CERTFR-2026-AVI-0526
Vulnerability from certfr_avis - Published: 2026-05-04 - Updated: 2026-05-04
Multiple vulnerabilities have been discovered in Microsoft products. They allow an attacker to cause a security problem not specified by the vendor.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 kernel versions ant\u00e9rieures \u00e0 6.6.137.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31623",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31623"
},
{
"name": "CVE-2026-31619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31619"
},
{
"name": "CVE-2026-31658",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31658"
},
{
"name": "CVE-2026-31618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31618"
},
{
"name": "CVE-2026-31578",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31578"
},
{
"name": "CVE-2026-31696",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31696"
},
{
"name": "CVE-2026-31704",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31704"
},
{
"name": "CVE-2026-31685",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
},
{
"name": "CVE-2026-31656",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31656"
},
{
"name": "CVE-2026-31698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31698"
},
{
"name": "CVE-2026-31664",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31664"
},
{
"name": "CVE-2026-31597",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31597"
},
{
"name": "CVE-2026-31586",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31586"
},
{
"name": "CVE-2026-31721",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31721"
},
{
"name": "CVE-2026-31655",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31655"
},
{
"name": "CVE-2026-31711",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31711"
},
{
"name": "CVE-2026-31611",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31611"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2026-31599",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31599"
},
{
"name": "CVE-2026-31668",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31668"
},
{
"name": "CVE-2026-31583",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31583"
},
{
"name": "CVE-2026-31605",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31605"
},
{
"name": "CVE-2026-31681",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
},
{
"name": "CVE-2026-43033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
},
{
"name": "CVE-2026-31622",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31622"
},
{
"name": "CVE-2026-31595",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31595"
},
{
"name": "CVE-2026-31642",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31642"
},
{
"name": "CVE-2026-31659",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31659"
},
{
"name": "CVE-2026-31638",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31638"
},
{
"name": "CVE-2026-31588",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31588"
},
{
"name": "CVE-2026-31689",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31689"
},
{
"name": "CVE-2026-31697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31697"
},
{
"name": "CVE-2026-31670",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31670"
},
{
"name": "CVE-2026-31533",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
},
{
"name": "CVE-2026-31615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31615"
},
{
"name": "CVE-2026-31594",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31594"
},
{
"name": "CVE-2026-31661",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31661"
},
{
"name": "CVE-2026-31705",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31705"
},
{
"name": "CVE-2026-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31684"
},
{
"name": "CVE-2026-31625",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31625"
},
{
"name": "CVE-2026-31669",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
},
{
"name": "CVE-2026-31671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
},
{
"name": "CVE-2026-31694",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31694"
},
{
"name": "CVE-2026-31699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31699"
},
{
"name": "CVE-2026-31628",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31628"
},
{
"name": "CVE-2026-31662",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31662"
},
{
"name": "CVE-2026-31627",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31627"
},
{
"name": "CVE-2026-31665",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31665"
},
{
"name": "CVE-2026-31672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31672"
},
{
"name": "CVE-2026-31626",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31626"
},
{
"name": "CVE-2026-31634",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31634"
},
{
"name": "CVE-2026-31610",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31610"
},
{
"name": "CVE-2026-31648",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31648"
},
{
"name": "CVE-2026-31660",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31660"
},
{
"name": "CVE-2026-31607",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
},
{
"name": "CVE-2026-31637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31637"
},
{
"name": "CVE-2026-31612",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31612"
},
{
"name": "CVE-2026-31590",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31590"
},
{
"name": "CVE-2026-31604",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31604"
},
{
"name": "CVE-2026-31532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31532"
},
{
"name": "CVE-2026-31430",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31430"
},
{
"name": "CVE-2026-31596",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31596"
},
{
"name": "CVE-2026-31676",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31676"
},
{
"name": "CVE-2026-31603",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31603"
},
{
"name": "CVE-2026-31649",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
},
{
"name": "CVE-2026-31577",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31577"
},
{
"name": "CVE-2026-31702",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31702"
},
{
"name": "CVE-2026-31587",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31587"
},
{
"name": "CVE-2026-31708",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31708"
},
{
"name": "CVE-2026-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31651"
},
{
"name": "CVE-2026-31657",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31657"
},
{
"name": "CVE-2026-31624",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31624"
},
{
"name": "CVE-2026-31585",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31585"
},
{
"name": "CVE-2026-31646",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31646"
},
{
"name": "CVE-2026-31700",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
},
{
"name": "CVE-2026-31639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31639"
},
{
"name": "CVE-2026-31508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31508"
},
{
"name": "CVE-2026-31629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31629"
},
{
"name": "CVE-2026-31673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31673"
},
{
"name": "CVE-2026-31667",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
}
],
"initial_release_date": "2026-05-04T00:00:00",
"last_revision_date": "2026-05-04T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0526",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31629",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31629"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31639",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31639"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31694",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31694"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31662",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31662"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31651",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31651"
},
{
"published_at": "2026-04-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31661",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31661"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31671",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31671"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31656",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31656"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31595",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31595"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31700",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31700"
},
{
"published_at": "2026-04-22",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31430",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31430"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31599",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31599"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31685",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31685"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31607",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31607"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31659",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31659"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31673",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31673"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31612",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31612"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31638",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31638"
},
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31532",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31532"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31625",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31625"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31586",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31586"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31649",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31649"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31676",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31676"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31684",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31684"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31657",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31657"
},
{
"published_at": "2026-04-23",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31431",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31431"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31585",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31585"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31611",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31611"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31637",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31637"
},
{
"published_at": "2026-04-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31689",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31689"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31624",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31624"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31615",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31615"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31627",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31627"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31642",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31642"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31704",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31704"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31668",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31668"
},
{
"published_at": "2026-04-30",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31508",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31508"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31578",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31578"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31696",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31696"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31587",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31587"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31577",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31577"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31711",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31711"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31626",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31626"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31670",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31670"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31583",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31583"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31618",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31618"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31708",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31708"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31588",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31588"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31658",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31658"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31705",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31705"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31669",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31669"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31623",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31623"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31622",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31622"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31603",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31603"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31594",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31594"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31721",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31721"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31660",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31660"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31628",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31628"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43033",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43033"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31619",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31619"
},
{
"published_at": "2026-04-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31648",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31648"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31698",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31698"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31655",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31655"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31699",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31699"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31634",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31634"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31665",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31665"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31605",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31605"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31597",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31597"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31697",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31697"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31664",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31664"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31702",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31702"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31590",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31590"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31596",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31596"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31681",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31681"
},
{
"published_at": "2026-05-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31533",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31533"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31610",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31610"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31667",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31667"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31604",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31604"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31672",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31672"
},
{
"published_at": "2026-04-26",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31646",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31646"
}
]
}
CVE-2026-31665 (GCVE-0-2026-31665)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
netfilter: nft_ct: fix use-after-free in timeout object destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
immediately after nf_ct_untimeout(), without waiting for an RCU grace
period. Concurrent packet processing on other CPUs may still hold
RCU-protected references to the timeout object obtained via
rcu_dereference() in nf_ct_timeout_data().
Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer
freeing until after an RCU grace period, matching the approach already
used in nfnetlink_cttimeout.c.
KASAN report:
BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
Read of size 4 at addr ffff8881035fe19c by task exploit/80
Call Trace:
nf_conntrack_tcp_packet+0x1381/0x29d0
nf_conntrack_in+0x612/0x8b0
nf_hook_slow+0x70/0x100
__ip_local_out+0x1b2/0x210
tcp_sendmsg_locked+0x722/0x1580
__sys_sendto+0x2d8/0x320
Allocated by task 75:
nft_ct_timeout_obj_init+0xf6/0x290
nft_obj_init+0x107/0x1b0
nf_tables_newobj+0x680/0x9c0
nfnetlink_rcv_batch+0xc29/0xe00
Freed by task 26:
nft_obj_destroy+0x3f/0xa0
nf_tables_trans_destroy_work+0x51c/0x5c0
process_one_work+0x2c4/0x5a0
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < c458fc1c278a65ad5381083121d39a479973ebed (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < c581e5c8f2b59158f62efe61c1a3dc36189081ff (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < f16fe84879a5280f05ebbcea593a189ba0f3e79a (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < 070abdf1b04325b21a20a2a0c39a2208af107275 (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < b42aca3660dc2627a29a38131597ca610dc451f9 (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < d0983b48c10d1509fd795c155f8b1e832e1369ff (git) |
| Linux | Linux | Affected: 7e0b2b57f01d183e1c84114f1f2287737358d748 , < f8dca15a1b190787bbd03285304b569631160eda (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_timeout.h",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c458fc1c278a65ad5381083121d39a479973ebed",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "c581e5c8f2b59158f62efe61c1a3dc36189081ff",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "f16fe84879a5280f05ebbcea593a189ba0f3e79a",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "070abdf1b04325b21a20a2a0c39a2208af107275",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "b42aca3660dc2627a29a38131597ca610dc451f9",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "d0983b48c10d1509fd795c155f8b1e832e1369ff",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
},
{
"lessThan": "f8dca15a1b190787bbd03285304b569631160eda",
"status": "affected",
"version": "7e0b2b57f01d183e1c84114f1f2287737358d748",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_conntrack_timeout.h",
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n nf_conntrack_tcp_packet+0x1381/0x29d0\n nf_conntrack_in+0x612/0x8b0\n nf_hook_slow+0x70/0x100\n __ip_local_out+0x1b2/0x210\n tcp_sendmsg_locked+0x722/0x1580\n __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n nft_ct_timeout_obj_init+0xf6/0x290\n nft_obj_init+0x107/0x1b0\n nf_tables_newobj+0x680/0x9c0\n nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n nft_obj_destroy+0x3f/0xa0\n nf_tables_trans_destroy_work+0x51c/0x5c0\n process_one_work+0x2c4/0x5a0"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:49.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed"
},
{
"url": "https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff"
},
{
"url": "https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a"
},
{
"url": "https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275"
},
{
"url": "https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77"
},
{
"url": "https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9"
},
{
"url": "https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff"
},
{
"url": "https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda"
}
],
"title": "netfilter: nft_ct: fix use-after-free in timeout object destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31665",
"datePublished": "2026-04-24T14:45:14.613Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:49.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31586 (GCVE-0-2026-31586)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses
wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last
reference, the blkcg can be freed asynchronously (css_free_rwork_fn ->
blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the
pointer to access blkcg->online_pin, resulting in a use-after-free:
BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531
Workqueue: cgwb_release cgwb_release_workfn
Call Trace:
<TASK>
blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)
cgwb_release_workfn (mm/backing-dev.c:629)
process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)
Freed by task 1016:
kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)
css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)
process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)
** Stack based on commit 66672af7a095 ("Add linux-next specific files
for 20260410")
I am seeing this crash sporadically in Meta fleet across multiple kernel
versions. A full reproducer is available at:
https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh
(The race window is narrow. To make it easily reproducible, inject a
msleep(100) between css_put() and blkcg_unpin_online() in
cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the
reproducer triggers the splat reliably in less than a second.)
Fix this by moving blkcg_unpin_online() before css_put(), so the
cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()
accesses it.
Severity
7.8 (High)
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 115a5266749dcde7fe4127e8623d19c752088f69 (git)<br>Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < dfc8292a1d6782c76b626315605e0585a5a18447 (git)<br>Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < ea3af09eb87d8f8708c66747fcf1a2762902e839 (git)<br>Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 50879a3c1faf06e661090015d59e2127255cff27 (git)<br>Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 67cb119d32f35e32acd0393bbeb318b2bb1fdafe (git)<br>Affected: 59b57717fff8b562825d9d25e0180ad7e8048ca9 , < 8f5857be99f1ed1fa80991c72449541f634626ee (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/backing-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "115a5266749dcde7fe4127e8623d19c752088f69",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
},
{
"lessThan": "dfc8292a1d6782c76b626315605e0585a5a18447",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
},
{
"lessThan": "ea3af09eb87d8f8708c66747fcf1a2762902e839",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
},
{
"lessThan": "50879a3c1faf06e661090015d59e2127255cff27",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
},
{
"lessThan": "67cb119d32f35e32acd0393bbeb318b2bb1fdafe",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
},
{
"lessThan": "8f5857be99f1ed1fa80991c72449541f634626ee",
"status": "affected",
"version": "59b57717fff8b562825d9d25e0180ad7e8048ca9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/backing-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\nwb-\u003eblkcg_css again via blkcg_unpin_online(). If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\n\n BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n Workqueue: cgwb_release cgwb_release_workfn\n Call Trace:\n \u003cTASK\u003e\n blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n cgwb_release_workfn (mm/backing-dev.c:629)\n process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n Freed by task 1016:\n kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions. A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow. To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:11.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69"
},
{
"url": "https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447"
},
{
"url": "https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839"
},
{
"url": "https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27"
},
{
"url": "https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe"
},
{
"url": "https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee"
}
],
"title": "mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31586",
"datePublished": "2026-04-24T14:42:14.937Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T14:04:11.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31655 (GCVE-0-2026-31655)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Keep the NOC_HDCP clock always enabled to fix the potential hang
caused by the NoC ADB400 port power down handshake.
Severity
No CVSS data available.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < 80fd0de89805a3f92dc320f5ab5a18007c260374 (git)<br>Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < 3086374e8bc7fd65f2cc62ef52351c6d662f1543 (git)<br>Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < e44919669f07b8f113ad49a248b44ca4f119bc94 (git)<br>Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < d1ef779d02b5df4e8bff4083b20bfea587b43c4b (git)<br>Affected: 77b0ddb42add47748c661f714e6f4b116a6e8759 , < e91d5f94acf68618ea3ad9c92ac28614e791ae7d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80fd0de89805a3f92dc320f5ab5a18007c260374",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "3086374e8bc7fd65f2cc62ef52351c6d662f1543",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "e44919669f07b8f113ad49a248b44ca4f119bc94",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "d1ef779d02b5df4e8bff4083b20bfea587b43c4b",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
},
{
"lessThan": "e91d5f94acf68618ea3ad9c92ac28614e791ae7d",
"status": "affected",
"version": "77b0ddb42add47748c661f714e6f4b116a6e8759",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8mp-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled\n\nKeep the NOC_HDCP clock always enabled to fix the potential hang\ncaused by the NoC ADB400 port power down handshake."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:07.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80fd0de89805a3f92dc320f5ab5a18007c260374"
},
{
"url": "https://git.kernel.org/stable/c/3086374e8bc7fd65f2cc62ef52351c6d662f1543"
},
{
"url": "https://git.kernel.org/stable/c/e44919669f07b8f113ad49a248b44ca4f119bc94"
},
{
"url": "https://git.kernel.org/stable/c/d1ef779d02b5df4e8bff4083b20bfea587b43c4b"
},
{
"url": "https://git.kernel.org/stable/c/e91d5f94acf68618ea3ad9c92ac28614e791ae7d"
}
],
"title": "pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31655",
"datePublished": "2026-04-24T14:45:07.085Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:07.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31689 (GCVE-0-2026-31689)
Vulnerability from cvelistv5 – Published: 2026-04-27 17:34 – Updated: 2026-04-27 17:34
Title
EDAC/mc: Fix error path ordering in edac_mc_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/mc: Fix error path ordering in edac_mc_alloc()
When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path
will call put_device() which will end up calling the device's release
function.
