a9cb534969eb5a (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < 231568afbc0cd25b8fb2a94ebf9738eabe1cf007 (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < 317a9298c54bb00319da73e5a7179f00e67fcbdf (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < eab71e11ce2447c1e01809cbc11eab4234cf8dc8 (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < 7d33e6140945482a07f8089ee86e13e02553ffdb (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < c054f0607c8bb1b1aa529bc109e4149298a1cccd (git); Affected: e894efef9ac7c10b7727798dcc711cccf07569f9 , < 95bc5c225513fc3c4ce169563fb5e3929fbb938b (git) | |
| Linux | Linux | Affected: 4.20; Unaffected: 0 , < 4.20 (semver); Unaffected: 5.10.253 , ≤ 5.10.* (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf80a89da97285d9b877e0c6995e870d46b8025c",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "3887e514978d28216246360b46a9cb534969eb5a",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "231568afbc0cd25b8fb2a94ebf9738eabe1cf007",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "317a9298c54bb00319da73e5a7179f00e67fcbdf",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "eab71e11ce2447c1e01809cbc11eab4234cf8dc8",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "7d33e6140945482a07f8089ee86e13e02553ffdb",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "c054f0607c8bb1b1aa529bc109e4149298a1cccd",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
},
{
"lessThan": "95bc5c225513fc3c4ce169563fb5e3929fbb938b",
"status": "affected",
"version": "e894efef9ac7c10b7727798dcc711cccf07569f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-core: flush delayed work before removing DAIs and widgets\n\nWhen a sound card is unbound while a PCM stream is open, a\nuse-after-free can occur in snd_soc_dapm_stream_event(), called from\nthe close_delayed_work workqueue handler.\n\nDuring unbind, snd_soc_unbind_card() flushes delayed work and then\ncalls soc_cleanup_card_resources(). Inside cleanup,\nsnd_card_disconnect_sync() releases all PCM file descriptors, and\nthe resulting PCM close path can call snd_soc_dapm_stream_stop()\nwhich schedules new delayed work with a pmdown_time timer delay.\nSince this happens after the flush in snd_soc_unbind_card(), the\nnew work is not caught. soc_remove_link_components() then frees\nDAPM widgets before this work fires, leading to the use-after-free.\n\nThe existing flush in soc_free_pcm_runtime() also cannot help as it\nruns after soc_remove_link_components() has already freed the widgets.\n\nAdd a flush in soc_cleanup_card_resources() after\nsnd_card_disconnect_sync() (after which no new PCM closes can\nschedule further delayed work) and before soc_remove_link_dais()\nand soc_remove_link_components() (which tear down the structures the\ndelayed work accesses)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:59.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c"
},
{
"url": "https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a"
},
{
"url": "https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007"
},
{
"url": "https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf"
},
{
"url": "https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8"
},
{
"url": "https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb"
},
{
"url": "https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd"
},
{
"url": "https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b"
}
],
"title": "ASoC: soc-core: flush delayed work before removing DAIs and widgets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43459",
"datePublished": "2026-05-08T14:22:22.651Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:59.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43458 (GCVE-0-2026-43458)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
serial: caif: hold tty->link reference in ldisc_open and ser_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: caif: hold tty->link reference in ldisc_open and ser_release
A reproducer triggers a KASAN slab-use-after-free in pty_write_room()
when caif_serial's TX path calls tty_write_room(). The faulting access
is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line
discipline: get it in ldisc_open() and drop it in ser_release(), and
also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in
my testing.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 23a3ac2e2262a291498567418227b99e1f3606b1 (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 52135420e9f75853ea0c6cea7b736e3e98495f7d (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < ca2ceba983bb23ea0202c2882d963253416654a3 (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 8460187b4852fd00bd1c76394358053f3fa4d089 (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 27e43356d0defb9fc7fa25265219a3ffeb7b3e98 (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 35b58d3bc716ebb9ebd10fe1cac8c1177242511c (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 97a0bb491cae39478c6225381f14e9ac67b7bba7 (git); Affected: e31d5a05948e4478ba8396063d1e1f39880928e2 , < 288598d80a068a0e9281de35bcb4ce495f189e2a (git) | |
| Linux | Linux | Affected: 2.6.35; Unaffected: 0 , < 2.6.35 (semver); Unaffected: 5.10.253 , ≤ 5.10.* (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/caif/caif_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23a3ac2e2262a291498567418227b99e1f3606b1",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "52135420e9f75853ea0c6cea7b736e3e98495f7d",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "ca2ceba983bb23ea0202c2882d963253416654a3",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "8460187b4852fd00bd1c76394358053f3fa4d089",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "27e43356d0defb9fc7fa25265219a3ffeb7b3e98",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "35b58d3bc716ebb9ebd10fe1cac8c1177242511c",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "97a0bb491cae39478c6225381f14e9ac67b7bba7",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
},
{
"lessThan": "288598d80a068a0e9281de35bcb4ce495f189e2a",
"status": "affected",
