Vulnerability-Lookup

CERTFR-2026-AVI-0454

Vulnerability from certfr_avis - Published: 2026-04-17 - Updated: 2026-04-17

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SUSE	N/A	SUSE Linux Enterprise High Performance Computing 15 SP5
SUSE	N/A	SUSE Linux Enterprise Micro 5.3
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP7
SUSE	N/A	SUSE Linux Enterprise Micro for Rancher 5.2
SUSE	N/A	SUSE Linux Enterprise High Performance Computing 12 SP5
SUSE	N/A	SUSE Linux Enterprise Server 12 SP5
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP4
SUSE	N/A	openSUSE Leap 15.4
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP7
SUSE	N/A	openSUSE Leap 15.5
SUSE	N/A	SUSE Linux Enterprise High Performance Computing 15 SP4
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP6
SUSE	N/A	SUSE Linux Enterprise Server 15 SP5
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP5
SUSE	N/A	SUSE Linux Enterprise Live Patching 12-SP5
SUSE	N/A	SUSE Linux Micro 6.2
SUSE	N/A	SUSE Linux Enterprise Server 15 SP7
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP7
SUSE	N/A	SUSE Linux Enterprise Live Patching 15-SP5
SUSE	N/A	SUSE Linux Enterprise Micro 5.2
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP6
SUSE	N/A	openSUSE Leap 15.6
SUSE	N/A	SUSE Linux Enterprise Server 15 SP4
SUSE	N/A	SUSE Linux Enterprise Real Time 15 SP4
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE	N/A	SUSE Linux Enterprise Micro 5.4
SUSE	N/A	openSUSE Leap 15.3
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE	N/A	SUSE Linux Enterprise Server 15 SP6
SUSE	N/A	SUSE Linux Enterprise Micro 5.5

References

Title

Publication Time

CVE-2023-53794 (GCVE-0-2023-53794)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-05-23 15:31

Title

cifs: fix session state check in reconnect to avoid use-after-free issue

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon. Note that the exiting session will stay in server->smb_ses_list until it complete the cifs_free_ipc() and logoff() and then delete itself from the list.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/7e4f5c3f01fb0e51c…
https://git.kernel.org/stable/c/759ffc164d95a32c0…
https://git.kernel.org/stable/c/99f280700b4cc02d5…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 7e4f5c3f01fb0e51ca438e43262d858daf9a0a76 (git) Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 759ffc164d95a32c09528766d74d9b4fb054e8f4 (git) Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 99f280700b4cc02d5f141b8d15f8e9fad0418f65 (git) Affected: 655e0c067f0e02ece03fd0591dabe3db2ae27552 (git) Affected: 875cc09c0767a4ac06b57af383709657f98b3ea1 (git) Affected: 599fe1409085059ba12a2c3897c853be9fa9e7cf (git) Affected: 2e4378ee60049b752c9dce16f62ce6fbd11b379a (git) Affected: 59b520454b323ec43b2ae757217332cea33091e0 (git) Affected: e20c888e2b3576e5f498c167729d274ef60b86f8 (git) Affected: 4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba (git) Affected: 419fad68e4c4135ff9859e9214dd6cf954413ca1 (git) Affected: 3.10.103 , < 3.11 (semver) Affected: 3.12.63 , < 3.13 (semver) Affected: 3.14.74 , < 3.15 (semver) Affected: 3.16.37 , < 3.17 (semver) Affected: 3.18.37 , < 3.19 (semver) Affected: 4.1.28 , < 4.2 (semver) Affected: 4.4.16 , < 4.5 (semver) Affected: 4.6.5 , < 4.7 (semver)
Linux	Linux	Affected: 4.7 Unaffected: 0 , < 4.7 (semver) Unaffected: 6.1.47 , ≤ 6.1.* (semver) Unaffected: 6.4.12 , ≤ 6.4.* (semver) Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e4f5c3f01fb0e51ca438e43262d858daf9a0a76",
              "status": "affected",
              "version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
              "versionType": "git"
            },
            {
              "lessThan": "759ffc164d95a32c09528766d74d9b4fb054e8f4",
              "status": "affected",
              "version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
              "versionType": "git"
            },
            {
              "lessThan": "99f280700b4cc02d5f141b8d15f8e9fad0418f65",
              "status": "affected",
              "version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "655e0c067f0e02ece03fd0591dabe3db2ae27552",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "875cc09c0767a4ac06b57af383709657f98b3ea1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "599fe1409085059ba12a2c3897c853be9fa9e7cf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2e4378ee60049b752c9dce16f62ce6fbd11b379a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "59b520454b323ec43b2ae757217332cea33091e0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e20c888e2b3576e5f498c167729d274ef60b86f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "419fad68e4c4135ff9859e9214dd6cf954413ca1",
              "versionType": "git"
            },
            {
              "lessThan": "3.11",
              "status": "affected",
              "version": "3.10.103",
              "versionType": "semver"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.63",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15",
              "status": "affected",
              "version": "3.14.74",
              "versionType": "semver"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.37",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.37",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.28",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.16",
              "versionType": "semver"
            },
            {
              "lessThan": "4.7",
              "status": "affected",
              "version": "4.6.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.47",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.12",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.63",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix session state check in reconnect to avoid use-after-free issue\n\nDon\u0027t collect exiting session in smb2_reconnect_server(), because it\nwill be released soon.\n\nNote that the exiting session will stay in server-\u003esmb_ses_list until\nit complete the cifs_free_ipc() and logoff() and then delete itself\nfrom the list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:31:00.459Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e4f5c3f01fb0e51ca438e43262d858daf9a0a76"
        },
        {
          "url": "https://git.kernel.org/stable/c/759ffc164d95a32c09528766d74d9b4fb054e8f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/99f280700b4cc02d5f141b8d15f8e9fad0418f65"
        }
      ],
      "title": "cifs: fix session state check in reconnect to avoid use-after-free issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53794",
    "datePublished": "2025-12-09T00:00:51.061Z",
    "dateReserved": "2025-12-08T23:58:35.274Z",
    "dateUpdated": "2026-05-23T15:31:00.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38234 (GCVE-0-2025-38234)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