However, the init ordering is wrong such that device_initialize() happens
*after* the failed allocation and thus the device itself and the release
function pointer are not initialized yet when they're called:
MCE: In-kernel MCE decoding enabled.
------------[ cut here ]------------
kobject: '(null)': is not initialized, yet kobject_put() is being called.
WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd
CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)
RIP: 0010:kobject_put
Call Trace:
<TASK>
edac_mc_alloc+0xbe/0xe0 [edac_core]
amd64_edac_init+0x7a4/0xff0 [amd64_edac]
? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]
do_one_initcall
...
Reorder the calling sequence so that the device is initialized and thus the
release function pointer is properly set before it can be used.
This was found by Claude while reviewing another EDAC patch.
Severity
No CVSS data available.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < aae95970fad2127a1bd49d8713c7cd0677dcd2d6 (git)<br>Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < d3de72e2a2b9ee3a57734c1c068823e41a707715 (git)<br>Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < d20e98c2df9354cc744431ad8ccbf49405b8b40f (git)<br>Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < 87ce8ae511962e105bcb3534944208c6a9471ed9 (git)<br>Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < 75825648ce984ca4cebb28e4bd2bf8c3a7e837c5 (git)<br>Affected: 0bbb265f7089584aaa6d440805ca75ea4f3930d4 , < 51520e03e70d6c73e33ee7cbe0319767d05764fe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/edac_mc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aae95970fad2127a1bd49d8713c7cd0677dcd2d6",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "d3de72e2a2b9ee3a57734c1c068823e41a707715",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "d20e98c2df9354cc744431ad8ccbf49405b8b40f",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "87ce8ae511962e105bcb3534944208c6a9471ed9",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "75825648ce984ca4cebb28e4bd2bf8c3a7e837c5",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
},
{
"lessThan": "51520e03e70d6c73e33ee7cbe0319767d05764fe",
"status": "affected",
"version": "0bbb265f7089584aaa6d440805ca75ea4f3930d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/edac_mc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci-\u003epvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device\u0027s release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they\u0027re called:\n\n MCE: In-kernel MCE decoding enabled.\n ------------[ cut here ]------------\n kobject: \u0027(null)\u0027: is not initialized, yet kobject_put() is being called.\n WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n RIP: 0010:kobject_put\n Call Trace:\n \u003cTASK\u003e\n edac_mc_alloc+0xbe/0xe0 [edac_core]\n amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n do_one_initcall\n ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:34:27.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6"
},
{
"url": "https://git.kernel.org/stable/c/d3de72e2a2b9ee3a57734c1c068823e41a707715"
},
{
"url": "https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f"
},
{
"url": "https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9"
},
{
"url": "https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5"
},
{
"url": "https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe"
}
],
"title": "EDAC/mc: Fix error path ordering in edac_mc_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31689",
"datePublished": "2026-04-27T17:34:27.793Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-04-27T17:34:27.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31697 (GCVE-0-2026-31697)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-05-03 05:45
Title
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
When retrieving the ID for the CPU, don't attempt to copy the ID blob to
userspace if the firmware command failed. If the failure was due to an
invalid length, i.e. the userspace buffer+length was too small, copying
the number of bytes _firmware_ requires will overflow the kernel-allocated
buffer and leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388
CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Severity
7.1 (High)
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 09427bcb1715fb20a80b6acd5156dbf15ab5c363 (git)<br>Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 1fbac0429a42adec830491757a2b53956dd797ea (git)<br>Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e (git)<br>Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 06f06d88c05ce176c61fff8c72c372847b0dd2b5 (git)<br>Affected: d6112ea0cb344d6f5ed519991e24f69ba4b43d0e , < 4f685dbfa87c546e51d9dc6cab379d20f275e114 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09427bcb1715fb20a80b6acd5156dbf15ab5c363",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "1fbac0429a42adec830491757a2b53956dd797ea",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "06f06d88c05ce176c61fff8c72c372847b0dd2b5",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
},
{
"lessThan": "4f685dbfa87c546e51d9dc6cab379d20f275e114",
"status": "affected",
"version": "d6112ea0cb344d6f5ed519991e24f69ba4b43d0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don\u0027t attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:22.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363"
},
{
"url": "https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea"
},
{
"url": "https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e"
},
{
"url": "https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5"
},
{
"url": "https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy ID to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31697",
"datePublished": "2026-05-01T13:55:58.184Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-03T05:45:22.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31604 (GCVE-0-2026-31604)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
wifi: rtw88: fix device leak on probe failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
This driver takes a reference to the USB device during probe but does
not release it on all probe errors (e.g. when descriptor parsing
fails).
Drop the redundant device reference to fix the leak, reduce cargo
culting, make it easier to spot drivers where an extra reference is
needed, and reduce the risk of further memory leaks.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < f632987306bce9242cdfcf911ee0b2c9455e05a3 (git) |
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < a4f4371d194dfa5473cc961f86194084b1b13a69 (git) |
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < 89a9c1bc7d797120bcc290864e0cb10a440a677f (git) |
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < af7307e96dad00bcc2675dac650d8558a52f2c6f (git) |
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < 25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a (git) |
| Linux | Linux | Affected: a82dfd33d1237f6c0fb8a7077022189d1fc7ec98, < bbb15e71156cd9f5e1869eee7207a06ea8e96c39 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f632987306bce9242cdfcf911ee0b2c9455e05a3",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
},
{
"lessThan": "a4f4371d194dfa5473cc961f86194084b1b13a69",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
},
{
"lessThan": "89a9c1bc7d797120bcc290864e0cb10a440a677f",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
},
{
"lessThan": "af7307e96dad00bcc2675dac650d8558a52f2c6f",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
},
{
"lessThan": "25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
},
{
"lessThan": "bbb15e71156cd9f5e1869eee7207a06ea8e96c39",
"status": "affected",
"version": "a82dfd33d1237f6c0fb8a7077022189d1fc7ec98",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot to release it on all probe errors (e.g. when descriptor parsing\nfails).\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:46.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f632987306bce9242cdfcf911ee0b2c9455e05a3"
},
{
"url": "https://git.kernel.org/stable/c/a4f4371d194dfa5473cc961f86194084b1b13a69"
},
{
"url": "https://git.kernel.org/stable/c/89a9c1bc7d797120bcc290864e0cb10a440a677f"
},
{
"url": "https://git.kernel.org/stable/c/af7307e96dad00bcc2675dac650d8558a52f2c6f"
},
{
"url": "https://git.kernel.org/stable/c/25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a"
},
{
"url": "https://git.kernel.org/stable/c/bbb15e71156cd9f5e1869eee7207a06ea8e96c39"
}
],
"title": "wifi: rtw88: fix device leak on probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31604",
"datePublished": "2026-04-24T14:42:27.342Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T13:56:46.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31694 (GCVE-0-2026-31694)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:53 – Updated: 2026-05-03 05:45
Title
fuse: reject oversized dirents in page cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: reject oversized dirents in page cache
fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.
As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.
Reject dirents that cannot fit in a single page before copying them into
the readdir cache.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 69e34551152a286f827d54dcb5700da6aeaac1fb, < d23ad78bfd205eac26766e38ba7d79f279131098 (git) |
| Linux | Linux | Affected: 69e34551152a286f827d54dcb5700da6aeaac1fb, < 45c05af36311624c1148123caeb011312495d86b (git) |
| Linux | Linux | Affected: 69e34551152a286f827d54dcb5700da6aeaac1fb, < 7de93abfaae1b2dc94da8a07a36421bd073f1d8f (git) |
| Linux | Linux | Affected: 69e34551152a286f827d54dcb5700da6aeaac1fb, < 474ce83c96a55f2eeb14dee2be375eeadfdacdf5 (git) |
| Linux | Linux | Affected: 69e34551152a286f827d54dcb5700da6aeaac1fb, < 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d23ad78bfd205eac26766e38ba7d79f279131098",
"status": "affected",
"version": "69e34551152a286f827d54dcb5700da6aeaac1fb",
"versionType": "git"
},
{
"lessThan": "45c05af36311624c1148123caeb011312495d86b",
"status": "affected",
"version": "69e34551152a286f827d54dcb5700da6aeaac1fb",
"versionType": "git"
},
{
"lessThan": "7de93abfaae1b2dc94da8a07a36421bd073f1d8f",
"status": "affected",
"version": "69e34551152a286f827d54dcb5700da6aeaac1fb",
"versionType": "git"
},
{
"lessThan": "474ce83c96a55f2eeb14dee2be375eeadfdacdf5",
"status": "affected",
"version": "69e34551152a286f827d54dcb5700da6aeaac1fb",
"versionType": "git"
},
{
"lessThan": "51a8de6c50bf947c8f534cd73da4c8f0a13e7bed",
"status": "affected",
"version": "69e34551152a286f827d54dcb5700da6aeaac1fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:19.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098"
},
{
"url": "https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b"
},
{
"url": "https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f"
},
{
"url": "https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5"
},
{
"url": "https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed"
}
],
"title": "fuse: reject oversized dirents in page cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31694",
"datePublished": "2026-05-01T13:53:36.048Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-03T05:45:19.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31577 (GCVE-0-2026-31577)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
during btree operations. However, nilfs_mdt_save_to_shadow_map()
assumes i_assoc_inode is already initialized when copying dirty pages
to the shadow map during GC.
If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before
any btree operation has occurred on the DAT inode, i_assoc_inode is
NULL leading to a general protection fault.
Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode
in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always
initialized before any GC operation can use it.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < 7318e3549518ce8f14776a489d86488d80d7e2c8 (git) |
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < 449ec5fc99f45974525ba9eea16b6670c45cd363 (git) |
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < c36e206f302f1ddefed92d09ecbba070e1ae079e (git) |
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < 41de342278ae025c99cc8d33648773f05e306cf1 (git) |
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < 97fb7afec404912d967a7d4715f37742666b3084 (git) |
| Linux | Linux | Affected: e897be17a441fa637cd166fc3de1445131e57692, < 4a4e0328edd9e9755843787d28f16dd4165f8b48 (git) |
| Linux | Linux | Affected: 6c3da8c0a35bbafe359d9166269d5590f29664de (git) |
| Linux | Linux | Affected: 605babb979c213737618b1c837e89624e5ab11fd (git) |
| Linux | Linux | Affected: 307d021b1a7f33048b624f7aaeaa75e3eae571f1 (git) |
| Linux | Linux | Affected: d626fcdabea2258be395a775bdbe09270e9bf73d (git) |
| Linux | Linux | Affected: d05cc5395e36711edad8bdef6945f138d8a7097b (git) |
| Linux | Linux | Affected: 1829b24a36ca12ca95b96d5478faeff40c17f2b6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/dat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7318e3549518ce8f14776a489d86488d80d7e2c8",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"lessThan": "449ec5fc99f45974525ba9eea16b6670c45cd363",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"lessThan": "c36e206f302f1ddefed92d09ecbba070e1ae079e",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"lessThan": "41de342278ae025c99cc8d33648773f05e306cf1",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"lessThan": "97fb7afec404912d967a7d4715f37742666b3084",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"lessThan": "4a4e0328edd9e9755843787d28f16dd4165f8b48",
"status": "affected",
"version": "e897be17a441fa637cd166fc3de1445131e57692",
"versionType": "git"
},
{
"status": "affected",
"version": "6c3da8c0a35bbafe359d9166269d5590f29664de",
"versionType": "git"
},
{
"status": "affected",
"version": "605babb979c213737618b1c837e89624e5ab11fd",
"versionType": "git"
},
{
"status": "affected",
"version": "307d021b1a7f33048b624f7aaeaa75e3eae571f1",
"versionType": "git"
},
{
"status": "affected",
"version": "d626fcdabea2258be395a775bdbe09270e9bf73d",
"versionType": "git"
},
{
"status": "affected",
"version": "d05cc5395e36711edad8bdef6945f138d8a7097b",
"versionType": "git"
},
{
"status": "affected",
"version": "1829b24a36ca12ca95b96d5478faeff40c17f2b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/dat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.296",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode\u0027s btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:24.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7318e3549518ce8f14776a489d86488d80d7e2c8"
},
{
"url": "https://git.kernel.org/stable/c/449ec5fc99f45974525ba9eea16b6670c45cd363"
},
{
"url": "https://git.kernel.org/stable/c/c36e206f302f1ddefed92d09ecbba070e1ae079e"
},
{
"url": "https://git.kernel.org/stable/c/41de342278ae025c99cc8d33648773f05e306cf1"
},
{
"url": "https://git.kernel.org/stable/c/97fb7afec404912d967a7d4715f37742666b3084"
},
{
"url": "https://git.kernel.org/stable/c/4a4e0328edd9e9755843787d28f16dd4165f8b48"
}
],
"title": "nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31577",
"datePublished": "2026-04-24T14:42:08.879Z",
"dateReserved": "2026-03-09T15:48:24.119Z",
"dateUpdated": "2026-04-27T13:56:24.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31587 (GCVE-0-2026-31587)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
ASoC: qcom: q6apm: move component registration to unmanaged version
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6apm: move component registration to unmanaged version
q6apm component registers dais dynamically from ASoC topology, which
are allocated using device managed version apis. Allocating both
component and dynamic dais using managed version could lead to incorrect
free ordering, dai will be freed while component still holding references
to it.
Fix this issue by moving component to unmanaged version so
that the dai pointers are only freed after the component is removed.