"version": "e31d5a05948e4478ba8396063d1e1f39880928e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/caif/caif_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: caif: hold tty-\u003elink reference in ldisc_open and ser_release\n\nA reproducer triggers a KASAN slab-use-after-free in pty_write_room()\nwhen caif_serial\u0027s TX path calls tty_write_room(). The faulting access\nis on tty-\u003elink-\u003eport.\n\nHold an extra kref on tty-\u003elink for the lifetime of the caif_serial line\ndiscipline: get it in ldisc_open() and drop it in ser_release(), and\nalso drop it on the ldisc_open() error path.\n\nWith this change applied, the reproducer no longer triggers the UAF in\nmy testing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:58.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1"
},
{
"url": "https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d"
},
{
"url": "https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3"
},
{
"url": "https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089"
},
{
"url": "https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98"
},
{
"url": "https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c"
},
{
"url": "https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7"
},
{
"url": "https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a"
}
],
"title": "serial: caif: hold tty-\u003elink reference in ldisc_open and ser_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43458",
"datePublished": "2026-05-08T14:22:21.997Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:58.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43457 (GCVE-0-2026-43457)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
mctp: i2c: fix skb memory leak in receive path
Summary
In the Linux kernel, the following vulnerability has been resolved:
mctp: i2c: fix skb memory leak in receive path
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed
by netif_rx(), so the skb must be freed directly.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < 0fb2adbdd5c03e8c9ebcdc48afd414b2724c85eb
(git)
Affected: f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < d7900a43b0a314a645ca0a2adf45928dbc7001f4 (git) Affected: f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < 9f81be2ab9d8e4744871bfb3e868ef413413829f (git) Affected: f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < 1ec54187e1aa40a4cfa2b265e9a311179f24b98d (git) Affected: f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < 1b1be322342a6b0085bf6ee52235e5ac9834ec25 (git) Affected: f5b8abf9fc3dacd7529d363e26fe8230935d65f8 , < e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/mctp/mctp-i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0fb2adbdd5c03e8c9ebcdc48afd414b2724c85eb",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
},
{
"lessThan": "d7900a43b0a314a645ca0a2adf45928dbc7001f4",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
},
{
"lessThan": "9f81be2ab9d8e4744871bfb3e868ef413413829f",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
},
{
"lessThan": "1ec54187e1aa40a4cfa2b265e9a311179f24b98d",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
},
{
"lessThan": "1b1be322342a6b0085bf6ee52235e5ac9834ec25",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
},
{
"lessThan": "e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69",
"status": "affected",
"version": "f5b8abf9fc3dacd7529d363e26fe8230935d65f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/mctp/mctp-i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: i2c: fix skb memory leak in receive path\n\nWhen \u0027midev-\u003eallow_rx\u0027 is false, the newly allocated skb isn\u0027t consumed\nby netif_rx(), it needs to free the skb directly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:57.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fb2adbdd5c03e8c9ebcdc48afd414b2724c85eb"
},
{
"url": "https://git.kernel.org/stable/c/d7900a43b0a314a645ca0a2adf45928dbc7001f4"
},
{
"url": "https://git.kernel.org/stable/c/9f81be2ab9d8e4744871bfb3e868ef413413829f"
},
{
"url": "https://git.kernel.org/stable/c/1ec54187e1aa40a4cfa2b265e9a311179f24b98d"
},
{
"url": "https://git.kernel.org/stable/c/1b1be322342a6b0085bf6ee52235e5ac9834ec25"
},
{
"url": "https://git.kernel.org/stable/c/e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69"
}
],
"title": "mctp: i2c: fix skb memory leak in receive path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43457",
"datePublished": "2026-05-08T14:22:20.725Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:57.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43456 (GCVE-0-2026-43456)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
bonding: fix type confusion in bond_setup_by_slave()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix type confusion in bond_setup_by_slave()
kernel BUG at net/core/skbuff.c:2306!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306
RSP: 0018:ffffc90004aff760 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e
RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900
RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780
R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0
Call Trace:
<TASK>
ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900
dev_hard_header include/linux/netdevice.h:3439 [inline]
packet_snd net/packet/af_packet.c:3028 [inline]
packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa54/0xc30 net/socket.c:2592
___sys_sendmsg+0x190/0x1e0 net/socket.c:2646
__sys_sendmsg+0x170/0x220 net/socket.c:2678
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1a0e6c1a9
When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,
bond_setup_by_slave() directly copies the slave's header_ops to the
bond device:
bond_dev->header_ops = slave_dev->header_ops;
This causes a type confusion when dev_hard_header() is later called
on the bond device. Functions like ipgre_header() and ip6gre_header() all use
netdev_priv(dev) to access their device-specific private data. When
called with the bond device, netdev_priv() returns the bond's private
data (struct bonding) instead of the expected type (e.g. struct
ip_tunnel), leading to garbage values being read and kernel crashes.
Fix this by introducing bond_header_ops with wrapper functions that
delegate to the active slave's header_ops using the slave's own
device. This ensures netdev_priv() in the slave's header functions
always receives the correct device.
The fix is placed in the bonding driver rather than individual device
drivers, as the root cause is bond blindly inheriting header_ops from
the slave without considering that these callbacks expect a specific
netdev_priv() layout.