sched/rt: Fix race in push_rt_task

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview ======== When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue then it will call find_lock_lowest_rq method which would take a double lock on both CPUs' runqueues. If one of the locks aren't readily available, it may lead to dropping the current runqueue lock and reacquiring both the locks at once. During this window it is possible that the task is already migrated and is running on some other CPU. These cases are already handled. However, if the task is migrated and has already been executed and another CPU is now trying to wake it up (ttwu) such that it is queued again on the runqeue (on_rq is 1) and also if the task was run by the same CPU, then the current checks will pass even though the task was migrated out and is no longer in the pushable tasks list. Crashes ======= This bug resulted in quite a few flavors of crashes triggering kernel panics with various crash signatures such as assert failures, page faults, null pointer dereferences, and queue corruption errors all coming from scheduler itself. Some of the crashes: -> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? pick_next_task_rt+0x6e/0x1d0 ? do_error_trap+0x64/0xa0 ? pick_next_task_rt+0x6e/0x1d0 ? exc_invalid_op+0x4c/0x60 ? pick_next_task_rt+0x6e/0x1d0 ? asm_exc_invalid_op+0x12/0x20 ? pick_next_task_rt+0x6e/0x1d0 __schedule+0x5cb/0x790 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: kernel NULL pointer dereference, address: 00000000000000c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? __warn+0x8a/0xe0 ? exc_page_fault+0x3d6/0x520 ? asm_exc_page_fault+0x1e/0x30 ? pick_next_task_rt+0xb5/0x1d0 ? pick_next_task_rt+0x8c/0x1d0 __schedule+0x583/0x7e0 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: unable to handle page fault for address: ffff9464daea5900 kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p)) -> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? dequeue_top_rt_rq+0xa2/0xb0 ? do_error_trap+0x64/0xa0 ? dequeue_top_rt_rq+0xa2/0xb0 ? exc_invalid_op+0x4c/0x60 ? dequeue_top_rt_rq+0xa2/0xb0 ? asm_exc_invalid_op+0x12/0x20 ? dequeue_top_rt_rq+0xa2/0xb0 dequeue_rt_entity+0x1f/0x70 dequeue_task_rt+0x2d/0x70 __schedule+0x1a8/0x7e0 ? blk_finish_plug+0x25/0x40 schedule+0x3c/0xb0 futex_wait_queue_me+0xb6/0x120 futex_wait+0xd9/0x240 do_futex+0x344/0xa90 ? get_mm_exe_file+0x30/0x60 ? audit_exe_compare+0x58/0x70 ? audit_filter_rules.constprop.26+0x65e/0x1220 __x64_sys_futex+0x148/0x1f0 do_syscall_64+0x30/0x80 entry_SYSCALL_64_after_hwframe+0x62/0xc7 -> BUG: unable to handle page fault for address: ffff8cf3608bc2c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? spurious_kernel_fault+0x171/0x1c0 ? exc_page_fault+0x3b6/0x520 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? asm_exc_page_fault+0x1e/0x30 ? _cond_resched+0x15/0x30 ? futex_wait_queue_me+0xc8/0x120 ? futex_wait+0xd9/0x240 ? try_to_wake_up+0x1b8/0x490 ? futex_wake+0x78/0x160 ? do_futex+0xcd/0xa90 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? plist_del+0x6a/0xd0 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? dequeue_pushable_task+0x20/0x70 ? __schedule+0x382/0x7e0 ? asm_sysvec_reschedule_i ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/9f6022b2573ae0687…
https://git.kernel.org/stable/c/debfbc047196df1f6…
https://git.kernel.org/stable/c/07ecabfbca64f4f0b…