==================================================================
BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426
Tainted: [W]=WARN
Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024
Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
Call trace:
show_stack+0x28/0x7c (C)
dump_stack_lvl+0x60/0x80
print_report+0x160/0x4b4
kasan_report+0xac/0xfc
__asan_report_load8_noabort+0x20/0x34
snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]
devm_component_release+0x30/0x5c [snd_soc_core]
devres_release_all+0x13c/0x210
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x350/0x468
device_release_driver+0x18/0x30
bus_remove_device+0x1a0/0x35c
device_del+0x314/0x7f0
device_unregister+0x20/0xbc
apr_remove_device+0x5c/0x7c [apr]
device_for_each_child+0xd8/0x160
apr_pd_status+0x7c/0xa8 [apr]
pdr_notifier_work+0x114/0x240 [pdr_interface]
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Allocated by task 77:
kasan_save_stack+0x40/0x68
kasan_save_track+0x20/0x40
kasan_save_alloc_info+0x44/0x58
__kasan_kmalloc+0xbc/0xdc
__kmalloc_node_track_caller_noprof+0x1f4/0x620
devm_kmalloc+0x7c/0x1c8
snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]
snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]
audioreach_tplg_init+0x124/0x1fc [snd_q6apm]
q6apm_audio_probe+0x10/0x1c [snd_q6apm]
snd_soc_component_probe+0x5c/0x118 [snd_soc_core]
soc_probe_component+0x44c/0xaf0 [snd_soc_core]
snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]
snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]
devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]
x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]
platform_probe+0xc0/0x188
really_probe+0x188/0x804
__driver_probe_device+0x158/0x358
driver_probe_device+0x60/0x190
__device_attach_driver+0x16c/0x2a8
bus_for_each_drv+0x100/0x194
__device_attach+0x174/0x380
device_initial_probe+0x14/0x20
bus_probe_device+0x124/0x154
deferred_probe_work_func+0x140/0x220
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Freed by task 3426:
kasan_save_stack+0x40/0x68
kasan_save_track+0x20/0x40
__kasan_save_free_info+0x4c/0x80
__kasan_slab_free+0x78/0xa0
kfree+0x100/0x4a4
devres_release_all+0x144/0x210
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x350/0x468
device_release_driver+0x18/0x30
bus_remove_device+0x1a0/0x35c
device_del+0x314/0x7f0
device_unregister+0x20/0xbc
apr_remove_device+0x5c/0x7c [apr]
device_for_each_child+0xd8/0x160
apr_pd_status+0x7c/0xa8 [apr]
pdr_notifier_work+0x114/0x240 [pdr_interface]
process_one_work+0x500/0xb70
worker_thread+0x630/0xfb0
kthread+0x370/0x6c0
ret_from_fork+0x10/0x20
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < 887632163b546a8944b46ef465f1d74e838b727a (git) |
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2 (git) |
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < 30383b7780ffa140bc124de5b66cae7c84133dbb (git) |
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < f7b790531cdad3b2075ab937aa06d7b802403be4 (git) |
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < a561a55b79a9c55f0443377f2d4dcf6149d057af (git) |
| Linux | Linux | Affected: 5477518b8a0e8a45239646acd80c9bafc4401522, < 6ec1235fc941dac6c011b30ee01d9220ff87e0cd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "887632163b546a8944b46ef465f1d74e838b727a",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
},
{
"lessThan": "b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
},
{
"lessThan": "30383b7780ffa140bc124de5b66cae7c84133dbb",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
},
{
"lessThan": "f7b790531cdad3b2075ab937aa06d7b802403be4",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
},
{
"lessThan": "a561a55b79a9c55f0443377f2d4dcf6149d057af",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
},
{
"lessThan": "6ec1235fc941dac6c011b30ee01d9220ff87e0cd",
"status": "affected",
"version": "5477518b8a0e8a45239646acd80c9bafc4401522",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/qcom/qdsp6/q6apm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n 
devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:12.452Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/887632163b546a8944b46ef465f1d74e838b727a"
},
{
"url": "https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2"
},
{
"url": "https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb"
},
{
"url": "https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4"
},
{
"url": "https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af"
},
{
"url": "https://git.kernel.org/stable/c/6ec1235fc941dac6c011b30ee01d9220ff87e0cd"
}
],
"title": "ASoC: qcom: q6apm: move component registration to unmanaged version",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31587",
"datePublished": "2026-04-24T14:42:15.625Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T14:04:12.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31656 (GCVE-0-2026-31656)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
A use-after-free / refcount underflow is possible when the heartbeat
worker and intel_engine_park_heartbeat() race to release the same
engine->heartbeat.systole request.
The heartbeat worker reads engine->heartbeat.systole and calls
i915_request_put() on it when the request is complete, but clears
the pointer in a separate, non-atomic step. Concurrently, a request
retirement on another CPU can drop the engine wakeref to zero, triggering
__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat
timer is pending at that point, cancel_delayed_work() returns true and
intel_engine_park_heartbeat() reads the stale non-NULL systole pointer
and calls i915_request_put() on it again, causing a refcount underflow:
```
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711] <TASK>
<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566] __engine_park+0xb9/0x650 [i915]
<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625] engine_retire+0x122/0x180 [i915]
<4> [487.227037] process_one_work+0x239/0x760
<4> [487.227060] worker_thread+0x200/0x3f0
<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
<4> [487.227075] kthread+0x10d/0x150
<4> [487.227083] ? __pfx_kthread+0x10/0x10
<4> [487.227092] ret_from_fork+0x3d4/0x480
<4> [487.227099] ? __pfx_kthread+0x10/0x10
<4> [487.227107] ret_from_fork_asm+0x1a/0x30
<4> [487.227141] </TASK>
```
Fix this by replacing the non-atomic pointer read + separate clear with
xchg() in both racing paths. xchg() is a single indivisible hardware
instruction that atomically reads the old pointer and writes NULL. This
guarantees only one of the two concurrent callers obtains the non-NULL
pointer and performs the put, the other gets NULL and skips it.
(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
Severity ?
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 70d3e622b10092fc483e28e57b4e8c49d9cc7f68 (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 8ce44d28a84fd5e053a88b04872a89d95c0779d4 (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < ca3f48c3567dd49efdc55b80029ae74659c682ee (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < a00e92bf6583d019a4fb2c2df7007e6c9b269ce7 (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 2af8b200cae3fdd0e917ecc2753b28bb40c876c1 (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 455d98ed527fc94eed90406f90ab2391464ca657 (git) |
| Linux | Linux | Affected: 058179e72e0956a2dfe4927db6cbe5fbfb2406aa , < 4c71fd099513bfa8acab529b626e1f0097b76061 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70d3e622b10092fc483e28e57b4e8c49d9cc7f68",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "8ce44d28a84fd5e053a88b04872a89d95c0779d4",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "ca3f48c3567dd49efdc55b80029ae74659c682ee",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "a00e92bf6583d019a4fb2c2df7007e6c9b269ce7",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "2af8b200cae3fdd0e917ecc2753b28bb40c876c1",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "455d98ed527fc94eed90406f90ab2391464ca657",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
},
{
"lessThan": "4c71fd099513bfa8acab529b626e1f0097b76061",
"status": "affected",
"version": "058179e72e0956a2dfe4927db6cbe5fbfb2406aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine-\u003eheartbeat.systole request.\n\nThe heartbeat worker reads engine-\u003eheartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -\u003e intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n\u003c4\u003e [487.221889] Workqueue: i915-unordered engine_retire [i915]\n\u003c4\u003e [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n\u003c4\u003e [487.222707] Call Trace:\n\u003c4\u003e [487.222711] \u003cTASK\u003e\n\u003c4\u003e [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n\u003c4\u003e [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]\n\u003c4\u003e [487.223566] __engine_park+0xb9/0x650 [i915]\n\u003c4\u003e [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n\u003c4\u003e [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]\n\u003c4\u003e [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]\n\u003c4\u003e [487.225238] intel_context_exit+0xf1/0x1b0 [i915]\n\u003c4\u003e [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]\n\u003c4\u003e [487.226178] i915_request_retire+0x1c/0x40 [i915]\n\u003c4\u003e [487.226625] engine_retire+0x122/0x180 [i915]\n\u003c4\u003e [487.227037] process_one_work+0x239/0x760\n\u003c4\u003e [487.227060] worker_thread+0x200/0x3f0\n\u003c4\u003e [487.227068] ? 
__pfx_worker_thread+0x10/0x10\n\u003c4\u003e [487.227075] kthread+0x10d/0x150\n\u003c4\u003e [487.227083] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227092] ret_from_fork+0x3d4/0x480\n\u003c4\u003e [487.227099] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e [487.227107] ret_from_fork_asm+0x1a/0x30\n\u003c4\u003e [487.227141] \u003c/TASK\u003e\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:43.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68"
},
{
"url": "https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4"
},
{
"url": "https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee"
},
{
"url": "https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7"
},
{
"url": "https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1"
},
{
"url": "https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657"
},
{
"url": "https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061"
}
],
"title": "drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31656",
"datePublished": "2026-04-24T14:45:07.738Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:43.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31590 (GCVE-0-2026-31590)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
WARN is comically trivial to trigger from userspace, e.g. by doing:
    struct kvm_enc_region range = {
            .addr = 0,
            .size = -1ul,
    };
    __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
Note, the checks in sev_mem_enc_register_region() that presumably exist to
verify the incoming address+size are completely worthless, as both "addr"
and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
than ULONG_MAX. That wart will be cleaned up in the near future.
    if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
            return -EINVAL;
Opportunistically add a comment to explain why the code calculates the
number of pages the "hard" way, e.g. instead of just shifting @ulen.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < b670833749ffd8681361db2bb047c6f2e3075f3a (git) |
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < ab423e5892826202a660b5ac85d1125b0e8301a5 (git) |
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 28cc13ca20431b127d42d84ba10898d03e2c8267 (git) |
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < c29ff288a2d97a6f4640a498a367cf0eb91312eb (git) |
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 1cba4dcd795daf6d257122779fb6a349edf03914 (git) |
| Linux | Linux | Affected: 78824fabc72e5e37d51e6e567fde70a4fc41a6d7 , < 8acffeef5ef720c35e513e322ab08e32683f32f2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b670833749ffd8681361db2bb047c6f2e3075f3a",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "ab423e5892826202a660b5ac85d1125b0e8301a5",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "28cc13ca20431b127d42d84ba10898d03e2c8267",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "c29ff288a2d97a6f4640a498a367cf0eb91312eb",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "1cba4dcd795daf6d257122779fb6a349edf03914",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
},
{
"lessThan": "8acffeef5ef720c35e513e322ab08e32683f32f2",
"status": "affected",
"version": "78824fabc72e5e37d51e6e567fde70a4fc41a6d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n struct kvm_enc_region range = {\n .addr = 0,\n .size = -1ul,\n };\n\n __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, \u0026range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can\u0027t_ be greater\nthan ULONG_MAX. That wart will be cleaned up in the near future.\n\n\tif (range-\u003eaddr \u003e ULONG_MAX || range-\u003esize \u003e ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:36.186Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a"
},
{
"url": "https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5"
},
{
"url": "https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267"
},
{
"url": "https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb"
},
{
"url": "https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914"
},
{
"url": "https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2"
}
],
"title": "KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31590",
"datePublished": "2026-04-24T14:42:17.629Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T13:56:36.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31603 (GCVE-0-2026-31603)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
staging: sm750fb: fix division by zero in ps_to_hz()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: sm750fb: fix division by zero in ps_to_hz()
ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating
that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO
causes a division by zero.
Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent
with other framebuffer drivers.
Severity ?
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < 779412e0e391fd4a0d12e1d1adaa7bf043de62d7 (git) |
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < 2f640c6043aeab31a2f607d7605271860c3b11df (git) |
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < 1412ba36597a82e928f20047f41d6c6582dafe8a (git) |
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < 6144895a4335a2491c282931f1f2fa610b86339f (git) |
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < daf6733bd7c4c5015b431739ac29b0e29021096b (git) |
| Linux | Linux | Affected: 81dee67e215b23f0c98182eece122b906d35765a , < 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/sm750fb/sm750.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "779412e0e391fd4a0d12e1d1adaa7bf043de62d7",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
},
{
"lessThan": "2f640c6043aeab31a2f607d7605271860c3b11df",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
},
{
"lessThan": "1412ba36597a82e928f20047f41d6c6582dafe8a",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
},
{
"lessThan": "6144895a4335a2491c282931f1f2fa610b86339f",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
},
{
"lessThan": "daf6733bd7c4c5015b431739ac29b0e29021096b",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
},
{
"lessThan": "75a1621e4f91310673c9acbcbb25c2a7ff821cd3",
"status": "affected",
"version": "81dee67e215b23f0c98182eece122b906d35765a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/sm750fb/sm750.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: sm750fb: fix division by zero in ps_to_hz()\n\nps_to_hz() is called from hw_sm750_crtc_set_mode() without validating\nthat pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO\ncauses a division by zero.\n\nFix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent\nwith other framebuffer drivers."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:44.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/779412e0e391fd4a0d12e1d1adaa7bf043de62d7"
},
{
"url": "https://git.kernel.org/stable/c/2f640c6043aeab31a2f607d7605271860c3b11df"
},
{
"url": "https://git.kernel.org/stable/c/1412ba36597a82e928f20047f41d6c6582dafe8a"
},
{
"url": "https://git.kernel.org/stable/c/6144895a4335a2491c282931f1f2fa610b86339f"
},
{
"url": "https://git.kernel.org/stable/c/daf6733bd7c4c5015b431739ac29b0e29021096b"
},
{
"url": "https://git.kernel.org/stable/c/75a1621e4f91310673c9acbcbb25c2a7ff821cd3"
}
],
"title": "staging: sm750fb: fix division by zero in ps_to_hz()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31603",
"datePublished": "2026-04-24T14:42:26.601Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T13:56:44.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31669 (GCVE-0-2026-31669)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
mptcp: fix slab-use-after-free in __inet_lookup_established
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
Severity ?
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47 (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < fb1f54b7d16f393b8b65d328410f78b4beea8fcc (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 3fd6547f5b8ac99687be6d937a0321efda760597 (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < eb9c6aeb512f877cf397deb1e4526f646c70e4a7 (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 15fa9ead4d5e6b6b9c794e84144146c917f2cb62 (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < b313e9037d98c13938740e5ebda7852929366dff (git) |
| Linux | Linux | Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 9b55b253907e7431210483519c5ad711a37dafa1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "fb1f54b7d16f393b8b65d328410f78b4beea8fcc",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "3fd6547f5b8ac99687be6d937a0321efda760597",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "eb9c6aeb512f877cf397deb1e4526f646c70e4a7",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "15fa9ead4d5e6b6b9c794e84144146c917f2cb62",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "b313e9037d98c13938740e5ebda7852929366dff",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "9b55b253907e7431210483519c5ad711a37dafa1",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP\u0027s mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(\u0026tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:53.478Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"
},
{
"url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"
},
{
"url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"
},
{
"url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"
},
{
"url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"
},
{
"url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"
},
{
"url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"
}
],
"title": "mptcp: fix slab-use-after-free in __inet_lookup_established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31669",
"datePublished": "2026-04-24T14:45:17.295Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:53.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31660 (GCVE-0-2026-31660)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
nfc: pn533: allocate rx skb before consuming bytes
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.
If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 8b71299d587d9e4c830c18afb884c80ddb30ad28 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 16649adc2e19509104245ea1f349b629d858f11f (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 07cb6c72e66ba548679f22ac29ad588da8999279 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < a9495069b43b8634c1ae0042e888766c34f66637 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 21ae2cda66a55c759607bbf1d23cbaa42019d2de (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < 7e37da42eda45d7859d9273fc7e225d8df458038 (git) |
| Linux | Linux | Affected: c656aa4c27b17a8c70da223ed5ab42145800d6b5 , < c71ba669b570c7b3f86ec875be222ea11dacb352 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "8b71299d587d9e4c830c18afb884c80ddb30ad28",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "16649adc2e19509104245ea1f349b629d858f11f",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "07cb6c72e66ba548679f22ac29ad588da8999279",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "a9495069b43b8634c1ae0042e888766c34f66637",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "21ae2cda66a55c759607bbf1d23cbaa42019d2de",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "7e37da42eda45d7859d9273fc7e225d8df458038",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
},
{
"lessThan": "c71ba669b570c7b3f86ec875be222ea11dacb352",
"status": "affected",
"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/uart.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:11.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"
},
{
"url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"
},
{
"url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"
},
{
"url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"
},
{
"url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"
},
{
"url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"
},
{
"url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"
},
{
"url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"
}
],
"title": "nfc: pn533: allocate rx skb before consuming bytes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31660",
"datePublished": "2026-04-24T14:45:11.039Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:11.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31623 (GCVE-0-2026-31623)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:57
Title
net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.
Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < d4e1946bea8d6441835eb3fd09b19237ba366a6f (git) |
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < a23b1b1aaf41e174181d5853a70e65d4d01e648c (git) |
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < c183d5775129a0a7495bd61a6e57ec230dcf01e5 (git) |
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < ebf75c6301c4972a87542ebf2d994c6391eb5d46 (git) |
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < 9989938d13cc5ba8447eeed5a61acfcf61bc6801 (git) |
| Linux | Linux | Affected: 87cf65601e1709e57f7e28f0f7b3eb0a992c1782 , < 600dc40554dc5ad1e6f3af51f700228033f43ea7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc-phonet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4e1946bea8d6441835eb3fd09b19237ba366a6f",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
},
{
"lessThan": "a23b1b1aaf41e174181d5853a70e65d4d01e648c",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
},
{
"lessThan": "c183d5775129a0a7495bd61a6e57ec230dcf01e5",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
},
{
"lessThan": "ebf75c6301c4972a87542ebf2d994c6391eb5d46",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
},
{
"lessThan": "9989938d13cc5ba8447eeed5a61acfcf61bc6801",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
},
{
"lessThan": "600dc40554dc5ad1e6f3af51f700228033f43ea7",
"status": "affected",
"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc-phonet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info-\u003efrags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached. This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb-\u003efrags overflow in RX path\") did for the\nt7xx driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:57:02.737Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f"
},
{
"url": "https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c"
},
{
"url": "https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5"
},
{
"url": "https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46"
},
{
"url": "https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801"
},
{
"url": "https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7"
}
],
"title": "net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31623",
"datePublished": "2026-04-24T14:42:40.566Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T13:57:02.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31605 (GCVE-0-2026-31605)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < cce24f70090e0decb597b88bc52e8ef8efed6105 (git) |
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < 03797cdee38ef19c87785622d423aabaafb71c5f (git) |
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < 6de048d78f3029744778b7a2891745f3ca7c209a (git) |
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < cccbf9b7fdab48ce4feb69c24f7f928aa8e4e8b8 (git) |
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < afaaaa38579f1252bb42b145f6e88a955c4f73f3 (git) |
| Linux | Linux | Affected: 59277b679f8b5ce594e367759256668eba652d0d , < a31e4518bec70333a0a98f2946a12b53b45fe5b9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/udlfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cce24f70090e0decb597b88bc52e8ef8efed6105",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
},
{
"lessThan": "03797cdee38ef19c87785622d423aabaafb71c5f",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
},
{
"lessThan": "6de048d78f3029744778b7a2891745f3ca7c209a",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
},
{
"lessThan": "cccbf9b7fdab48ce4feb69c24f7f928aa8e4e8b8",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
},
{
"lessThan": "afaaaa38579f1252bb42b145f6e88a955c4f73f3",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
},
{
"lessThan": "a31e4518bec70333a0a98f2946a12b53b45fe5b9",
"status": "affected",
"version": "59277b679f8b5ce594e367759256668eba652d0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/udlfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:47.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cce24f70090e0decb597b88bc52e8ef8efed6105"
},
{
"url": "https://git.kernel.org/stable/c/03797cdee38ef19c87785622d423aabaafb71c5f"
},
{
"url": "https://git.kernel.org/stable/c/6de048d78f3029744778b7a2891745f3ca7c209a"
},
{
"url": "https://git.kernel.org/stable/c/cccbf9b7fdab48ce4feb69c24f7f928aa8e4e8b8"
},
{
"url": "https://git.kernel.org/stable/c/afaaaa38579f1252bb42b145f6e88a955c4f73f3"
},
{
"url": "https://git.kernel.org/stable/c/a31e4518bec70333a0a98f2946a12b53b45fe5b9"
}
],
"title": "fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31605",
"datePublished": "2026-04-24T14:42:28.120Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T13:56:47.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31431 (GCVE-0-2026-31431)
Vulnerability from cvelistv5 – Published: 2026-04-22 08:15 – Updated: 2026-05-05 00:30
Title
crypto: algif_aead - Revert to operating out-of-place
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.
There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy the
AD directly.
Severity
7.8 (High)
CWE
- CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 893d22e0135fa394db81df88697fba6032747667 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 19d43105a97be0810edbda875f2cd03f30dc130c (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 961cfa271a918ad4ae452420e7c303149002875b (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 3115af9644c342b356f3f07a4dd1c8905cd9a6fc (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < 8b88d99341f139e23bdeb1027a2a3ae10d341d82 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < ce42ee423e58dffa5ec03524054c9d8bfd4f6237 (git) |
| Linux | Linux | Affected: 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 , < a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31431",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-01",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:55:23.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/theori-io/copy-fail-CVE-2026-31431"
},
{
"tags": [
"mitigation"
],
"url": "https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"
},
{
"tags": [
"mitigation"
],
"url": "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/"
},
{
"tags": [
"mitigation"
],
"url": "https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "CVE-2026-31431 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-05T00:30:43.498Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/23"
},
{
"url": "https://copy.fail"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/29/26"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/18"
},
{
"url": "https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/30/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/22"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/16"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/17"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/19"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/21"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/23"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/02/25"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/11"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/12"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/13"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/14"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/24"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/27"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/28"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/29"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/31"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "893d22e0135fa394db81df88697fba6032747667",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "19d43105a97be0810edbda875f2cd03f30dc130c",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "961cfa271a918ad4ae452420e7c303149002875b",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "3115af9644c342b356f3f07a4dd1c8905cd9a6fc",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "8b88d99341f139e23bdeb1027a2a3ae10d341d82",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "ce42ee423e58dffa5ec03524054c9d8bfd4f6237",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
},
{
"lessThan": "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5",
"status": "affected",
"version": "72548b093ee38a6d4f2a19e6ef1948ae05c181f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"crypto/algif_aead.c",
"crypto/algif_skcipher.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings. Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T09:32:06.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667"
},
{
"url": "https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c"
},
{
"url": "https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b"
},
{
"url": "https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc"
},
{
"url": "https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82"
},
{
"url": "https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8"
},
{
"url": "https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237"
},
{
"url": "https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
}
],
"title": "crypto: algif_aead - Revert to operating out-of-place",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31431",
"datePublished": "2026-04-22T08:15:10.123Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-05-05T00:30:43.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31611 (GCVE-0-2026-31611)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
ksmbd: require 3 sub-authorities before reading sub_auth[2]
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require 3 sub-authorities before reading sub_auth[2]
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on
match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is
the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares
only min(num_subauth, 2) sub-authorities so a client SID with
num_subauth = 2 and sub_auth = {88, 3} will match.
If num_subauth = 2 and the ACE is placed at the very end of the security
descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The
out-of-band bytes will then be masked to the low 9 bits and applied as
the file's POSIX mode, probably not something that is good to have
happen.
Fix this up by forcing the SID to actually carry a third sub-authority
before reading it at all.
Severity
8.6 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < b5b5d5936a50497fb151c0b122899a6894721c2b (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < 08f9e6d899b5c834bbcc239eae1bed58d9b15d2c (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < d2454f4a002d08560a60f214f392e6491cf11560 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < 46bbcd3ebfb3549c8da1838fc4493e79bd3241e7 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < 9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9, < 53370cf9090777774e07fd9a8ebce67c6cc333ab (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smbacl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5b5d5936a50497fb151c0b122899a6894721c2b",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "08f9e6d899b5c834bbcc239eae1bed58d9b15d2c",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "d2454f4a002d08560a60f214f392e6491cf11560",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "46bbcd3ebfb3549c8da1838fc4493e79bd3241e7",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "53370cf9090777774e07fd9a8ebce67c6cc333ab",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smbacl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require 3 sub-authorities before reading sub_auth[2]\n\nparse_dacl() compares each ACE SID against sid_unix_NFS_mode and on\nmatch reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is\nthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares\nonly min(num_subauth, 2) sub-authorities so a client SID with\nnum_subauth = 2 and sub_auth = {88, 3} will match.\n\nIf num_subauth = 2 and the ACE is placed at the very end of the security\ndescriptor, sub_auth[2] will be 4 bytes past end_of_acl. The\nout-of-band bytes will then be masked to the low 9 bits and applied as\nthe file\u0027s POSIX mode, probably not something that is good to have\nhappen.\n\nFix this up by forcing the SID to actually carry a third sub-authority\nbefore reading it at all."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:23.206Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b"
},
{
"url": "https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c"
},
{
"url": "https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560"
},
{
"url": "https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7"
},
{
"url": "https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a"
},
{
"url": "https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab"
}
],
"title": "ksmbd: require 3 sub-authorities before reading sub_auth[2]",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31611",
"datePublished": "2026-04-24T14:42:32.124Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T14:04:23.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31664 (GCVE-0-2026-31664)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
xfrm: clear trailing padding in build_polexpire()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.
The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.
Add the missing memset_after() call, matching build_expire().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < ac6985903db047eaff54db929e4bf6b06782788e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < c221ed63a2769a0af8bd849dfe25740048f34ef4 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < eda30846ea54f8ed218468e5480c8305ca645e37 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b1dfd6b27df35ef4f87825aa5f607378d23ff0f2 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < e1af65c669ebb1666c54576614c01a7f9ffcfff6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 71a98248c63c535eaa4d4c22f099b68d902006d0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac6985903db047eaff54db929e4bf6b06782788e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c221ed63a2769a0af8bd849dfe25740048f34ef4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eda30846ea54f8ed218468e5480c8305ca645e37",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b1dfd6b27df35ef4f87825aa5f607378d23ff0f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1af65c669ebb1666c54576614c01a7f9ffcfff6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "71a98248c63c535eaa4d4c22f099b68d902006d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:13.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e"
},
{
"url": "https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4"
},
{
"url": "https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37"
},
{
"url": "https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2"
},
{
"url": "https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6"
},
{
"url": "https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0"
}
],
"title": "xfrm: clear trailing padding in build_polexpire()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31664",
"datePublished": "2026-04-24T14:45:13.922Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:13.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31583 (GCVE-0-2026-31583)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
media: em28xx: fix use-after-free in em28xx_v4l2_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: em28xx: fix use-after-free in em28xx_v4l2_open()
em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,
creating a race with em28xx_v4l2_init()'s error path and
em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct
and set dev->v4l2 to NULL under dev->lock.
This race leads to two issues:
- use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,
since the video_device is embedded in the freed em28xx_v4l2 struct.
- NULL pointer dereference in em28xx_resolution_set() when accessing
v4l2->norm, since dev->v4l2 has been set to NULL.
Fix this by moving the mutex_lock() before the dev->v4l2 read and
adding a NULL check for dev->v4l2 under the lock.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < b5d141ea15f173f15b9f0a72965902f3428c0d92 (git) |
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < 5fb2940327722b4684d2f964b54c1c90aa277324 (git) |
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < 871b8ea8ef39a6c253594649f4339378fad3d0dd (git) |
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < 6b9e66437cc6123ddedac141e1b8b6fcf57d2972 (git) |
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < dd2b888e08d3b3d6aacd65d76cd44fac11da750f (git) |
| Linux | Linux | Affected: 8139a4d583abad45eb987b5a99b3281b6d435b7e, < a66485a934c7187ae8e36517d40615fa2e961cff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/em28xx/em28xx-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5d141ea15f173f15b9f0a72965902f3428c0d92",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
},
{
"lessThan": "5fb2940327722b4684d2f964b54c1c90aa277324",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
},
{
"lessThan": "871b8ea8ef39a6c253594649f4339378fad3d0dd",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
},
{
"lessThan": "6b9e66437cc6123ddedac141e1b8b6fcf57d2972",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
},
{
"lessThan": "dd2b888e08d3b3d6aacd65d76cd44fac11da750f",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
},
{
"lessThan": "a66485a934c7187ae8e36517d40615fa2e961cff",
"status": "affected",
"version": "8139a4d583abad45eb987b5a99b3281b6d435b7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/em28xx/em28xx-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev-\u003ev4l2 without holding dev-\u003elock,\ncreating a race with em28xx_v4l2_init()\u0027s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev-\u003ev4l2 to NULL under dev-\u003elock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev-\u003ectrl_handler,\n since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n v4l2-\u003enorm, since dev-\u003ev4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev-\u003ev4l2 read and\nadding a NULL check for dev-\u003ev4l2 under the lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:29.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5d141ea15f173f15b9f0a72965902f3428c0d92"
},
{
"url": "https://git.kernel.org/stable/c/5fb2940327722b4684d2f964b54c1c90aa277324"
},
{
"url": "https://git.kernel.org/stable/c/871b8ea8ef39a6c253594649f4339378fad3d0dd"
},
{
"url": "https://git.kernel.org/stable/c/6b9e66437cc6123ddedac141e1b8b6fcf57d2972"
},
{
"url": "https://git.kernel.org/stable/c/dd2b888e08d3b3d6aacd65d76cd44fac11da750f"
},
{
"url": "https://git.kernel.org/stable/c/a66485a934c7187ae8e36517d40615fa2e961cff"
}
],
"title": "media: em28xx: fix use-after-free in em28xx_v4l2_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31583",
"datePublished": "2026-04-24T14:42:12.923Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T13:56:29.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31670 (GCVE-0-2026-31670)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-25 05:48
Title
net: rfkill: prevent unlimited numbers of rfkill events from being created
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: prevent unlimited numbers of rfkill events from being created
Userspace can create an unlimited number of rfkill events if the system
is so configured, while not consuming them from the rfkill file
descriptor, causing a potential out of memory situation. Prevent this
from bounding the number of pending rfkill events at a "large" number
(i.e. 1000) to prevent abuses like this.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4 (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < e3842779547c83150569071d9980517cc9029fc0 (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 673d2a3eef6e0ee9736501a150c9e4024a4e60a6 (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 82843afc19012a29ba863961ef494165aa1a88f4 (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < a8c26800e0220e1550af012f5a20e50f5c78864d (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < 80ce4cb026f0a4c4532b6cad827b44debda6256a (git) |
| Linux | Linux | Affected: c64fb01627e24725d1f9d535e4426475a4415753, < ea245d78dec594372e27d8c79616baf49e98a4a1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rfkill/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "e3842779547c83150569071d9980517cc9029fc0",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "673d2a3eef6e0ee9736501a150c9e4024a4e60a6",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "82843afc19012a29ba863961ef494165aa1a88f4",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "a8c26800e0220e1550af012f5a20e50f5c78864d",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "80ce4cb026f0a4c4532b6cad827b44debda6256a",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
},
{
"lessThan": "ea245d78dec594372e27d8c79616baf49e98a4a1",
"status": "affected",
"version": "c64fb01627e24725d1f9d535e4426475a4415753",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rfkill/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: prevent unlimited numbers of rfkill events from being created\n\nUserspace can create an unlimited number of rfkill events if the system\nis so configured, while not consuming them from the rfkill file\ndescriptor, causing a potential out of memory situation. Prevent this\nfrom bounding the number of pending rfkill events at a \"large\" number\n(i.e. 1000) to prevent abuses like this."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:48:28.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bcd1615a4e2a185ae9edd27b4143d7dfa7134f4"
},
{
"url": "https://git.kernel.org/stable/c/b1e0c8d3ab58a0161db487bf5fc47adfcaf5d5ca"
},
{
"url": "https://git.kernel.org/stable/c/e3842779547c83150569071d9980517cc9029fc0"
},
{
"url": "https://git.kernel.org/stable/c/673d2a3eef6e0ee9736501a150c9e4024a4e60a6"
},
{
"url": "https://git.kernel.org/stable/c/82843afc19012a29ba863961ef494165aa1a88f4"
},
{
"url": "https://git.kernel.org/stable/c/a8c26800e0220e1550af012f5a20e50f5c78864d"
},
{
"url": "https://git.kernel.org/stable/c/80ce4cb026f0a4c4532b6cad827b44debda6256a"
},
{
"url": "https://git.kernel.org/stable/c/ea245d78dec594372e27d8c79616baf49e98a4a1"
}
],
"title": "net: rfkill: prevent unlimited numbers of rfkill events from being created",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31670",
"datePublished": "2026-04-24T14:45:17.958Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-25T05:48:28.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31634 (GCVE-0-2026-31634)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-24 14:44
Title
rxrpc: fix reference count leak in rxrpc_server_keyring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix reference count leak in rxrpc_server_keyring()
This patch fixes a reference count leak in rxrpc_server_keyring()
by checking if rx->securities is already set.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < fc76d0bd00850b7372f0a4a319c0c60f80487632 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 9ce36d28f67c2a477a7e2f03480de3f6783fb363 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 12de9e0e0b0b7058be7dfb8a5927eb565bc25780 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 139c750bf06649097d98b0bc41e2a678b4627e27 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < f125846ee79fcae537a964ce66494e96fa54a6de (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/server_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc76d0bd00850b7372f0a4a319c0c60f80487632",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "9ce36d28f67c2a477a7e2f03480de3f6783fb363",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "12de9e0e0b0b7058be7dfb8a5927eb565bc25780",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "139c750bf06649097d98b0bc41e2a678b4627e27",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "f125846ee79fcae537a964ce66494e96fa54a6de",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/server_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx-\u003esecurities is already set."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:44:49.307Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc76d0bd00850b7372f0a4a319c0c60f80487632"
},
{
"url": "https://git.kernel.org/stable/c/c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2"
},
{
"url": "https://git.kernel.org/stable/c/9ce36d28f67c2a477a7e2f03480de3f6783fb363"
},
{
"url": "https://git.kernel.org/stable/c/12de9e0e0b0b7058be7dfb8a5927eb565bc25780"
},
{
"url": "https://git.kernel.org/stable/c/8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a"
},
{
"url": "https://git.kernel.org/stable/c/139c750bf06649097d98b0bc41e2a678b4627e27"
},
{
"url": "https://git.kernel.org/stable/c/f125846ee79fcae537a964ce66494e96fa54a6de"
}
],
"title": "rxrpc: fix reference count leak in rxrpc_server_keyring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31634",
"datePublished": "2026-04-24T14:44:49.307Z",
"dateReserved": "2026-03-09T15:48:24.125Z",
"dateUpdated": "2026-04-24T14:44:49.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31700 (GCVE-0-2026-31700)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-03 05:45
Title
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.