The type confusion can be observed by adding a printk in
ipgre_header() and running the following commands:
ip link add dummy0 type dummy
ip addr add 10.0.0.1/24 dev dummy0
ip link set dummy0 up
ip link add gre1 type gre local 10.0.0.1
ip link add bond1 type bond mode active-backup
ip link set gre1 master bond1
ip link set gre1 up
ip link set bond1 up
ip addr add fe80::1/64 dev bond1
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1284cd3a2b740d0118458d2ea470a1e5bc19b187 , < 9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d
(git)
Affected: 1284cd3a2b740d0118458d2ea470a1e5bc19b187 , < 6ac890f1d60ac3707ee8dae15a67d9a833e49956 (git) Affected: 1284cd3a2b740d0118458d2ea470a1e5bc19b187 , < 95597d11dc8bddb2b9a051c9232000bfbb5e43ba (git) Affected: 1284cd3a2b740d0118458d2ea470a1e5bc19b187 , < 950803f7254721c1c15858fbbfae3deaaeeecb11 (git) |
|
| Linux | Linux |
Affected:
2.6.24
Unaffected: 0 , < 2.6.24 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d",
"status": "affected",
"version": "1284cd3a2b740d0118458d2ea470a1e5bc19b187",
"versionType": "git"
},
{
"lessThan": "6ac890f1d60ac3707ee8dae15a67d9a833e49956",
"status": "affected",
"version": "1284cd3a2b740d0118458d2ea470a1e5bc19b187",
"versionType": "git"
},
{
"lessThan": "95597d11dc8bddb2b9a051c9232000bfbb5e43ba",
"status": "affected",
"version": "1284cd3a2b740d0118458d2ea470a1e5bc19b187",
"versionType": "git"
},
{
"lessThan": "950803f7254721c1c15858fbbfae3deaaeeecb11",
"status": "affected",
"version": "1284cd3a2b740d0118458d2ea470a1e5bc19b187",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix type confusion in bond_setup_by_slave()\n\nkernel BUG at net/core/skbuff.c:2306!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306\nRSP: 0018:ffffc90004aff760 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e\nRDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900\nRBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000\nR10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780\nR13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900\n dev_hard_header include/linux/netdevice.h:3439 [inline]\n packet_snd net/packet/af_packet.c:3028 [inline]\n packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592\n ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646\n __sys_sendmsg+0x170/0x220 net/socket.c:2678\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe1a0e6c1a9\n\nWhen a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,\nbond_setup_by_slave() directly copies the slave\u0027s header_ops to the\nbond device:\n\n bond_dev-\u003eheader_ops = slave_dev-\u003eheader_ops;\n\nThis causes a type confusion when dev_hard_header() is later called\non the bond device. Functions like ipgre_header(), ip6gre_header(),all use\nnetdev_priv(dev) to access their device-specific private data. When\ncalled with the bond device, netdev_priv() returns the bond\u0027s private\ndata (struct bonding) instead of the expected type (e.g. struct\nip_tunnel), leading to garbage values being read and kernel crashes.\n\nFix this by introducing bond_header_ops with wrapper functions that\ndelegate to the active slave\u0027s header_ops using the slave\u0027s own\ndevice. This ensures netdev_priv() in the slave\u0027s header functions\nalways receives the correct device.\n\nThe fix is placed in the bonding driver rather than individual device\ndrivers, as the root cause is bond blindly inheriting header_ops from\nthe slave without considering that these callbacks expect a specific\nnetdev_priv() layout.\n\nThe type confusion can be observed by adding a printk in\nipgre_header() and running the following commands:\n\n ip link add dummy0 type dummy\n ip addr add 10.0.0.1/24 dev dummy0\n ip link set dummy0 up\n ip link add gre1 type gre local 10.0.0.1\n ip link add bond1 type bond mode active-backup\n ip link set gre1 master bond1\n ip link set gre1 up\n ip link set bond1 up\n ip addr add fe80::1/64 dev bond1"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:56.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d"
},
{
"url": "https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956"
},
{
"url": "https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba"
},
{
"url": "https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11"
}
],
"title": "bonding: fix type confusion in bond_setup_by_slave()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43456",
"datePublished": "2026-05-08T14:22:20.036Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:56.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43455 (GCVE-0-2026-43455)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
mctp: route: hold key->lock in mctp_flow_prepare_output()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mctp: route: hold key->lock in mctp_flow_prepare_output()
mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev) // sees NULL
                                        mctp_flow_prepare_output(key, devB)
                                          if (!key->dev) // still NULL
                                            mctp_dev_set_key(devB, key)
                                              mctp_dev_hold(devB)
                                              key->dev = devB
      mctp_dev_set_key(devA, key)
        mctp_dev_hold(devA)
        key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.
Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 47893166bc5611ee9a20de6b8d2933b2320fb772
(git)
Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 86f5334fcb48a5b611c33364ab52ca684d0f6d91 (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 0695712f3a6f1a48915f95767cfb42077683dcdc (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 8d27d9b260dd19c1b519e1a13de6448f9984e30e (git) Affected: 67737c457281dd199ceb9e31b6ba7efd3bfe566d , < 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a (git) |
|
| Linux | Linux |
Affected:
5.16
Unaffected: 0 , < 5.16 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47893166bc5611ee9a20de6b8d2933b2320fb772",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "86f5334fcb48a5b611c33364ab52ca684d0f6d91",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "0695712f3a6f1a48915f95767cfb42077683dcdc",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "8d27d9b260dd19c1b519e1a13de6448f9984e30e",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
},
{
"lessThan": "7d86aa41c073c4e7eb75fd2e674f1fd8f289728a",
"status": "affected",
"version": "67737c457281dd199ceb9e31b6ba7efd3bfe566d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mctp/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: route: hold key-\u003elock in mctp_flow_prepare_output()\n\nmctp_flow_prepare_output() checks key-\u003edev and may call\nmctp_dev_set_key(), but it does not hold key-\u003elock while doing so.\n\nmctp_dev_set_key() and mctp_dev_release_key() are annotated with\n__must_hold(\u0026key-\u003elock), so key-\u003edev access is intended to be\nserialized by key-\u003elock. The mctp_sendmsg() transmit path reaches\nmctp_flow_prepare_output() via mctp_local_output() -\u003e mctp_dst_output()\nwithout holding key-\u003elock, so the check-and-set sequence is racy.\n\nExample interleaving:\n\n CPU0 CPU1\n ---- ----\n mctp_flow_prepare_output(key, devA)\n if (!key-\u003edev) // sees NULL\n mctp_flow_prepare_output(\n key, devB)\n if (!key-\u003edev) // still NULL\n mctp_dev_set_key(devB, key)\n mctp_dev_hold(devB)\n key-\u003edev = devB\n mctp_dev_set_key(devA, key)\n mctp_dev_hold(devA)\n key-\u003edev = devA // overwrites devB\n\nNow both devA and devB references were acquired, but only the final\nkey-\u003edev value is tracked for release. One reference can be lost,\ncausing a resource leak as mctp_dev_release_key() would only decrease\nthe reference on one dev.\n\nFix by taking key-\u003elock around the key-\u003edev check and\nmctp_dev_set_key() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:55.256Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772"
},
{
"url": "https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91"
},
{
"url": "https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc"
},
{
"url": "https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f"
},
{
"url": "https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e"
},
{
"url": "https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a"
}
],
"title": "mctp: route: hold key-\u003elock in mctp_flow_prepare_output()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43455",
"datePublished": "2026-05-08T14:22:19.375Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:55.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43454 (GCVE-0-2026-43454)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
netfilter: nf_tables: Fix for duplicate device in netdev hooks
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix for duplicate device in netdev hooks
When handling NETDEV_REGISTER notification, duplicate device
registration must be avoided since the device may have been added by
nft_netdev_hook_alloc() already when creating the hook.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a331b78a552551d0e404e58e6390b1c828d6af8f , < 6d2a95c6890577cc3eab2b20018e16850d7fb094
(git)
Affected: a331b78a552551d0e404e58e6390b1c828d6af8f , < 2041cdb078041611510fc189410bc70b29f688fb (git) Affected: a331b78a552551d0e404e58e6390b1c828d6af8f , < b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_chain_filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d2a95c6890577cc3eab2b20018e16850d7fb094",
"status": "affected",
"version": "a331b78a552551d0e404e58e6390b1c828d6af8f",
"versionType": "git"
},
{
"lessThan": "2041cdb078041611510fc189410bc70b29f688fb",
"status": "affected",
"version": "a331b78a552551d0e404e58e6390b1c828d6af8f",
"versionType": "git"
},
{
"lessThan": "b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b",
"status": "affected",
"version": "a331b78a552551d0e404e58e6390b1c828d6af8f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_chain_filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix for duplicate device in netdev hooks\n\nWhen handling NETDEV_REGISTER notification, duplicate device\nregistration must be avoided since the device may have been added by\nnft_netdev_hook_alloc() already when creating the hook."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:54.071Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d2a95c6890577cc3eab2b20018e16850d7fb094"
},
{
"url": "https://git.kernel.org/stable/c/2041cdb078041611510fc189410bc70b29f688fb"
},
{
"url": "https://git.kernel.org/stable/c/b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b"
}
],
"title": "netfilter: nf_tables: Fix for duplicate device in netdev hooks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43454",
"datePublished": "2026-05-08T14:22:18.719Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:54.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43453 (GCVE-0-2026-43453)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
    BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
    Read of size 4 at addr ffff8000810e71a4

    This frame has 1 object:
    [32, 160) 'rulemap'

    The buggy address is at offset 164 -- exactly 4 bytes past the end
    of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 1957e793196e7f8557374fd4eda53abcbb42e1c0 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 60c1d18781e37bfb96290b86510eb01c5fa24d75 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 0a55d62cdb628923d8a21724374a70c76ac7d19d (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < dfbdac719198778b581bc0dd055df2542edb8c62 (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < e047f6fbb975f685d6c9fcef95b3b7787a79b46d (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < 324b749aa5b2d516ccfab933df9d3f56e7807f5f (git) Affected: 3c4287f62044a90e73a561aa05fc46e62da173da , < d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 (git) | |