https://git.kernel.org/stable/c/690e47d1403e90b7f…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 9f6022b2573ae068793810db719e131df3ded405 (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < debfbc047196df1f6bfd52f2d028c21dce67f0de (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 07ecabfbca64f4f0b6071cf96e49d162fa9d138d (git) Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 690e47d1403e90b7f2366f03b52ed3304194c793 (git)
Linux	Linux	Affected: 2.6.25 Unaffected: 0 , < 2.6.25 (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.64 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f6022b2573ae068793810db719e131df3ded405",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "debfbc047196df1f6bfd52f2d028c21dce67f0de",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "07ecabfbca64f4f0b6071cf96e49d162fa9d138d",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "690e47d1403e90b7f2366f03b52ed3304194c793",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.124",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? do_error_trap+0x64/0xa0\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? exc_invalid_op+0x4c/0x60\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? pick_next_task_rt+0x6e/0x1d0\n   __schedule+0x5cb/0x790\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? __warn+0x8a/0xe0\n   ? exc_page_fault+0x3d6/0x520\n   ? asm_exc_page_fault+0x1e/0x30\n   ? pick_next_task_rt+0xb5/0x1d0\n   ? pick_next_task_rt+0x8c/0x1d0\n   __schedule+0x583/0x7e0\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n   kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? do_error_trap+0x64/0xa0\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? exc_invalid_op+0x4c/0x60\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   dequeue_rt_entity+0x1f/0x70\n   dequeue_task_rt+0x2d/0x70\n   __schedule+0x1a8/0x7e0\n   ? blk_finish_plug+0x25/0x40\n   schedule+0x3c/0xb0\n   futex_wait_queue_me+0xb6/0x120\n   futex_wait+0xd9/0x240\n   do_futex+0x344/0xa90\n   ? get_mm_exe_file+0x30/0x60\n   ? audit_exe_compare+0x58/0x70\n   ? audit_filter_rules.constprop.26+0x65e/0x1220\n   __x64_sys_futex+0x148/0x1f0\n   do_syscall_64+0x30/0x80\n   entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? spurious_kernel_fault+0x171/0x1c0\n   ? exc_page_fault+0x3b6/0x520\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? asm_exc_page_fault+0x1e/0x30\n   ? _cond_resched+0x15/0x30\n   ? futex_wait_queue_me+0xc8/0x120\n   ? futex_wait+0xd9/0x240\n   ? try_to_wake_up+0x1b8/0x490\n   ? futex_wake+0x78/0x160\n   ? do_futex+0xcd/0xa90\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? plist_del+0x6a/0xd0\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? dequeue_pushable_task+0x20/0x70\n   ? __schedule+0x382/0x7e0\n   ? asm_sysvec_reschedule_i\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:49.953Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f6022b2573ae068793810db719e131df3ded405"
        },
        {
          "url": "https://git.kernel.org/stable/c/debfbc047196df1f6bfd52f2d028c21dce67f0de"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ecabfbca64f4f0b6071cf96e49d162fa9d138d"
        },
        {
          "url": "https://git.kernel.org/stable/c/690e47d1403e90b7f2366f03b52ed3304194c793"
        }
      ],
      "title": "sched/rt: Fix race in push_rt_task",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38234",
    "datePublished": "2025-07-04T13:37:46.960Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-11T21:23:49.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39973 (GCVE-0-2025-39973)

Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2026-05-11 21:40

Title

i40e: add validation for ring_len param

Summary

In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a multiple of 32.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/0543d40d6513cdf1c…
https://git.kernel.org/stable/c/7d749e38dd2b7e8a8…
https://git.kernel.org/stable/c/45a7527cd7da4cdcf…
https://git.kernel.org/stable/c/d3b0d3f8d11fa9571…
https://git.kernel.org/stable/c/c0c83f4cd074b75ce…
https://git.kernel.org/stable/c/05fe81fb9db20464f…
https://git.kernel.org/stable/c/afec12adab55d1070…
https://git.kernel.org/stable/c/55d225670def06b01…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 0543d40d6513cdf1c7882811086e59a6455dfe97 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < d3b0d3f8d11fa957171fbb186e53998361a88d4e (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < c0c83f4cd074b75cecef107bfc349be7d516c9c4 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 05fe81fb9db20464fa532a3835dc8300d68a2f84 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < afec12adab55d10708179a64d95d650741e60fe0 (git) Affected: 5c3c48ac6bf56367c4e89f6453cd2d61e50375bd , < 55d225670def06b01af2e7a5e0446fbe946289e8 (git)
Linux	Linux	Affected: 3.12 Unaffected: 0 , < 3.12 (semver) Unaffected: 5.4.300 , ≤ 5.4.* (semver) Unaffected: 5.10.245 , ≤ 5.10.* (semver) Unaffected: 5.15.194 , ≤ 5.15.* (semver) Unaffected: 6.1.155 , ≤ 6.1.* (semver) Unaffected: 6.6.109 , ≤ 6.6.* (semver) Unaffected: 6.12.50 , ≤ 6.12.* (semver) Unaffected: 6.16.10 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0543d40d6513cdf1c7882811086e59a6455dfe97",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "d3b0d3f8d11fa957171fbb186e53998361a88d4e",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "c0c83f4cd074b75cecef107bfc349be7d516c9c4",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "05fe81fb9db20464fa532a3835dc8300d68a2f84",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "afec12adab55d10708179a64d95d650741e60fe0",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            },
            {
              "lessThan": "55d225670def06b01af2e7a5e0446fbe946289e8",
              "status": "affected",
              "version": "5c3c48ac6bf56367c4e89f6453cd2d61e50375bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.300",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.245",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.194",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.300",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.245",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.194",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.155",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.109",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.50",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.10",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:40:00.452Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0543d40d6513cdf1c7882811086e59a6455dfe97"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d749e38dd2b7e8a80da2ca30c93e09de95bfcf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/45a7527cd7da4cdcf3b06b5c0cb1cae30b5a5985"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3b0d3f8d11fa957171fbb186e53998361a88d4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0c83f4cd074b75cecef107bfc349be7d516c9c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/05fe81fb9db20464fa532a3835dc8300d68a2f84"
        },
        {
          "url": "https://git.kernel.org/stable/c/afec12adab55d10708179a64d95d650741e60fe0"
        },
        {
          "url": "https://git.kernel.org/stable/c/55d225670def06b01af2e7a5e0446fbe946289e8"
        }
      ],
      "title": "i40e: add validation for ring_len param",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39973",
    "datePublished": "2025-10-15T07:55:55.590Z",
    "dateReserved": "2025-04-16T07:20:57.149Z",
    "dateUpdated": "2026-05-11T21:40:00.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40018 (GCVE-0-2025-40018)

Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2026-05-11 21:40

Title

ipvs: Defer ip_vs_ftp unregister during netns cleanup

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/8a6ecab3847c213ce…
https://git.kernel.org/stable/c/421b1ae1574dfdda6…
https://git.kernel.org/stable/c/1d79471414d7b9424…
https://git.kernel.org/stable/c/53717f8a4347b78ea…
https://git.kernel.org/stable/c/8cbe2a21d85727b66…
https://git.kernel.org/stable/c/dc1a481359a72ee7e…
https://git.kernel.org/stable/c/a343811ef138a2654…
https://git.kernel.org/stable/c/134121bfd99a06d44…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 8a6ecab3847c213ce2855b0378e63ce839085de3 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 421b1ae1574dfdda68b835c15ac4921ec0030182 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 1d79471414d7b9424d699afff2aa79fff322f52d (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 53717f8a4347b78eac6488072ad8e5adbaff38d9 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 8cbe2a21d85727b66d7c591fd5d83df0d8c4f757 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < dc1a481359a72ee7e548f1f5da671282a7c13b8f (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < a343811ef138a265407167294275201621e9ebb2 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 134121bfd99a06d44ef5ba15a9beb075297c0821 (git)
Linux	Linux	Affected: 2.6.39 Unaffected: 0 , < 2.6.39 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_ftp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a6ecab3847c213ce2855b0378e63ce839085de3",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "421b1ae1574dfdda68b835c15ac4921ec0030182",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "1d79471414d7b9424d699afff2aa79fff322f52d",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "53717f8a4347b78eac6488072ad8e5adbaff38d9",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "8cbe2a21d85727b66d7c591fd5d83df0d8c4f757",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "dc1a481359a72ee7e548f1f5da671282a7c13b8f",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "a343811ef138a265407167294275201621e9ebb2",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "134121bfd99a06d44ef5ba15a9beb075297c0821",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_ftp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.112",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.53",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp-\u003eapp pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:40:53.340Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a6ecab3847c213ce2855b0378e63ce839085de3"
        },
        {
          "url": "https://git.kernel.org/stable/c/421b1ae1574dfdda68b835c15ac4921ec0030182"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d79471414d7b9424d699afff2aa79fff322f52d"
        },
        {
          "url": "https://git.kernel.org/stable/c/53717f8a4347b78eac6488072ad8e5adbaff38d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cbe2a21d85727b66d7c591fd5d83df0d8c4f757"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc1a481359a72ee7e548f1f5da671282a7c13b8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a343811ef138a265407167294275201621e9ebb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/134121bfd99a06d44ef5ba15a9beb075297c0821"
        }
      ],
      "title": "ipvs: Defer ip_vs_ftp unregister during netns cleanup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40018",
    "datePublished": "2025-10-24T11:44:28.955Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2026-05-11T21:40:53.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40159 (GCVE-0-2025-40159)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2026-05-11 21:43

Title

xsk: Harden userspace-supplied xdp_desc validation

Summary

In the Linux kernel, the following vulnerability has been resolved: xsk: Harden userspace-supplied xdp_desc validation Turned out certain clearly invalid values passed in xdp_desc from userspace can pass xp_{,un}aligned_validate_desc() and then lead to UBs or just invalid frames to be queued for xmit. desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len can cause positive integer overflow and wraparound, the same way low enough desc->addr with a non-zero pool->tx_metadata_len can cause negative integer overflow. Both scenarios can then pass the validation successfully. This doesn't happen with valid XSk applications, but can be used to perform attacks. Always promote desc->len to ``u64`` first to exclude positive overflows of it. Use explicit check_{add,sub}_overflow() when validating desc->addr (which is ``u64`` already). bloat-o-meter reports a little growth of the code size: add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) Function old new delta xskq_cons_peek_desc 299 330 +31 xsk_tx_peek_release_desc_batch 973 1002 +29 xsk_generic_xmit 3148 3132 -16 but hopefully this doesn't hurt the performance much.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/1463cd066f32efd56…
https://git.kernel.org/stable/c/5b5fffa7c81e55d8c…
https://git.kernel.org/stable/c/07ca98f906a403637…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 1463cd066f32efd56ddfd3ac4e3524200f362980 (git) Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 5b5fffa7c81e55d8c8edf05ad40d811ec7047e21 (git) Affected: 341ac980eab90ac1f6c22ee9f9da83ed9604d899 , < 07ca98f906a403637fc5e513a872a50ef1247f3b (git)
Linux	Linux	Affected: 6.8 Unaffected: 0 , < 6.8 (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_queue.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1463cd066f32efd56ddfd3ac4e3524200f362980",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            },
            {
              "lessThan": "5b5fffa7c81e55d8c8edf05ad40d811ec7047e21",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            },
            {
              "lessThan": "07ca98f906a403637fc5e513a872a50ef1247f3b",
              "status": "affected",
              "version": "341ac980eab90ac1f6c22ee9f9da83ed9604d899",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xdp/xsk_queue.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction                                     old     new   delta\nxskq_cons_peek_desc                          299     330     +31\nxsk_tx_peek_release_desc_batch               973    1002     +29\nxsk_generic_xmit                            3148    3132     -16\n\nbut hopefully this doesn\u0027t hurt the performance much."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:43:52.846Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1463cd066f32efd56ddfd3ac4e3524200f362980"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b5fffa7c81e55d8c8edf05ad40d811ec7047e21"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ca98f906a403637fc5e513a872a50ef1247f3b"
        }
      ],
      "title": "xsk: Harden userspace-supplied xdp_desc validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40159",
    "datePublished": "2025-11-12T10:24:36.104Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2026-05-11T21:43:52.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71120 (GCVE-0-2025-71120)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-05-23 16:03