The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.
Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121 (git) |
| Linux | Linux | Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 3a1bf9116ea31470b89692585c3910dfe830dcdd (git) |
| Linux | Linux | Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 28324a3b62d9ce7f9bdd65a8ce63f382041d1b27 (git) |
| Linux | Linux | Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b (git) |
| Linux | Linux | Affected: 1d036d25e5609ba73fee6a88db01c306b140d512 , < 2c054e17d9d41f1020376806c7f750834ced4dc5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "3a1bf9116ea31470b89692585c3910dfe830dcdd",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "28324a3b62d9ce7f9bdd65a8ce63f382041d1b27",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
},
{
"lessThan": "2c054e17d9d41f1020376806c7f750834ced4dc5",
"status": "affected",
"version": "1d036d25e5609ba73fee6a88db01c306b140d512",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap\u0027d TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap\u0027d ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:25.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74e2db36fe50e3ad9d5300d7fd0e6e2a15a6d121"
},
{
"url": "https://git.kernel.org/stable/c/3a1bf9116ea31470b89692585c3910dfe830dcdd"
},
{
"url": "https://git.kernel.org/stable/c/28324a3b62d9ce7f9bdd65a8ce63f382041d1b27"
},
{
"url": "https://git.kernel.org/stable/c/48a6ef291a17639e1b6ae0fbe9c8b2bb87d7804b"
},
{
"url": "https://git.kernel.org/stable/c/2c054e17d9d41f1020376806c7f750834ced4dc5"
}
],
"title": "net/packet: fix TOCTOU race on mmap\u0027d vnet_hdr in tpacket_snd()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31700",
"datePublished": "2026-05-01T13:56:00.205Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-03T05:45:25.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31646 (GCVE-0-2026-31646)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-24 14:44
Title
net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
page_pool_create() can return an ERR_PTR on failure. The return value
is used unconditionally in the loop that follows, passing the error
pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),
which dereferences it, causing a kernel oops.
Add an IS_ERR check after page_pool_create() to return early on failure.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 11871aba19748b3387e83a2db6360aa7119e9a1a , < e63265f188ea39dcf5f546770650027528f3bd0f (git) |
| Linux | Linux | Affected: 11871aba19748b3387e83a2db6360aa7119e9a1a , < 305832c53551cfbe6e5b81ca7ee765e60f4fe8e9 (git) |
| Linux | Linux | Affected: 11871aba19748b3387e83a2db6360aa7119e9a1a , < b5dcb41ba891b55157006cac79825c78a32b409e (git) |
| Linux | Linux | Affected: 11871aba19748b3387e83a2db6360aa7119e9a1a , < 7caf90d9ab97951a58d1de85ab7e7d7cca7a4513 (git) |
| Linux | Linux | Affected: 11871aba19748b3387e83a2db6360aa7119e9a1a , < 3fd0da4fd8851a7e62d009b7db6c4a05b092bc19 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63265f188ea39dcf5f546770650027528f3bd0f",
"status": "affected",
"version": "11871aba19748b3387e83a2db6360aa7119e9a1a",
"versionType": "git"
},
{
"lessThan": "305832c53551cfbe6e5b81ca7ee765e60f4fe8e9",
"status": "affected",
"version": "11871aba19748b3387e83a2db6360aa7119e9a1a",
"versionType": "git"
},
{
"lessThan": "b5dcb41ba891b55157006cac79825c78a32b409e",
"status": "affected",
"version": "11871aba19748b3387e83a2db6360aa7119e9a1a",
"versionType": "git"
},
{
"lessThan": "7caf90d9ab97951a58d1de85ab7e7d7cca7a4513",
"status": "affected",
"version": "11871aba19748b3387e83a2db6360aa7119e9a1a",
"versionType": "git"
},
{
"lessThan": "3fd0da4fd8851a7e62d009b7db6c4a05b092bc19",
"status": "affected",
"version": "11871aba19748b3387e83a2db6360aa7119e9a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:44:59.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63265f188ea39dcf5f546770650027528f3bd0f"
},
{
"url": "https://git.kernel.org/stable/c/305832c53551cfbe6e5b81ca7ee765e60f4fe8e9"
},
{
"url": "https://git.kernel.org/stable/c/b5dcb41ba891b55157006cac79825c78a32b409e"
},
{
"url": "https://git.kernel.org/stable/c/7caf90d9ab97951a58d1de85ab7e7d7cca7a4513"
},
{
"url": "https://git.kernel.org/stable/c/3fd0da4fd8851a7e62d009b7db6c4a05b092bc19"
}
],
"title": "net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31646",
"datePublished": "2026-04-24T14:44:59.874Z",
"dateReserved": "2026-03-09T15:48:24.127Z",
"dateUpdated": "2026-04-24T14:44:59.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31681 (GCVE-0-2026-31681)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 13:57
Title
netfilter: xt_multiport: validate range encoding in checkentry
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_multiport: validate range encoding in checkentry
ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.
The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.
Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 , < 36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16 (git) |
| Linux | Linux | Affected: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 , < aec14808271f2bf2b656de6ff12dfe73c5fd3b67 (git) |
| Linux | Linux | Affected: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 , < 8368ce8eb01f0b91111d814703696e780d0ef12f (git) |
| Linux | Linux | Affected: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 , < 1e4baa853f1cc4227e04f52d6860524707cfb294 (git) |
| Linux | Linux | Affected: a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 , < ff64c5bfef12461df8450e0f50bb693b5269c720 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_multiport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "aec14808271f2bf2b656de6ff12dfe73c5fd3b67",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "8368ce8eb01f0b91111d814703696e780d0ef12f",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "1e4baa853f1cc4227e04f52d6860524707cfb294",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
},
{
"lessThan": "ff64c5bfef12461df8450e0f50bb693b5269c720",
"status": "affected",
"version": "a89ecb6a2ef732d04058d87801e2b6bd7e5c7089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_multiport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_multiport: validate range encoding in checkentry\n\nports_match_v1() treats any non-zero pflags entry as the start of a\nport range and unconditionally consumes the next ports[] element as\nthe range end.\n\nThe checkentry path currently validates protocol, flags and count, but\nit does not validate the range encoding itself. As a result, malformed\nrules can mark the last slot as a range start or place two range starts\nback to back, leaving ports_match_v1() to step past the last valid\nports[] element while interpreting the rule.\n\nReject malformed multiport v1 rules in checkentry by validating that\neach range start has a following element and that the following element\nis not itself marked as another range start."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:57:13.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16"
},
{
"url": "https://git.kernel.org/stable/c/aec14808271f2bf2b656de6ff12dfe73c5fd3b67"
},
{
"url": "https://git.kernel.org/stable/c/8368ce8eb01f0b91111d814703696e780d0ef12f"
},
{
"url": "https://git.kernel.org/stable/c/1e4baa853f1cc4227e04f52d6860524707cfb294"
},
{
"url": "https://git.kernel.org/stable/c/ff64c5bfef12461df8450e0f50bb693b5269c720"
}
],
"title": "netfilter: xt_multiport: validate range encoding in checkentry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31681",
"datePublished": "2026-04-25T08:46:57.995Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T13:57:13.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31610 (GCVE-0-2026-31610)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it
walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken
[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates
conn->mechToken immediately via kmemdup_nul(). If a later element in
the same blob is malformed, then the decoder will return nonzero after
the allocation is already live. This could happen if mechListMIC [3]
overruns the enclosing SEQUENCE.
decode_negotiation_token() then sets conn->use_spnego = false because
both the negTokenInit and negTokenTarg grammars failed. The cleanup at
the bottom of smb2_sess_setup() is gated on use_spnego:
	if (conn->use_spnego && conn->mechToken) {
		kfree(conn->mechToken);
		conn->mechToken = NULL;
	}
so the kfree is skipped, causing the mechToken to never be freed.
This codepath is reachable pre-authentication, so untrusted clients can
cause slow memory leaks on a server without even being properly
authenticated.
Fix this up by not checking for use_spnego, as it's not required,
so the memory will always be properly freed. At the same time, always
free the memory in ksmbd_conn_free() in case some other failure path
forgot to free it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < 745a535461bbb90a56d9357573c9f97a5c12abe1 (git) |
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < dd577cb55588ec3fbc66af3621280306601c4192 (git) |
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < dd53414e301beb915fe672dc4c4a51bafb917604 (git) |
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < 269c800a7a7e363459291885b35f7bc72e231ed6 (git) |
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < 6c8c44e6553b9f072f62d9875e567766eb293162 (git) |
| Linux | Linux | Affected: fad4161b5cd01a24202234976ebbb133f7adc0b5, < ad0057fb91218914d6c98268718ceb9d59b388e1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/connection.c",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "745a535461bbb90a56d9357573c9f97a5c12abe1",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
},
{
"lessThan": "dd577cb55588ec3fbc66af3621280306601c4192",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
},
{
"lessThan": "dd53414e301beb915fe672dc4c4a51bafb917604",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
},
{
"lessThan": "269c800a7a7e363459291885b35f7bc72e231ed6",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
},
{
"lessThan": "6c8c44e6553b9f072f62d9875e567766eb293162",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
},
{
"lessThan": "ad0057fb91218914d6c98268718ceb9d59b388e1",
"status": "affected",
"version": "fad4161b5cd01a24202234976ebbb133f7adc0b5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/connection.c",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input. When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn-\u003emechToken immediately via kmemdup_nul(). If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live. This could happen if mechListMIC [3]\noverrunse the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn-\u003euse_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed. The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn-\u003euse_spnego \u0026\u0026 conn-\u003emechToken) {\n\t\tkfree(conn-\u003emechToken);\n\t\tconn-\u003emechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking check for use_spnego, as it\u0027s not required,\nso the memory will always be properly freed. At the same time, always\nfree the memory in ksmbd_conn_free() incase some other failure path\nforgot to free it."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:49.304Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/745a535461bbb90a56d9357573c9f97a5c12abe1"
},
{
"url": "https://git.kernel.org/stable/c/dd577cb55588ec3fbc66af3621280306601c4192"
},
{
"url": "https://git.kernel.org/stable/c/dd53414e301beb915fe672dc4c4a51bafb917604"
},
{
"url": "https://git.kernel.org/stable/c/269c800a7a7e363459291885b35f7bc72e231ed6"
},
{
"url": "https://git.kernel.org/stable/c/6c8c44e6553b9f072f62d9875e567766eb293162"
},
{
"url": "https://git.kernel.org/stable/c/ad0057fb91218914d6c98268718ceb9d59b388e1"
}
],
"title": "ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31610",
"datePublished": "2026-04-24T14:42:31.471Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T13:56:49.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31668 (GCVE-0-2026-31668)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
Summary
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared
between seg6_input_core() and seg6_output_core(). These two paths
can perform the post-encap SID lookup in different routing contexts
(e.g., ip rules matching on the ingress interface, or VRF table
separation). Whichever path runs first populates the cache, and the
other reuses it blindly, bypassing its own lookup.