| Linux | Linux | Affected: 5.6 Unaffected: 0 , < 5.6 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1957e793196e7f8557374fd4eda53abcbb42e1c0",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "60c1d18781e37bfb96290b86510eb01c5fa24d75",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "0a55d62cdb628923d8a21724374a70c76ac7d19d",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "dfbdac719198778b581bc0dd055df2542edb8c62",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "e047f6fbb975f685d6c9fcef95b3b7787a79b46d",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "324b749aa5b2d516ccfab933df9d3f56e7807f5f",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
},
{
"lessThan": "d6d8cd2db236a9dd13dbc2d05843b3445cc964b5",
"status": "affected",
"version": "3c4287f62044a90e73a561aa05fc46e62da173da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_pipapo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()\n\npipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the\nto_offset argument on every iteration, including the last one where\ni == m-\u003efield_count - 1. This reads one element past the end of the\nstack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]\nwith NFT_PIPAPO_MAX_FIELDS == 16).\n\nAlthough pipapo_unmap() returns early when is_last is true without\nusing the to_offset value, the argument is evaluated at the call site\nbefore the function body executes, making this a genuine out-of-bounds\nstack read confirmed by KASAN:\n\n BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]\n Read of size 4 at addr ffff8000810e71a4\n\n This frame has 1 object:\n [32, 160) \u0027rulemap\u0027\n\n The buggy address is at offset 164 -- exactly 4 bytes past the end\n of the rulemap array.\n\nPass 0 instead of rulemap[i + 1].n on the last iteration to avoid\nthe out-of-bounds read."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:52.944Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0"
},
{
"url": "https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e"
},
{
"url": "https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75"
},
{
"url": "https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d"
},
{
"url": "https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62"
},
{
"url": "https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d"
},
{
"url": "https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f"
},
{
"url": "https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5"
}
],
"title": "netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43453",
"datePublished": "2026-05-08T14:22:18.087Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:52.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43452 (GCVE-0-2026-43452)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
netfilter: x_tables: guard option walkers against 1-byte tail reads
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: guard option walkers against 1-byte tail reads
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.
Severity ?
8.2 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < c2a445367a496a3c25dbc940c10c8bd1cfd4c14a (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < ae1e1267650638136b84c23f2b31250f0ccb6823 (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < c39f84e4be1be63fc60ca7141ea7b76edcea5907 (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < 9b94f0e42ed248eb31929da84ed9f5310d7ff540 (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < 5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < bc18551c6169eac5ed813778d3e3e484002dbbe5 (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < d04800323336eebf441d153f43234eac9b833d36 (git) Affected: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc , < cfe770220ac2dbd3e104c6b45094037455da81d4 (git) | |
| Linux | Linux | Affected: 2.6.16 Unaffected: 0 , < 2.6.16 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_dccp.c",
"net/netfilter/xt_tcpudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2a445367a496a3c25dbc940c10c8bd1cfd4c14a",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "ae1e1267650638136b84c23f2b31250f0ccb6823",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "c39f84e4be1be63fc60ca7141ea7b76edcea5907",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "9b94f0e42ed248eb31929da84ed9f5310d7ff540",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "bc18551c6169eac5ed813778d3e3e484002dbbe5",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "d04800323336eebf441d153f43234eac9b833d36",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
},
{
"lessThan": "cfe770220ac2dbd3e104c6b45094037455da81d4",
"status": "affected",
"version": "2e4e6a17af35be359cc8f1c924f8f198fbd478cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_dccp.c",
"net/netfilter/xt_tcpudp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: guard option walkers against 1-byte tail reads\n\nWhen the last byte of options is a non-single-byte option kind, walkers\nthat advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end\nof the option area.\n\nAdd an explicit i == optlen - 1 check before dereferencing op[i + 1]\nin xt_tcpudp and xt_dccp option walkers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:51.810Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a"
},
{
"url": "https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823"
},
{
"url": "https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907"
},
{
"url": "https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540"
},
{
"url": "https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c"
},
{
"url": "https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5"
},
{
"url": "https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36"
},
{
"url": "https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4"
}
],
"title": "netfilter: x_tables: guard option walkers against 1-byte tail reads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43452",
"datePublished": "2026-05-08T14:22:17.361Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:51.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43451 (GCVE-0-2026-43451)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue
entry from the queue data structures, taking ownership of the entry.