Title

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

Summary

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/a8f1e445ce3545c90…
https://git.kernel.org/stable/c/4dedb6a11243a5c9e…
https://git.kernel.org/stable/c/f9e53f69ac3bc4ef5…
https://git.kernel.org/stable/c/7452d53f293379e2c…
https://git.kernel.org/stable/c/a2c6f25ab98b423f9…
https://git.kernel.org/stable/c/1c8bb965e9b0559ff…
https://git.kernel.org/stable/c/d4b69a6186b215d2d…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a8f1e445ce3545c90d69c9e8ff8f7821825fe810 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < f9e53f69ac3bc4ef568b08d3542edac02e83fefd (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 7452d53f293379e2c38cfa8ad0694aa46fc4788b (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a2c6f25ab98b423f99ccd94874d655b8bcb01a19 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 1c8bb965e9b0559ff0f5690615a527c30f651dd8 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < d4b69a6186b215d2dc1ebcab965ed88e8d41768d (git) Affected: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git) Affected: 7be8c165dc81564705e8e0b72d398ef708f67eaa (git) Affected: 4.19.99 , < 4.20 (semver) Affected: 5.4.15 , < 5.5 (semver)
Linux	Linux	Affected: 5.5 Unaffected: 0 , < 5.5 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.64 , ≤ 6.12.* (semver) Unaffected: 6.18.3 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
              "versionType": "git"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.99",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.15",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:03:14.907Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
        }
      ],
      "title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71120",
    "datePublished": "2026-01-14T15:06:07.194Z",
    "dateReserved": "2026-01-13T15:30:19.654Z",
    "dateUpdated": "2026-05-23T16:03:14.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22999 (GCVE-0-2026-22999)

Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-05-11 21:58

Title

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/2a64fb9b47afffeb5…
https://git.kernel.org/stable/c/cff6cd703f41d8071…
https://git.kernel.org/stable/c/f06f7635499bc806c…
https://git.kernel.org/stable/c/0a234660dc70ce45d…
https://git.kernel.org/stable/c/362e269bb03f7076b…
https://git.kernel.org/stable/c/e9d8f11652fa08c64…
https://git.kernel.org/stable/c/3879cffd9d07aa037…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < cff6cd703f41d8071995956142729e4bba160363 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f06f7635499bc806cbe2bbc8805c7cef8b1edddf (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 0a234660dc70ce45d771cbc76b20d925b73ec160 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 362e269bb03f7076ba9990e518aeddb898232e50 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < e9d8f11652fa08c647bf7bba7dd8163241a332cd (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.67 , ≤ 6.12.* (semver) Unaffected: 6.18.7 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "cff6cd703f41d8071995956142729e4bba160363",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "f06f7635499bc806cbe2bbc8805c7cef8b1edddf",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "0a234660dc70ce45d771cbc76b20d925b73ec160",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "362e269bb03f7076ba9990e518aeddb898232e50",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "e9d8f11652fa08c647bf7bba7dd8163241a332cd",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            },
            {
              "lessThan": "3879cffd9d07aa0377c4b8835c4f64b4fb24ac78",
              "status": "affected",
              "version": "462dbc9101acd38e92eda93c0726857517a24bbd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_qfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.67",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:58:02.934Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"
        },
        {
          "url": "https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"
        },
        {
          "url": "https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"
        }
      ],
      "title": "net/sched: sch_qfq: do not free existing class in qfq_change_class()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-22999",
    "datePublished": "2026-01-25T14:36:13.909Z",
    "dateReserved": "2026-01-13T15:37:45.938Z",
    "dateUpdated": "2026-05-11T21:58:02.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23074 (GCVE-0-2026-23074)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:07 – Updated: 2026-05-11 21:59