Fix this by splitting the cache into cache_input and cache_output,
so each path maintains its own cached dst independently.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 1dec91d3b1cefb82635761b7812154af3ef46449 (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 750569d6987a0ff46317a4b86eb3907e296287bf (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 57d0374d14fa667dec6952173b93e7e84486d5c9 (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 84d458018b147176b259347103fccb7e93abd2b1 (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 6305ad032b03d2ea4181b953a66e19a9a6ed053c (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < fb56de5d99218de49d5d43ef3a99e062ecd0f9a1 (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < 17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a (git) |
| Linux | Linux | Affected: 6c8702c60b88651072460f3f4026c7dfe2521d12, < c3812651b522fe8437ebb7063b75ddb95b571643 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dec91d3b1cefb82635761b7812154af3ef46449",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "750569d6987a0ff46317a4b86eb3907e296287bf",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "57d0374d14fa667dec6952173b93e7e84486d5c9",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "84d458018b147176b259347103fccb7e93abd2b1",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "6305ad032b03d2ea4181b953a66e19a9a6ed053c",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "fb56de5d99218de49d5d43ef3a99e062ecd0f9a1",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
},
{
"lessThan": "c3812651b522fe8437ebb7063b75ddb95b571643",
"status": "affected",
"version": "6c8702c60b88651072460f3f4026c7dfe2521d12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: separate dst_cache for input and output paths in seg6 lwtunnel\n\nThe seg6 lwtunnel uses a single dst_cache per encap route, shared\nbetween seg6_input_core() and seg6_output_core(). These two paths\ncan perform the post-encap SID lookup in different routing contexts\n(e.g., ip rules matching on the ingress interface, or VRF table\nseparation). Whichever path runs first populates the cache, and the\nother reuses it blindly, bypassing its own lookup.\n\nFix this by splitting the cache into cache_input and cache_output,\nso each path maintains its own cached dst independently."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:52.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dec91d3b1cefb82635761b7812154af3ef46449"
},
{
"url": "https://git.kernel.org/stable/c/750569d6987a0ff46317a4b86eb3907e296287bf"
},
{
"url": "https://git.kernel.org/stable/c/57d0374d14fa667dec6952173b93e7e84486d5c9"
},
{
"url": "https://git.kernel.org/stable/c/84d458018b147176b259347103fccb7e93abd2b1"
},
{
"url": "https://git.kernel.org/stable/c/6305ad032b03d2ea4181b953a66e19a9a6ed053c"
},
{
"url": "https://git.kernel.org/stable/c/fb56de5d99218de49d5d43ef3a99e062ecd0f9a1"
},
{
"url": "https://git.kernel.org/stable/c/17d87d42874f5d6c1a0ccc6d9190dfe82a9a7a6a"
},
{
"url": "https://git.kernel.org/stable/c/c3812651b522fe8437ebb7063b75ddb95b571643"
}
],
"title": "seg6: separate dst_cache for input and output paths in seg6 lwtunnel",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31668",
"datePublished": "2026-04-24T14:45:16.630Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:52.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31627 (GCVE-0-2026-31627)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
i2c: s3c24xx: check the size of the SMBUS message before using it
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: s3c24xx: check the size of the SMBUS message before using it
The first byte of an i2c SMBUS message is the size, and it should be
verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
before processing it.
This is the same logic that was added in commit a6e04f05ce0b ("i2c:
tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < fa00738ab30b07db1a43b9c85fc56b8cc3b7d197 (git) |
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < d87d5620125a03b1eadbd5df39748215d3db7ddb (git) |
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < 377fae22a137b6b89f3f32399a58c52cf2325416 (git) |
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < 71b3c316b22c555d2769126a92b1244b15a9750d (git) |
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b (git) |
| Linux | Linux | Affected: 85747311ecb6167c989093c64a13807366fdd3a9, < c0128c7157d639a931353ea344fb44aad6d6e17a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-s3c2410.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa00738ab30b07db1a43b9c85fc56b8cc3b7d197",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
},
{
"lessThan": "d87d5620125a03b1eadbd5df39748215d3db7ddb",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
},
{
"lessThan": "377fae22a137b6b89f3f32399a58c52cf2325416",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
},
{
"lessThan": "71b3c316b22c555d2769126a92b1244b15a9750d",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
},
{
"lessThan": "aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
},
{
"lessThan": "c0128c7157d639a931353ea344fb44aad6d6e17a",
"status": "affected",
"version": "85747311ecb6167c989093c64a13807366fdd3a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-s3c2410.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: s3c24xx: check the size of the SMBUS message before using it\n\nThe first byte of an i2c SMBUS message is the size, and it should be\nverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX\nbefore processing it.\n\nThis is the same logic that was added in commit a6e04f05ce0b (\"i2c:\ntegra: check msg length in SMBUS block read\") to the i2c tegra driver."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:28.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa00738ab30b07db1a43b9c85fc56b8cc3b7d197"
},
{
"url": "https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb"
},
{
"url": "https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416"
},
{
"url": "https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d"
},
{
"url": "https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b"
},
{
"url": "https://git.kernel.org/stable/c/c0128c7157d639a931353ea344fb44aad6d6e17a"
}
],
"title": "i2c: s3c24xx: check the size of the SMBUS message before using it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31627",
"datePublished": "2026-04-24T14:42:48.342Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T14:04:28.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31629 (GCVE-0-2026-31629)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
nfc: llcp: add missing return after LLCP_CLOSED checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: add missing return after LLCP_CLOSED checks
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket
state is LLCP_CLOSED, the code correctly calls release_sock() and
nfc_llcp_sock_put() but fails to return. Execution falls through to
the remainder of the function, which calls release_sock() and
nfc_llcp_sock_put() again. This results in a double release_sock()
and a refcount underflow via double nfc_llcp_sock_put(), leading to
a use-after-free.
Add the missing return statements after the LLCP_CLOSED branches
in both functions to prevent the fall-through.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < 0eb1263a3b8c36418c9ba295c9ab3abed664edbf (git) |
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < 796e0cac058252d0ad34ebe288e6f7979b5fc9b2 (git) |
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < 8977fad2b3c6eefd414131168d597c5d1d5e1abf (git) |
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < ff3d9e8f7244293e303f7b6ef70774291c7c27e9 (git) |
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < aba4712e8f0381cd5d196534ce2ad082626a5ab6 (git) |
| Linux | Linux | Affected: d646960f7986fefb460a2b062d5ccc8ccfeacc3a, < 2b5dd4632966c39da6ba74dbc8689b309065e82c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0eb1263a3b8c36418c9ba295c9ab3abed664edbf",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "796e0cac058252d0ad34ebe288e6f7979b5fc9b2",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "8977fad2b3c6eefd414131168d597c5d1d5e1abf",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "ff3d9e8f7244293e303f7b6ef70774291c7c27e9",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "aba4712e8f0381cd5d196534ce2ad082626a5ab6",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
},
{
"lessThan": "2b5dd4632966c39da6ba74dbc8689b309065e82c",
"status": "affected",
"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:29.998Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf"
},
{
"url": "https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2"
},
{
"url": "https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf"
},
{
"url": "https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"
},
{
"url": "https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6"
},
{
"url": "https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c"
}
],
"title": "nfc: llcp: add missing return after LLCP_CLOSED checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31629",
"datePublished": "2026-04-24T14:42:49.849Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T14:04:29.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31659 (GCVE-0-2026-31659)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
batman-adv: reject oversized global TT response buffers
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a
global TT response in 16-bit temporaries. When a remote originator
advertises a large enough global TT, the TT payload length plus the VLAN
header offset can exceed 65535 and wrap before kmalloc().
The full-table response path still uses the original TT payload length when
it fills tt_change, so the wrapped allocation is too small and
batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object
before the later packet-size check runs.
Fix this by rejecting TT responses whose TVLV value length cannot fit in
the 16-bit TVLV payload length field.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < 7e5d007e0df946bffb8542fb112e0044014a5897 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < 2997f4bd1f982e7013709946e00be89b507693fa (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < 95c71365a2222908441b54d6f2c315e0c79fcec3 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < 69d61639bc7e963c3b645e570279d731e7c89062 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < f970646b9a39539d1bac86822ac78b5915455ea9 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < de6c1dc3c7d01a152607e6fcecee4d5288283f10 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < cf2199171ef799ca7270019125f4a91bd20ad4d9 (git) |
| Linux | Linux | Affected: 7ea7b4a142758deaf46c1af0ca9ceca6dd55138b, < 3a359bf5c61d52e7f09754108309d637532164a6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/translation-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e5d007e0df946bffb8542fb112e0044014a5897",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "2997f4bd1f982e7013709946e00be89b507693fa",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "95c71365a2222908441b54d6f2c315e0c79fcec3",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "69d61639bc7e963c3b645e570279d731e7c89062",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "f970646b9a39539d1bac86822ac78b5915455ea9",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "de6c1dc3c7d01a152607e6fcecee4d5288283f10",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "cf2199171ef799ca7270019125f4a91bd20ad4d9",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
},
{
"lessThan": "3a359bf5c61d52e7f09754108309d637532164a6",
"status": "affected",
"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/translation-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:46.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897"
},
{
"url": "https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa"
},
{
"url": "https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3"
},
{
"url": "https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062"
},
{
"url": "https://git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9"
},
{
"url": "https://git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10"
},
{
"url": "https://git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9"
},
{
"url": "https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6"
}
],
"title": "batman-adv: reject oversized global TT response buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31659",
"datePublished": "2026-04-24T14:45:10.254Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:46.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31637 (GCVE-0-2026-31637)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-27 14:04
Title
rxrpc: reject undecryptable rxkad response tickets
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: reject undecryptable rxkad response tickets
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
parses the buffer as plaintext without checking whether
crypto_skcipher_decrypt() succeeded.
A malformed RESPONSE can therefore use a non-block-aligned ticket
length, make the decrypt operation fail, and still drive the ticket
parser with attacker-controlled bytes.
Check the decrypt result and abort the connection with RXKADBADTICKET
when ticket decryption fails.
Severity
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < a149dcae23309df9de1c3b6b5d468610ef5ab7de (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 22f6258e7b31dba9bf88dce4e3ee7f0f20072e60 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 58fcd1b156152613ba00a064a129fb69507ddd7d (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < fe4447cd95623b1cfacc15f280aab73a6d7340b2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/rxkad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "a149dcae23309df9de1c3b6b5d468610ef5ab7de",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "22f6258e7b31dba9bf88dce4e3ee7f0f20072e60",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "58fcd1b156152613ba00a064a129fb69507ddd7d",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "fe4447cd95623b1cfacc15f280aab73a6d7340b2",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/rxkad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption fails."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:36.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a"
},
{
"url": "https://git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7de"
},
{
"url": "https://git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60"
},
{
"url": "https://git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7d"
},
{
"url": "https://git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2"
}
],
"title": "rxrpc: reject undecryptable rxkad response tickets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31637",
"datePublished": "2026-04-24T14:44:51.364Z",
"dateReserved": "2026-03-09T15:48:24.125Z",
"dateUpdated": "2026-04-27T14:04:36.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31578 (GCVE-0-2026-31578)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
media: as102: fix to not free memory after the device is registered in as102_usb_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: as102: fix to not free memory after the device is registered in as102_usb_probe()
In as102_usb driver, the following race condition occurs:
```
CPU0                                CPU1
as102_usb_probe()
  kzalloc(); // alloc as102_dev_t
  ....
  usb_register_dev();
                                    fd = sys_open("/path/to/dev"); // open as102 fd
                                    ....
  usb_deregister_dev();
  ....
  kfree(); // free as102_dev_t
  ....
                                    sys_close(fd);
                                      as102_release() // UAF!!
                                        as102_usb_release()
                                          kfree(); // DFB!!
```
When a USB character device registered with usb_register_dev() is later
unregistered (via usb_deregister_dev() or disconnect), the device node is
removed so new open() calls fail. However, file descriptors that are
already open do not go away immediately: they remain valid until the last
reference is dropped and the driver's .release() is invoked.
In as102, as102_usb_probe() calls usb_register_dev() and then, on an
error path, does usb_deregister_dev() and frees as102_dev_t right away.
If userspace raced a successful open() before the deregistration, that
open FD will later hit as102_release() --> as102_usb_release() and access
or free as102_dev_t again, causing a race that leads to use-after-free and
double-free vulnerabilities.
The fix is to never kfree(as102_dev_t) directly once usb_register_dev()
has succeeded. After deregistration, defer freeing memory to .release().
In other words, let release() perform the last kfree when the final open
FD is closed.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < cb8092038e95dc1113a68e63762de40fff61ba71 (git) |
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < 582fbecb3756330006fe1950762412a68c2cacd2 (git) |
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < 09e9206008b887aa553733bd915d73131071a086 (git) |
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < 2eeae47a438694408189138048a786be99954032 (git) |
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < 7e5aedf6059cba2a669d86caeaf5a51f33ec85a1 (git) |
| Linux | Linux | Affected: cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c , < 8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/as102/as102_usb_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb8092038e95dc1113a68e63762de40fff61ba71",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
},
{
"lessThan": "582fbecb3756330006fe1950762412a68c2cacd2",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
},
{
"lessThan": "09e9206008b887aa553733bd915d73131071a086",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
},
{
"lessThan": "2eeae47a438694408189138048a786be99954032",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
},
{
"lessThan": "7e5aedf6059cba2a669d86caeaf5a51f33ec85a1",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
},
{
"lessThan": "8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c",
"status": "affected",
"version": "cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/as102/as102_usb_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n kzalloc(); // alloc as102_dev_t\n ....\n usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n usb_deregister_dev();\n ....\n kfree(); // free as102_dev_t\n ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t as102_release() // UAF!!\n\t\t\t\t\t\t as102_usb_release()\n\t\t\t\t\t\t kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver\u0027s .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --\u003e as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:26.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb8092038e95dc1113a68e63762de40fff61ba71"
},
{
"url": "https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2"
},
{
"url": "https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086"
},
{
"url": "https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032"
},
{
"url": "https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1"
},
{
"url": "https://git.kernel.org/stable/c/8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c"
}
],
"title": "media: as102: fix to not free memory after the device is registered in as102_usb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31578",
"datePublished": "2026-04-24T14:42:09.519Z",
"dateReserved": "2026-03-09T15:48:24.119Z",
"dateUpdated": "2026-04-27T13:56:26.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31673 (GCVE-0-2026-31673)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:04
Title
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference after unlocking.
Read the inode and device numbers for UNIX_DIAG_VFS while holding
unix_state_lock(), then emit the netlink attribute after dropping the
lock.
This keeps the VFS data stable while the reply is being built.