For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN
attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN
present but NFQA_VLAN_TCI missing), the function returns immediately
without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held
references (net_device refcounts, struct net refcount). Repeated
triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict
on the error path, consistent with other error handling in this file.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < a907bea273b60d3e604ec4e8e1f6c49954805794 (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < 0b18d1b834ab5a5009be70b530f978d7989e445b (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < b38d2b4603fd3dda24eb8b3dd81c18a0930be97b (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < 47b1c5d1b0944aa88299f55a846fabaefc756982 (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < cf4a4df38d1747e06fc54f9879bd7a6f4178032f (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < 9853d94b82d303fc4ac37d592a23a154096ecd41 (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < 208669df703a25a601f45822b10c413f258bf275 (git) Affected: 8d45ff22f1b43249f0cf1baafe0262ca10d1666e , < f1ba83755d81c6fc66ac7acd723d238f974091e9 (git) | |
| Linux | Linux | Affected: 4.7 Unaffected: 0 , < 4.7 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a907bea273b60d3e604ec4e8e1f6c49954805794",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "0b18d1b834ab5a5009be70b530f978d7989e445b",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "b38d2b4603fd3dda24eb8b3dd81c18a0930be97b",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "47b1c5d1b0944aa88299f55a846fabaefc756982",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "cf4a4df38d1747e06fc54f9879bd7a6f4178032f",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "9853d94b82d303fc4ac37d592a23a154096ecd41",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "208669df703a25a601f45822b10c413f258bf275",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
},
{
"lessThan": "f1ba83755d81c6fc66ac7acd723d238f974091e9",
"status": "affected",
"version": "8d45ff22f1b43249f0cf1baafe0262ca10d1666e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: fix entry leak in bridge verdict error path\n\nnfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue\nentry from the queue data structures, taking ownership of the entry.\nFor PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN\nattributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN\npresent but NFQA_VLAN_TCI missing), the function returns immediately\nwithout freeing the dequeued entry or its sk_buff.\n\nThis leaks the nf_queue_entry, its associated sk_buff, and all held\nreferences (net_device refcounts, struct net refcount). Repeated\ntriggering exhausts kernel memory.\n\nFix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict\non the error path, consistent with other error handling in this file."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:50.659Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794"
},
{
"url": "https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b"
},
{
"url": "https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b"
},
{
"url": "https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982"
},
{
"url": "https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f"
},
{
"url": "https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41"
},
{
"url": "https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275"
},
{
"url": "https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9"
}
],
"title": "netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43451",
"datePublished": "2026-05-08T14:22:16.716Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:50.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43450 (GCVE-0-2026-43450)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.
    BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
    Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
    Call Trace:
     nfnl_cthelper_dump_table+0x9f/0x1b0
     netlink_dump+0x333/0x880
     netlink_recvmsg+0x3e2/0x4b0
     sock_recvmsg+0xde/0xf0
     __sys_recvfrom+0x150/0x200
     __x64_sys_recvfrom+0x76/0x90
     do_syscall_64+0xc3/0x6e0

    Allocated by task 1:
     __kvmalloc_node_noprof+0x21b/0x700
     nf_ct_alloc_hashtable+0x65/0xd0
     nf_conntrack_helper_init+0x21/0x60
     nf_conntrack_init_start+0x18d/0x300
     nf_conntrack_standalone_init+0x12/0xc0
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 0605e1985a95d4334a67869aee45a47e82301abf (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 92441f6d9405a0c18d03f278b395e782f79a4a30 (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 3cc328ffc32ddb389cba7b78b6aa95d995c2876e (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 4a1f6ee69267a5f524102c028981410eeacfa3da (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 894c5780ddadd5fde0e16f66587918e6be1504c4 (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 05018cd9370f77bb18fbf6e15ff33c7a06f10b3c (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 61b3a1f8621df1a5928118313f133996f6a786db (git) Affected: 12f7a505331e6b2754684b509f2ac8f0011ce644 , < 6dcee8496d53165b2d8a5909b3050b62ae71fe89 (git) | |
| Linux | Linux | Affected: 3.6 Unaffected: 0 , < 3.6 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_cthelper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0605e1985a95d4334a67869aee45a47e82301abf",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "92441f6d9405a0c18d03f278b395e782f79a4a30",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "3cc328ffc32ddb389cba7b78b6aa95d995c2876e",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "4a1f6ee69267a5f524102c028981410eeacfa3da",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "894c5780ddadd5fde0e16f66587918e6be1504c4",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "05018cd9370f77bb18fbf6e15ff33c7a06f10b3c",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "61b3a1f8621df1a5928118313f133996f6a786db",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
},
{
"lessThan": "6dcee8496d53165b2d8a5909b3050b62ae71fe89",
"status": "affected",
"version": "12f7a505331e6b2754684b509f2ac8f0011ce644",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_cthelper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a \u0027goto restart\u0027 that jumps to a label\ninside the for loop body. When the \"last\" helper saved in cb-\u003eargs[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb-\u003eargs[1] is never cleared. The for loop finishes with\ncb-\u003eargs[0] == nf_ct_helper_hsize, and the \u0027goto restart\u0027 jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe \u0027goto restart\u0027 block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it. Move the block into the for loop body so that\nthe restart only occurs while cb-\u003eargs[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n nfnl_cthelper_dump_table+0x9f/0x1b0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n sock_recvmsg+0xde/0xf0\n __sys_recvfrom+0x150/0x200\n __x64_sys_recvfrom+0x76/0x90\n do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n __kvmalloc_node_noprof+0x21b/0x700\n nf_ct_alloc_hashtable+0x65/0xd0\n nf_conntrack_helper_init+0x21/0x60\n nf_conntrack_init_start+0x18d/0x300\n nf_conntrack_standalone_init+0x12/0xc0"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:49.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf"