Title

net/sched: Enforce that teql can only be used as root qdisc

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/73d970ff0eddd874a…
https://git.kernel.org/stable/c/ae810e6a8ac4fe250…
https://git.kernel.org/stable/c/dad49a67c2d817bfe…
https://git.kernel.org/stable/c/0686bedfed3415552…
https://git.kernel.org/stable/c/4c7e8aa71c9232cba…
https://git.kernel.org/stable/c/16ed73c1282d376b9…
https://git.kernel.org/stable/c/50da4b9d07a7a463e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 73d970ff0eddd874a84c953387c7f4464b705fc6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae810e6a8ac4fe25042e6825d2a401207a2e41fb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad49a67c2d817bfec98e6e45121b351e3a0202c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0686bedfed34155520f3f735cbf3210cb9044380 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c7e8aa71c9232cba84c289b4b56cba80b280841 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 16ed73c1282d376b956bff23e5139add061767ba (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_teql.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "73d970ff0eddd874a84c953387c7f4464b705fc6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae810e6a8ac4fe25042e6825d2a401207a2e41fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dad49a67c2d817bfec98e6e45121b351e3a0202c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0686bedfed34155520f3f735cbf3210cb9044380",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c7e8aa71c9232cba84c289b4b56cba80b280841",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "16ed73c1282d376b956bff23e5139add061767ba",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_teql.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n  \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n  \u2514\u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql\u0027s enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql\u0027s\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2\u0027s lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc\u0027s\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem\u0027s delay), a dangling pointer is\naccessed causing GangMin\u0027s causing a UAF."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:59:29.932Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841"
        },
        {
          "url": "https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"
        }
      ],
      "title": "net/sched: Enforce that teql can only be used as root qdisc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23074",
    "datePublished": "2026-02-04T16:07:59.379Z",
    "dateReserved": "2026-01-13T15:37:45.958Z",
    "dateUpdated": "2026-05-11T21:59:29.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23103 (GCVE-0-2026-23103)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-05-11 22:00

Title

ipvlan: Make the addrs_lock be per port

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/3c149b662cbb202a4…
https://git.kernel.org/stable/c/70feb16e3fbfb10b1…
https://git.kernel.org/stable/c/88f83e6c9cdb46b8c…
https://git.kernel.org/stable/c/04ba6de6eff61238e…
https://git.kernel.org/stable/c/1f300c10d92c547c3…
https://git.kernel.org/stable/c/6a81e2db096913d7e…
https://git.kernel.org/stable/c/d3ba32162488283c0…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 3c149b662cbb202a450e81f938e702ba333864ad (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 70feb16e3fbfb10b15de1396557c38e99f1ab8df (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 88f83e6c9cdb46b8c8ddd0ba01393362963cf589 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 04ba6de6eff61238e5397c14ac26a6578c7735a5 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 1f300c10d92c547c3a7d978e1212ff52f18256ed (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 6a81e2db096913d7e43aada1c350c1282e76db39 (git) Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < d3ba32162488283c0a4c5bedd8817aec91748802 (git)
Linux	Linux	Affected: 4.17 Unaffected: 0 , < 4.17 (semver) Unaffected: 5.10.249 , ≤ 5.10.* (semver) Unaffected: 5.15.199 , ≤ 5.15.* (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.68 , ≤ 6.12.* (semver) Unaffected: 6.18.8 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan.h",
            "drivers/net/ipvlan/ipvlan_core.c",
            "drivers/net/ipvlan/ipvlan_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c149b662cbb202a450e81f938e702ba333864ad",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "70feb16e3fbfb10b15de1396557c38e99f1ab8df",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "88f83e6c9cdb46b8c8ddd0ba01393362963cf589",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "04ba6de6eff61238e5397c14ac26a6578c7735a5",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "1f300c10d92c547c3a7d978e1212ff52f18256ed",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "6a81e2db096913d7e43aada1c350c1282e76db39",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "d3ba32162488283c0a4c5bedd8817aec91748802",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan.h",
            "drivers/net/ipvlan/ipvlan_core.c",
            "drivers/net/ipvlan/ipvlan_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:00:10.728Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df"
        },
        {
          "url": "https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589"
        },
        {
          "url": "https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802"
        }
      ],
      "title": "ipvlan: Make the addrs_lock be per port",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23103",
    "datePublished": "2026-02-04T16:08:24.771Z",
    "dateReserved": "2026-01-13T15:37:45.966Z",
    "dateUpdated": "2026-05-11T22:00:10.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23111 (GCVE-0-2026-23111)