Severity
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < b9232421a77a649c9376c99fdfc8cb7f79cad34c (git) |
| Linux | Linux | Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 0c739f3785f84af695952c2bac8be2f45082c9b8 (git) |
| Linux | Linux | Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 900a4e0910e98b8caef117d5df00471fa438dcf9 (git) |
| Linux | Linux | Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < bdf206e740bf2919d818f132c8c9cc7ed91d11c0 (git) |
| Linux | Linux | Affected: 5f7b0569460b7d8d01ca776430a00505a68b7584 , < 39897df386376912d561d4946499379effa1e7ef (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9232421a77a649c9376c99fdfc8cb7f79cad34c",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "0c739f3785f84af695952c2bac8be2f45082c9b8",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "900a4e0910e98b8caef117d5df00471fa438dcf9",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "bdf206e740bf2919d818f132c8c9cc7ed91d11c0",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
},
{
"lessThan": "39897df386376912d561d4946499379effa1e7ef",
"status": "affected",
"version": "5f7b0569460b7d8d01ca776430a00505a68b7584",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu-\u003epath. Meanwhile, unix_release_sock() clears u-\u003epath under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:54.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c"
},
{
"url": "https://git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8"
},
{
"url": "https://git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9"
},
{
"url": "https://git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0"
},
{
"url": "https://git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef"
}
],
"title": "af_unix: read UNIX_DIAG_VFS data under unix_state_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31673",
"datePublished": "2026-04-25T08:46:49.246Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:54.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31685 (GCVE-0-2026-31685)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-04-27 14:05
Title
netfilter: ip6t_eui64: reject invalid MAC header for all packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Severity
9.4 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 288138418bef956f8b295751a4536c60f0e89f4a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 807d6ee15804df6f01a35c910f09612e858739a6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 309ae3e9a51a69699ca94eac5fac5688fa562d55 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fdce0b3590f724540795b874b4c8850c90e6b0a8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "288138418bef956f8b295751a4536c60f0e89f4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9eda5478746ef7dc0e4e537b5a5e4b0ca1027091",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "807d6ee15804df6f01a35c910f09612e858739a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "309ae3e9a51a69699ca94eac5fac5688fa562d55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdce0b3590f724540795b874b4c8850c90e6b0a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/netfilter/ip6t_eui64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:05:04.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a"
},
{
"url": "https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091"
},
{
"url": "https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6"
},
{
"url": "https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55"
},
{
"url": "https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8"
}
],
"title": "netfilter: ip6t_eui64: reject invalid MAC header for all packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31685",
"datePublished": "2026-04-25T08:47:02.857Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-04-27T14:05:04.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31657 (GCVE-0-2026-31657)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
batman-adv: hold claim backbone gateways by reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old
gateway's last reference while readers still follow the pointer.
The netlink claim dump path dereferences claim->backbone_gw->orig and
takes claim->backbone_gw->crc_lock without pinning the underlying
backbone gateway. batadv_bla_check_claim() still has the same naked
pointer access pattern.
Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate
on a stable gateway reference until the read-side work is complete.
This keeps the dump and claim-check paths aligned with the lifetime
rules introduced for the other BLA claim readers.
Severity
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < f4858832ddef2f39f21e30b7226bbcd3c4b2bc96 (git) |
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 2f55b58b5a0bbed192d60c444a45a49cdf1b545f (git) |
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 7962b522222628596ca9ecc8722efc95367aadbd (git) |
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 4dee4c0688443aaf5bbec74aa203c851d1d53c35 (git) |
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 1f2dc36c297d27733f1b380ea644cf15a361bd7b (git) |
| Linux | Linux | Affected: 23721387c409087fd3b97e274f34d3ddc0970b74 , < 82d8701b2c930d0e96b0dbc9115a218d791cb0d2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4858832ddef2f39f21e30b7226bbcd3c4b2bc96",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "2f55b58b5a0bbed192d60c444a45a49cdf1b545f",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "7962b522222628596ca9ecc8722efc95367aadbd",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "4dee4c0688443aaf5bbec74aa203c851d1d53c35",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "1f2dc36c297d27733f1b380ea644cf15a361bd7b",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
},
{
"lessThan": "82d8701b2c930d0e96b0dbc9115a218d791cb0d2",
"status": "affected",
"version": "23721387c409087fd3b97e274f34d3ddc0970b74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/batman-adv/bridge_loop_avoidance.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim-\u003ebackbone_gw and drop the old\ngateway\u0027s last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim-\u003ebackbone_gw-\u003eorig and\ntakes claim-\u003ebackbone_gw-\u003ecrc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:44.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96"
},
{
"url": "https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f"
},
{
"url": "https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd"
},
{
"url": "https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35"
},
{
"url": "https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b"
},
{
"url": "https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2"
}
],
"title": "batman-adv: hold claim backbone gateways by reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31657",
"datePublished": "2026-04-24T14:45:08.867Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:44.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31599 (GCVE-0-2026-31599)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation
failure, but vidtv_channel_pmt_match_sections() does not check for
this. When tail is NULL, the subsequent call to
vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL
pointer offset, causing a general protection fault.
Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean
up the already-allocated stream chain and return.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
Call Trace:
<TASK>
vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < b7efb4c94797c504a1c678edb48c2aa311d3309f (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < e589de36da106ef739ba98f66f5a5c2023370706 (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 2dff11fb5098ae453651f8f77e94ad499c078022 (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < b832cfd516b8504e95884622cee60bf9a39b7945 (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 07c1e474cf9acf777f09d14a8f8dfcef5b84e46f (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < f8e1fc918a9fe67103bcda01d20d745f264d00a7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7efb4c94797c504a1c678edb48c2aa311d3309f",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "e589de36da106ef739ba98f66f5a5c2023370706",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "2dff11fb5098ae453651f8f77e94ad499c078022",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "b832cfd516b8504e95884622cee60bf9a39b7945",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "07c1e474cf9acf777f09d14a8f8dfcef5b84e46f",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "f8e1fc918a9fe67103bcda01d20d745f264d00a7",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(\u0026tail-\u003edescriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n \u003cTASK\u003e\n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:42.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7efb4c94797c504a1c678edb48c2aa311d3309f"
},
{
"url": "https://git.kernel.org/stable/c/e589de36da106ef739ba98f66f5a5c2023370706"
},
{
"url": "https://git.kernel.org/stable/c/2dff11fb5098ae453651f8f77e94ad499c078022"
},
{
"url": "https://git.kernel.org/stable/c/b832cfd516b8504e95884622cee60bf9a39b7945"
},
{
"url": "https://git.kernel.org/stable/c/07c1e474cf9acf777f09d14a8f8dfcef5b84e46f"
},
{
"url": "https://git.kernel.org/stable/c/f8e1fc918a9fe67103bcda01d20d745f264d00a7"
}
],
"title": "media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31599",
"datePublished": "2026-04-24T14:42:23.961Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-27T13:56:42.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31625 (GCVE-0-2026-31625)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:57
Title
HID: alps: fix NULL pointer dereference in alps_raw_event()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: alps: fix NULL pointer dereference in alps_raw_event()
Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event
callbacks missing them") attempted to fix up the HID drivers that had
missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir:
Fix potential NULL dereference at raw event handle"), but the alps
driver was missed.
Fix this up by properly checking in the hid-alps driver that it had been
claimed correctly before attempting to process the raw event.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < c8cc765253ad89ccc106a7bdeb5aeac6cf963078 (git) |
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < 8eed7bce7a4c41ab28ee4891103623a12fd41611 (git) |
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < 0091dfa542a362c178a7e9393097138a57d327d1 (git) |
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < 4b618248d2307a219d9431a730cfe1156c8e3386 (git) |
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < ee2cb3ddfdca949dbc0c3f796ed5a439f0efc9f6 (git) |
| Linux | Linux | Affected: 73196ebe134d11a68a2e27814c489d685cfc8b03 , < 1badfc4319224820d5d890f8eab6aa52e4e83339 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8cc765253ad89ccc106a7bdeb5aeac6cf963078",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
},
{
"lessThan": "8eed7bce7a4c41ab28ee4891103623a12fd41611",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
},
{
"lessThan": "0091dfa542a362c178a7e9393097138a57d327d1",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
},
{
"lessThan": "4b618248d2307a219d9431a730cfe1156c8e3386",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
},
{
"lessThan": "ee2cb3ddfdca949dbc0c3f796ed5a439f0efc9f6",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
},
{
"lessThan": "1badfc4319224820d5d890f8eab6aa52e4e83339",
"status": "affected",
"version": "73196ebe134d11a68a2e27814c489d685cfc8b03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: alps: fix NULL pointer dereference in alps_raw_event()\n\nCommit ecfa6f34492c (\"HID: Add HID_CLAIMED_INPUT guards in raw_event\ncallbacks missing them\") attempted to fix up the HID drivers that had\nmissed the previous fix that was done in 2ff5baa9b527 (\"HID: appleir:\nFix potential NULL dereference at raw event handle\"), but the alps\ndriver was missed.\n\nFix this up by properly checking in the hid-alps driver that it had been\nclaimed correctly before attempting to process the raw event."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:57:04.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8cc765253ad89ccc106a7bdeb5aeac6cf963078"
},
{
"url": "https://git.kernel.org/stable/c/8eed7bce7a4c41ab28ee4891103623a12fd41611"
},
{
"url": "https://git.kernel.org/stable/c/0091dfa542a362c178a7e9393097138a57d327d1"
},
{
"url": "https://git.kernel.org/stable/c/4b618248d2307a219d9431a730cfe1156c8e3386"
},
{
"url": "https://git.kernel.org/stable/c/ee2cb3ddfdca949dbc0c3f796ed5a439f0efc9f6"
},
{
"url": "https://git.kernel.org/stable/c/1badfc4319224820d5d890f8eab6aa52e4e83339"
}
],
"title": "HID: alps: fix NULL pointer dereference in alps_raw_event()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31625",
"datePublished": "2026-04-24T14:42:42.481Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T13:57:04.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31615 (GCVE-0-2026-31615)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
number from the host-supplied wIndex without any sort of validation.
Fix this up by validating the number of endpoints actually match up with
the number the device has before attempting to dereference a pointer
based on this math.
This is just like what was done in commit ee0d382feb44 ("usb: gadget:
aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < 1b2bfedccc4fb8c9572e1ea464f905424c91de2a (git) |
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < adb8014599fdf0818d3d93f1f74e06cd0bdec08d (git) |
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < 44216e3dd4455b798899b50eedb0ec3831dff8e0 (git) |
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < 37f430b2240655e6b0199a92aa1057e4d621be51 (git) |
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < e3d42598f2995cdc07b7779874e7c5f8a1b773db (git) |
| Linux | Linux | Affected: 746bfe63bba37ad55956b7377c9af494e7e28929 , < f880aac8a57ebd92abfa685d45424b2998ac1059 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/renesas_usb3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b2bfedccc4fb8c9572e1ea464f905424c91de2a",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
},
{
"lessThan": "adb8014599fdf0818d3d93f1f74e06cd0bdec08d",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
},
{
"lessThan": "44216e3dd4455b798899b50eedb0ec3831dff8e0",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
},
{
"lessThan": "37f430b2240655e6b0199a92aa1057e4d621be51",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
},
{
"lessThan": "e3d42598f2995cdc07b7779874e7c5f8a1b773db",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
},
{
"lessThan": "f880aac8a57ebd92abfa685d45424b2998ac1059",
"status": "affected",
"version": "746bfe63bba37ad55956b7377c9af494e7e28929",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/renesas_usb3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:53.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a"
},
{
"url": "https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d"
},
{
"url": "https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0"
},
{
"url": "https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51"
},
{
"url": "https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db"
},
{
"url": "https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059"
}
],
"title": "usb: gadget: renesas_usb3: validate endpoint index in standard request handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31615",
"datePublished": "2026-04-24T14:42:34.806Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-04-27T13:56:53.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31639 (GCVE-0-2026-31639)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-24 14:44
Title
rxrpc: Fix key reference count leak from call->key
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix key reference count leak from call->key
When creating a client call in rxrpc_alloc_client_call(), the code obtains
a reference to the key. This is never cleaned up and gets leaked when the
call is destroyed.
Fix this by freeing call->key in rxrpc_destroy_call().
Before the patch, it shows the key reference counter elevated:
$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$
After the patch, the invalidated key is removed when the code exits:
$ cat /proc/keys | grep afs@54321
$
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f3441d4125fc98995858550a5521b8d7daf0504a , < f1a7a3ab0f35f83cf11bba906b9e948cf3788c28 (git) |
| Linux | Linux | Affected: f3441d4125fc98995858550a5521b8d7daf0504a , < e6b7943c5dc875647499da09bf4d50a8557ab0c3 (git) |
| Linux | Linux | Affected: f3441d4125fc98995858550a5521b8d7daf0504a , < 2e6ef713b1598f6acd7f302fa6b12b6731c89914 (git) |
| Linux | Linux | Affected: f3441d4125fc98995858550a5521b8d7daf0504a , < 978108902ee4ef2b348ff7ec36ad014dc5bc6dc6 (git) |
| Linux | Linux | Affected: f3441d4125fc98995858550a5521b8d7daf0504a , < d666540d217e8d420544ebdfbadeedd623562733 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1a7a3ab0f35f83cf11bba906b9e948cf3788c28",
"status": "affected",
"version": "f3441d4125fc98995858550a5521b8d7daf0504a",
"versionType": "git"
},
{
"lessThan": "e6b7943c5dc875647499da09bf4d50a8557ab0c3",
"status": "affected",
"version": "f3441d4125fc98995858550a5521b8d7daf0504a",
"versionType": "git"
},
{
"lessThan": "2e6ef713b1598f6acd7f302fa6b12b6731c89914",
"status": "affected",
"version": "f3441d4125fc98995858550a5521b8d7daf0504a",
"versionType": "git"
},
{
"lessThan": "978108902ee4ef2b348ff7ec36ad014dc5bc6dc6",
"status": "affected",
"version": "f3441d4125fc98995858550a5521b8d7daf0504a",
"versionType": "git"
},
{
"lessThan": "d666540d217e8d420544ebdfbadeedd623562733",
"status": "affected",
"version": "f3441d4125fc98995858550a5521b8d7daf0504a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call-\u003ekey\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key. This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call-\u003ekey in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep afs@54321\n$"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:44:52.769Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1a7a3ab0f35f83cf11bba906b9e948cf3788c28"
},
{
"url": "https://git.kernel.org/stable/c/e6b7943c5dc875647499da09bf4d50a8557ab0c3"
},
{
"url": "https://git.kernel.org/stable/c/2e6ef713b1598f6acd7f302fa6b12b6731c89914"
},
{
"url": "https://git.kernel.org/stable/c/978108902ee4ef2b348ff7ec36ad014dc5bc6dc6"
},
{
"url": "https://git.kernel.org/stable/c/d666540d217e8d420544ebdfbadeedd623562733"
}
],
"title": "rxrpc: Fix key reference count leak from call-\u003ekey",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31639",
"datePublished": "2026-04-24T14:44:52.769Z",
"dateReserved": "2026-03-09T15:48:24.125Z",
"dateUpdated": "2026-04-24T14:44:52.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31585 (GCVE-0-2026-31585)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
media: vidtv: fix nfeeds state corruption on start_streaming failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the
nfeeds counter is left incremented even though no feed was actually
started. This corrupts the driver state: subsequent start_feed calls
see nfeeds > 1 and skip starting the mux, while stop_feed calls
eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux
and channel resources may be partially allocated during a failed
start_streaming but never cleaned up, as the stop path finds
dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping
the counter in sync with the actual number of active feeds.