},
{
"url": "https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30"
},
{
"url": "https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e"
},
{
"url": "https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da"
},
{
"url": "https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4"
},
{
"url": "https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c"
},
{
"url": "https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db"
},
{
"url": "https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89"
}
],
"title": "netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43450",
"datePublished": "2026-05-08T14:22:15.915Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:49.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43449 (GCVE-0-2026-43449)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 00000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 2b9d605c3f0d3262142f196249cd3bd58c857c71
(git)
Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 86183d550559e45e07059bbdf17331fea469e38c (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < d7990c936e25f484b61a5adeeadc1d290a9fd16e (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 83e6edd6358326c9c2de31a54bb4a1ec50703f1f (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 50bad78f03a02d3c0f228edf9912b494d3e7acb9 (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 328c551f0cc81ee776b186b86cc6e5253bb6fda7 (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < 78279d2d74c58a0ed64e43cf601a02649771182e (git) Affected: 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf , < b4e78f1427c7d6859229ae9616df54e1fc05a516 (git) Affected: 930bb3092fe606baa23d57ae59b70b291d67a8af (git) Affected: fd1c1de8c4589fdd528733bfd01ed0c5f3f69204 (git) Affected: 4940816604e3ce7e05e8df297773ee86c0476d48 (git) Affected: 55a3b1ad694631cc2698b5500ac5865d7d0f064e (git) |
|
| Linux | Linux |
Affected:
5.10
Unaffected: 0 , < 5.10 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b9d605c3f0d3262142f196249cd3bd58c857c71",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "86183d550559e45e07059bbdf17331fea469e38c",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "d7990c936e25f484b61a5adeeadc1d290a9fd16e",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "83e6edd6358326c9c2de31a54bb4a1ec50703f1f",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "50bad78f03a02d3c0f228edf9912b494d3e7acb9",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "328c551f0cc81ee776b186b86cc6e5253bb6fda7",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "78279d2d74c58a0ed64e43cf601a02649771182e",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"lessThan": "b4e78f1427c7d6859229ae9616df54e1fc05a516",
"status": "affected",
"version": "0f0d2c876c96d4908a9ef40959a44bec21bdd6cf",
"versionType": "git"
},
{
"status": "affected",
"version": "930bb3092fe606baa23d57ae59b70b291d67a8af",
"versionType": "git"
},
{
"status": "affected",
"version": "fd1c1de8c4589fdd528733bfd01ed0c5f3f69204",
"versionType": "git"
},
{
"status": "affected",
"version": "4940816604e3ce7e05e8df297773ee86c0476d48",
"versionType": "git"
},
{
"status": "affected",
"version": "55a3b1ad694631cc2698b5500ac5865d7d0f064e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.161",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set\n\ndev-\u003eonline_queues is a count incremented in nvme_init_queue. Thus,\nvalid indices are 0 through dev-\u003eonline_queues \u2212 1.\n\nThis patch fixes the loop condition to ensure the index stays within the\nvalid range. Index 0 is excluded because it is the admin queue.\n\nKASAN splat:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\nRead of size 2 at addr ffff88800592a574 by task kworker/u8:5/74\n\nCPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: nvme-reset-wq nvme_reset_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x5d0 mm/kasan/report.c:482\n kasan_report+0xdc/0x110 mm/kasan/report.c:595\n __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379\n nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\n nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\n nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\n\nAllocated by task 34 on cpu 1 at 4.241550s:\n kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57\n kasan_save_track+0x1c/0x70 
mm/kasan/common.c:78\n kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663\n kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]\n nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]\n nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534\n local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324\n pci_call_probe drivers/pci/pci-driver.c:392 [inline]\n __pci_device_probe drivers/pci/pci-driver.c:417 [inline]\n pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451\n call_driver_probe drivers/base/dd.c:583 [inline]\n really_probe+0x29b/0xb70 drivers/base/dd.c:661\n __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803\n driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833\n __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159\n async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff88800592a000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 244 bytes to the right of\n allocated 1152-byte region [ffff88800592a000, ffff88800592a480)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: f5(slab)\nraw: 000fffffc0000040 ffff888001042000 0000000000000000 
dead000000000001\nraw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000\nhead: 000fffffc0000040 ffff888001042000 00000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:48.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71"
},
{
"url": "https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c"
},
{
"url": "https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e"
},
{
"url": "https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f"
},
{
"url": "https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9"
},
{
"url": "https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7"
},
{
"url": "https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e"
},
{
"url": "https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516"
}
],
"title": "nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43449",
"datePublished": "2026-05-08T14:22:15.276Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:48.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43448 (GCVE-0-2026-43448)
Vulnerability from nvd – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:24
Title
nvme-pci: Fix race bug in nvme_poll_irqdisable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix race bug in nvme_poll_irqdisable()
In the following scenario, pdev can be disabled by (2) between (1) and
(3). This sets pdev->msix_enabled = 0. pci_irq_vector() then returns the
MSI-X IRQ (>15) at (1) but the INTx IRQ (<=15) once (2) has run.
This causes an IRQ warning, because the code tries to enable an INTx IRQ
that has never been disabled.