Vulnerability from cvelistv5 – Published: 2026-02-13 13:29 – Updated: 2026-05-23 16:03

Title

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/8c760ba4e36c75037…
https://git.kernel.org/stable/c/b9b6573421de51829…
https://git.kernel.org/stable/c/42c574c1504aa089a…
https://git.kernel.org/stable/c/1444ff890b4653add…
https://git.kernel.org/stable/c/8b68a45f9722f2bab…
https://git.kernel.org/stable/c/f41c5d151078c5348…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 , < 8c760ba4e36c750379d13569f23f5a6e185333f5 (git) Affected: d60be2da67d172aecf866302c91ea11533eca4d9 , < b9b6573421de51829f7ec1cce76d85f5f6fbbd7f (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 42c574c1504aa089a0a142e4c13859327570473d (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 1444ff890b4653add12f734ffeffc173d42862dd (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 8b68a45f9722f2babe9e7bad00aa74638addf081 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < f41c5d151078c5348271ffaf8e7410d96f2d82f8 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) Affected: 5.15.121 , < 5.15.200 (semver) Affected: 6.1.36 , < 6.1.163 (semver) Affected: 4.19.316 , < 4.20 (semver) Affected: 5.4.262 , < 5.5 (semver) Affected: 5.10.188 , < 5.11 (semver) Affected: 6.3.10 , < 6.4 (semver)
Linux	Linux	Affected: 6.4 Unaffected: 0 , < 6.4 (semver) Unaffected: 5.15.200 , ≤ 5.15.* (semver) Unaffected: 6.1.163 , ≤ 6.1.* (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.70 , ≤ 6.12.* (semver) Unaffected: 6.18.10 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c760ba4e36c750379d13569f23f5a6e185333f5",
              "status": "affected",
              "version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
              "versionType": "git"
            },
            {
              "lessThan": "b9b6573421de51829f7ec1cce76d85f5f6fbbd7f",
              "status": "affected",
              "version": "d60be2da67d172aecf866302c91ea11533eca4d9",
              "versionType": "git"
            },
            {
              "lessThan": "42c574c1504aa089a0a142e4c13859327570473d",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "1444ff890b4653add12f734ffeffc173d42862dd",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "8b68a45f9722f2babe9e7bad00aa74638addf081",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "f41c5d151078c5348271ffaf8e7410d96f2d82f8",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.200",
              "status": "affected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.163",
              "status": "affected",
              "version": "6.1.36",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.316",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.262",
              "versionType": "semver"
            },
            {
              "lessThan": "5.11",
              "status": "affected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThan": "6.4",
              "status": "affected",
              "version": "6.3.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.200",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.200",
                  "versionStartIncluding": "5.15.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.163",
                  "versionStartIncluding": "6.1.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.124",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.70",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.316",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u003egenmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:03:52.668Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
        },
        {
          "url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
        }
      ],
      "title": "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23111",
    "datePublished": "2026-02-13T13:29:55.895Z",
    "dateReserved": "2026-01-13T15:37:45.968Z",
    "dateUpdated": "2026-05-23T16:03:52.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2026-AVI-0454

Solutions

CVE-2023-53794 (GCVE-0-2023-53794)

CVE-2025-38234 (GCVE-0-2025-38234)

CVE-2025-39973 (GCVE-0-2025-39973)

CVE-2025-40018 (GCVE-0-2025-40018)

CVE-2025-40159 (GCVE-0-2025-40159)

CVE-2025-71120 (GCVE-0-2025-71120)

CVE-2026-22999 (GCVE-0-2026-22999)

CVE-2026-23074 (GCVE-0-2026-23074)

CVE-2026-23103 (GCVE-0-2026-23103)

CVE-2026-23111 (GCVE-0-2026-23111)

Tags

Sightings

Nomenclature