To fix this, save the IRQ number in a local variable and ensure that
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, calling disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the
depth accounting remains balanced.
task 1:
nvme_poll_irqdisable()
disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
nvme_dev_disable()
pdev->msix_enabled = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
<TASK>
enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
__sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
bt_for_each block/blk-mq-tag.c:324 [inline]
blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
irq event stamp: 74478
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120
---truncated---
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < 265dbc9bc33c29f60f90be3e0afe1c4067ebb70b
(git)
Affected: fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < 628773eba024d1107cc9ec157a682cbb42ac912a (git) Affected: fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < 843e913cef4e33723663a899727f685a95ab53fe (git) Affected: fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < b56c49897bdac5cb49e3495ef421c391628ee9bb (git) Affected: fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < e311d84c62eb76e025e11a44155b402e55950b83 (git) Affected: fa059b856a593a7bddd4d3779ae8ab1380e05d91 , < fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "265dbc9bc33c29f60f90be3e0afe1c4067ebb70b",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
},
{
"lessThan": "628773eba024d1107cc9ec157a682cbb42ac912a",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
},
{
"lessThan": "843e913cef4e33723663a899727f685a95ab53fe",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
},
{
"lessThan": "b56c49897bdac5cb49e3495ef421c391628ee9bb",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
},
{
"lessThan": "e311d84c62eb76e025e11a44155b402e55950b83",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
},
{
"lessThan": "fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e",
"status": "affected",
"version": "fa059b856a593a7bddd4d3779ae8ab1380e05d91",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix race bug in nvme_poll_irqdisable()\n\nIn the following scenario, pdev can be disabled between (1) and (3) by\n(2). This sets pdev-\u003emsix_enabled = 0. Then, pci_irq_vector() will\nreturn MSI-X IRQ(\u003e15) for (1) whereas return INTx IRQ(\u003c=15) for (2).\nThis causes IRQ warning because it tries to enable INTx IRQ that has\nnever been disabled before.\n\nTo fix this, save IRQ number into a local variable and ensure\ndisable_irq() and enable_irq() operate on the same IRQ number. Even if\npci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and\nenable_irq() on a stale IRQ number is still valid and safe, and the\ndepth accounting reamins balanced.\n\ntask 1:\nnvme_poll_irqdisable()\n disable_irq(pci_irq_vector(pdev, nvmeq-\u003ecq_vector)) ...(1)\n enable_irq(pci_irq_vector(pdev, nvmeq-\u003ecq_vector)) ...(3)\n\ntask 2:\nnvme_reset_work()\n nvme_dev_disable()\n pdev-\u003emsix_enable = 0; ...(2)\n\ncrash log:\n\n------------[ cut here ]------------\nUnbalanced enable for IRQ 10\nWARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26\nModules linked in:\nCPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753\nCode: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c \u003c67\u003e 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9\nRSP: 0018:ffffc900001bf550 EFLAGS: 00010046\nRAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90\nRDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0\nRBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 
0000000000000001\nR10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000\nR13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293\nFS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n enable_irq+0x121/0x1e0 kernel/irq/manage.c:797\n nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494\n nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744\n blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]\n blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721\n bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292\n __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]\n sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]\n bt_for_each block/blk-mq-tag.c:324 [inline]\n blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536\n blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\nirq event stamp: 74478\nhardirqs last enabled at (74477): [\u003cffffffffb5720a9c\u003e] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]\nhardirqs last enabled at (74477): [\u003cffffffffb5720a9c\u003e] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202\nhardirqs last disabled at (74478): [\u003cffffffffb57207b5\u003e] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]\nhardirqs last disabled at (74478): [\u003cffffffffb57207b5\u003e] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162\nsoftirqs last enabled at (74304): [\u003cffffffffb1e9466c\u003e] __do_softirq kernel/softirq.c:656 
[inline]\nsoftirqs last enabled at (74304): [\u003cffffffffb1e9466c\u003e] invoke_softirq kernel/softirq.c:496 [inline]\nsoftirqs last enabled at (74304): [\u003cffffffffb1e9466c\u003e] __irq_exit_rcu+0xdc/0x120\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:24:47.245Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/265dbc9bc33c29f60f90be3e0afe1c4067ebb70b"
},
{
"url": "https://git.kernel.org/stable/c/628773eba024d1107cc9ec157a682cbb42ac912a"
},
{
"url": "https://git.kernel.org/stable/c/843e913cef4e33723663a899727f685a95ab53fe"
},
{
"url": "https://git.kernel.org/stable/c/b56c49897bdac5cb49e3495ef421c391628ee9bb"
},
{
"url": "https://git.kernel.org/stable/c/e311d84c62eb76e025e11a44155b402e55950b83"
},
{
"url": "https://git.kernel.org/stable/c/fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e"
}
],
"title": "nvme-pci: Fix race bug in nvme_poll_irqdisable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43448",
"datePublished": "2026-05-08T14:22:14.633Z",
"dateReserved": "2026-05-01T14:12:56.010Z",
"dateUpdated": "2026-05-11T22:24:47.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from cvelistv5 – Published: 2026-05-11 06:26 – Updated: 2026-05-20 16:08
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data(), or a chained frag list as reported by skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec(), so the decrypted output is written into pages the skb does not exclusively own.
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b (git)<br>Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git)<br>Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git)<br>Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git)<br>Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) |
| Linux | Linux | Affected: 5.3<br>Unaffected: 0 , < 5.3 (semver)<br>Unaffected: 6.6.140 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.88 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.29 , ≤ 6.18.* (semver)<br>Unaffected: 7.0.6 , ≤ 7.0.* (semver)<br>Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |

Each "Unaffected: X , ≤ Y.*" entry marks stable series Y as fixed from release X onward; within a series, releases from 5.3 up to (but not including) X are affected.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:08:12.294Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-05-20T16:08:12.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}