[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
comm "syz.0.17", pid 6068, jiffies 4294944486
backtrace (crc 90a0c7d4):
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 17cb7957c979529cc98ff57f7ac331532f1f7c83 (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 98c22210aeadce67d9d20059f0dbbd01ba7fdbba (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 25f19e476ab15defe698504212899fdb9f7cd61b (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 4bf95f797edd63c93330eafb6d6e670982344b9b (git) |
| Linux | Linux | Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < a0e5a598fe9a4612b852406b51153b881592aede (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17cb7957c979529cc98ff57f7ac331532f1f7c83",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "98c22210aeadce67d9d20059f0dbbd01ba7fdbba",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "25f19e476ab15defe698504212899fdb9f7cd61b",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "4bf95f797edd63c93330eafb6d6e670982344b9b",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
},
{
"lessThan": "a0e5a598fe9a4612b852406b51153b881592aede",
"status": "affected",
"version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_bridge.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds \u003e 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb-\u003estreaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:31.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83"
},
{
"url": "https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"
},
{
"url": "https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b"
},
{
"url": "https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"
},
{
"url": "https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b"
},
{
"url": "https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede"
}
],
"title": "media: vidtv: fix nfeeds state corruption on start_streaming failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31585",
"datePublished": "2026-04-24T14:42:14.266Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T13:56:31.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31648 (GCVE-0-2026-31648)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I
encountered some very strange crash issues showing up as "Bad page state":
"
[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb
[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb
[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)
[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000
[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000
[ 734.496442] page dumped because: nonzero mapcount
"
After analyzing this page’s state, it is hard to understand why the
mapcount is not 0 while the refcount is 0, since this page is not where
the issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can
reproduce the crash as well and captured the first warning where the issue
appears:
"
[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0
[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 734.469315] memcg:ffff000807a8ec00
[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):"stress-ng-mmaptorture-9397-0-2736200540"
[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)
......
[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),
const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:
(struct folio *)_compound_head(page + nr_pages - 1))) != folio)
[ 734.469390] ------------[ cut here ]------------
[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,
CPU#90: stress-ng-mlock/9430
[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)
[ 734.469555] set_pte_range+0xd8/0x2f8
[ 734.469566] filemap_map_folio_range+0x190/0x400
[ 734.469579] filemap_map_pages+0x348/0x638
[ 734.469583] do_fault_around+0x140/0x198
......
[ 734.469640] el0t_64_sync+0x184/0x188
"
The code that triggers the warning is: "VM_WARN_ON_FOLIO(page_folio(page +
nr_pages - 1) != folio, folio)", which indicates that set_pte_range()
tried to map beyond the large folio’s size.
By adding more debug information, I found that 'nr_pages' had overflowed
in filemap_map_pages(), causing set_pte_range() to establish mappings for
a range exceeding the folio size, potentially corrupting fields of pages
that do not belong to this folio (e.g., page->_mapcount).
After above analysis, I think the possible race is as follows:
CPU 0                                                   CPU 1
filemap_map_pages()                                     ext4_setattr()
   //get and lock folio with old inode->i_size
   next_uptodate_folio()

                                                           .......
                                                           //shrink the inode->i_size
                                                           i_size_write(inode, attr->ia_size);

   //calculate the end_pgoff with the new inode->i_size
   file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;
   end_pgoff = min(end_pgoff, file_end);

   ......
   //nr_pages can be overflowed, cause xas.xa_index > end_pgoff
   end = folio_next_index(folio) - 1;
   nr_pages = min(end, end_pgoff) - xas.xa_index + 1;

   ......
   //map large folio
   filemap_map_folio_range()
                                                           ......
                                                           //truncate folios
                                                           truncate_pagecache(inode, inode->i_size);
To fix this issue, move the 'end_pgoff' calculation before
next_uptodate_folio(), so the retrieved folio stays consistent with the
file end to avoid
---truncated---
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fe601b70eac6cd266e8d7d55030e90a73ed0e339 , < 88591194df736a508dd5461ab2167a61e98caac1 (git) |
| Linux | Linux | Affected: 743a2753a02e805347969f6f89f38b736850d808 , < 633ab680c405ac390e6bec5b74aaf46197c837b6 (git) |
| Linux | Linux | Affected: 743a2753a02e805347969f6f89f38b736850d808 , < 576543bedd616254032d4ebe54a90076f9e31740 (git) |
| Linux | Linux | Affected: 743a2753a02e805347969f6f89f38b736850d808 , < 9316a820b9aae07d44469d6485376dad824c5b3f (git) |
| Linux | Linux | Affected: 743a2753a02e805347969f6f89f38b736850d808 , < f58df566524ebcdfa394329c64f47e3c9257516e (git) |
| Linux | Linux | Affected: 84ede15f27c06b111d1398dfa80b6fac4b135e34 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88591194df736a508dd5461ab2167a61e98caac1",
"status": "affected",
"version": "fe601b70eac6cd266e8d7d55030e90a73ed0e339",
"versionType": "git"
},
{
"lessThan": "633ab680c405ac390e6bec5b74aaf46197c837b6",
"status": "affected",
"version": "743a2753a02e805347969f6f89f38b736850d808",
"versionType": "git"
},
{
"lessThan": "576543bedd616254032d4ebe54a90076f9e31740",
"status": "affected",
"version": "743a2753a02e805347969f6f89f38b736850d808",
"versionType": "git"
},
{
"lessThan": "9316a820b9aae07d44469d6485376dad824c5b3f",
"status": "affected",
"version": "743a2753a02e805347969f6f89f38b736850d808",
"versionType": "git"
},
{
"lessThan": "f58df566524ebcdfa394329c64f47e3c9257516e",
"status": "affected",
"version": "743a2753a02e805347969f6f89f38b736850d808",
"versionType": "git"
},
{
"status": "affected",
"version": "84ede15f27c06b111d1398dfa80b6fac4b135e34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.159",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page\u2019s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] 
folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio\u2019s size.\n\nBy adding more debug information, I found that \u0027nr_pages\u0027 had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page-\u003e_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode-\u003ei_size\n next_uptodate_folio()\n\n .......\n //shrink the inode-\u003ei_size\n i_size_write(inode, attr-\u003eia_size);\n\n //calculate the end_pgoff with the new inode-\u003ei_size\n file_end = DIV_ROUND_UP(i_size_read(mapping-\u003ehost), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index \u003e end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode-\u003ei_size);\n\nTo fix this issue, move the \u0027end_pgoff\u0027 calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:41.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1"
},
{
"url": "https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6"
},
{
"url": "https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740"
},
{
"url": "https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f"
},
{
"url": "https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e"
}
],
"title": "mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31648",
"datePublished": "2026-04-24T14:45:01.728Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-04-27T14:04:41.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31588 (GCVE-0-2026-31588)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
KVM: x86: Use scratch field in MMIO fragment to hold small write values
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use scratch field in MMIO fragment to hold small write values
When exiting to userspace to service an emulated MMIO write, copy the
to-be-written value to a scratch field in the MMIO fragment if the size
of the data payload is 8 bytes or less, i.e. can fit in a single chunk,
instead of pointing the fragment directly at the source value.
This fixes a class of use-after-free bugs that occur when the emulator
initiates a write using an on-stack, local variable as the source, the
write splits a page boundary, *and* both pages are MMIO pages. Because
KVM's ABI only allows for physically contiguous MMIO requests, accesses
that split MMIO pages are separated into two fragments, and are sent to
userspace one at a time. When KVM attempts to complete userspace MMIO in
response to KVM_RUN after the first fragment, KVM will detect the second
fragment and generate a second userspace exit, and reference the on-stack
variable.
The issue is most visible if the second KVM_RUN is performed by a separate
task, in which case the stack of the initiating task can show up as truly
freed data.
==================================================================
BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420
Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984
CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace:
dump_stack+0xbe/0xfd
print_address_description.constprop.0+0x19/0x170
__kasan_report.cold+0x6c/0x84
kasan_report+0x3a/0x50
check_memory_region+0xfd/0x1f0
memcpy+0x20/0x60
complete_emulated_mmio+0x305/0x420
kvm_arch_vcpu_ioctl_run+0x63f/0x6d0
kvm_vcpu_ioctl+0x413/0xb20
__se_sys_ioctl+0x111/0x160
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
RIP: 0033:0x42477d
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c
R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720
The buggy address belongs to the page:
page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37
flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
The bug can also be reproduced with a targeted KVM-Unit-Test by hacking
KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by
overwriting the data value with garbage.
Limit the use of the scratch fields to 8-byte or smaller accesses, and to
just writes, as larger accesses and reads are not affected thanks to
implementation details in the emulator, but add a sanity check to ensure
those details don't change in the future. Specifically, KVM never uses
on-stack variables for accesses larger than 8 bytes, e.g. uses an operand
in the emulator context, and *al
---truncated---
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7 (git) |
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < b5a02d37eb0739f462fa12df449ab9b3480c783b (git) |
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < 22d2ff69d487a32a8b88f9c970120fc2daa08a77 (git) |
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < 2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e (git) |
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < 3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe (git) |
| Linux | Linux | Affected: f78146b0f9230765c6315b2e14f56112513389ad , < 0b16e69d17d8c35c5c9d5918bf596c75a44655d3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c",
"include/linux/kvm_host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
},
{
"lessThan": "b5a02d37eb0739f462fa12df449ab9b3480c783b",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
},
{
"lessThan": "22d2ff69d487a32a8b88f9c970120fc2daa08a77",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
},
{
"lessThan": "2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
},
{
"lessThan": "3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
},
{
"lessThan": "0b16e69d17d8c35c5c9d5918bf596c75a44655d3",
"status": "affected",
"version": "f78146b0f9230765c6315b2e14f56112513389ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c",
"include/linux/kvm_host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\n\nWhen exiting to userspace to service an emulated MMIO write, copy the\nto-be-written value to a scratch field in the MMIO fragment if the size\nof the data payload is 8 bytes or less, i.e. can fit in a single chunk,\ninstead of pointing the fragment directly at the source value.\n\nThis fixes a class of use-after-free bugs that occur when the emulator\ninitiates a write using an on-stack, local variable as the source, the\nwrite splits a page boundary, *and* both pages are MMIO pages. Because\nKVM\u0027s ABI only allows for physically contiguous MMIO requests, accesses\nthat split MMIO pages are separated into two fragments, and are sent to\nuserspace one at a time. When KVM attempts to complete userspace MMIO in\nresponse to KVM_RUN after the first fragment, KVM will detect the second\nfragment and generate a second userspace exit, and reference the on-stack\nvariable.\n\nThe issue is most visible if the second KVM_RUN is performed by a separate\ntask, in which case the stack of the initiating task can show up as truly\nfreed data.\n\n ==================================================================\n BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420\n Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984\n\n CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace:\n dump_stack+0xbe/0xfd\n print_address_description.constprop.0+0x19/0x170\n __kasan_report.cold+0x6c/0x84\n kasan_report+0x3a/0x50\n check_memory_region+0xfd/0x1f0\n memcpy+0x20/0x60\n complete_emulated_mmio+0x305/0x420\n kvm_arch_vcpu_ioctl_run+0x63f/0x6d0\n kvm_vcpu_ioctl+0x413/0xb20\n __se_sys_ioctl+0x111/0x160\n do_syscall_64+0x30/0x40\n 
entry_SYSCALL_64_after_hwframe+0x67/0xd1\n RIP: 0033:0x42477d\n Code: \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d\n RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005\n RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c\n R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720\n\n The buggy address belongs to the page:\n page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37\n flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n \u003effff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ==================================================================\n\nThe bug can also be reproduced with a targeted KVM-Unit-Test by hacking\nKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by\noverwrite the data value with garbage.\n\nLimit the use of the scratch fields to 8-byte or smaller accesses, and to\njust writes, as larger accesses and reads are not affected thanks to\nimplementation details in the emulator, but add a sanity check to ensure\nthose details don\u0027t change in the future. Specifically, KVM never uses\non-stack variables for accesses larger that 8 bytes, e.g. 
uses an operand\nin the emulator context, and *al\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:13.501Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7"
},
{
"url": "https://git.kernel.org/stable/c/b5a02d37eb0739f462fa12df449ab9b3480c783b"
},
{
"url": "https://git.kernel.org/stable/c/22d2ff69d487a32a8b88f9c970120fc2daa08a77"
},
{
"url": "https://git.kernel.org/stable/c/2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e"
},
{
"url": "https://git.kernel.org/stable/c/3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe"
},
{
"url": "https://git.kernel.org/stable/c/0b16e69d17d8c35c5c9d5918bf596c75a44655d3"
}
],
"title": "KVM: x86: Use scratch field in MMIO fragment to hold small write values",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31588",
"datePublished": "2026-04-24T14:42:16.288Z",
"dateReserved": "2026-03-09T15:48:24.120Z",
"dateUpdated": "2026-04-27T14:04:13.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31684 (GCVE-0-2026-31684)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:47 – Updated: 2026-04-27 13:57
Title
net: sched: act_csum: validate nested VLAN headers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_csum: validate nested VLAN headers
tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.
If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.
Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 , < eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2 (git) |
| Linux | Linux | Affected: 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 , < a69738efea0996d05a3c7d2178551b891744df1b (git) |
| Linux | Linux | Affected: 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 , < ec4930979b3f7bbeb7af5744599fc6603a4dba62 (git) |
| Linux | Linux | Affected: 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 , < 3d165d975305cf76ff0b10a3c798fb31e5f5f9a5 (git) |
| Linux | Linux | Affected: 2ecba2d1e45b24620a7c3df9531895cf68d5dec6 , < c842743d073bdd683606cb414eb0ca84465dd834 (git) |
| Linux | Linux | Affected: 3764bfae5056e95617b6ee074129297e11710886 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_csum.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2",
"status": "affected",
"version": "2ecba2d1e45b24620a7c3df9531895cf68d5dec6",
"versionType": "git"
},
{
"lessThan": "a69738efea0996d05a3c7d2178551b891744df1b",
"status": "affected",
"version": "2ecba2d1e45b24620a7c3df9531895cf68d5dec6",
"versionType": "git"
},
{
"lessThan": "ec4930979b3f7bbeb7af5744599fc6603a4dba62",
"status": "affected",
"version": "2ecba2d1e45b24620a7c3df9531895cf68d5dec6",
"versionType": "git"
},
{
"lessThan": "3d165d975305cf76ff0b10a3c798fb31e5f5f9a5",
"status": "affected",
"version": "2ecba2d1e45b24620a7c3df9531895cf68d5dec6",
"versionType": "git"
},
{
"lessThan": "c842743d073bdd683606cb414eb0ca84465dd834",
"status": "affected",
"version": "2ecba2d1e45b24620a7c3df9531895cf68d5dec6",
"versionType": "git"
},
{
"status": "affected",
"version": "3764bfae5056e95617b6ee074129297e11710886",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_csum.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_csum: validate nested VLAN headers\n\ntcf_csum_act() walks nested VLAN headers directly from skb-\u003edata when an\nskb still carries in-payload VLAN tags. The current code reads\nvlan-\u003eh_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without\nfirst ensuring that the full VLAN header is present in the linear area.\n\nIf only part of an inner VLAN header is linearized, accessing\nh_vlan_encapsulated_proto reads past the linear area, and the following\nskb_pull(VLAN_HLEN) may violate skb invariants.\n\nFix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and\npulling each nested VLAN header. If the header still is not fully\navailable, drop the packet through the existing error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:57:15.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2"
},
{
"url": "https://git.kernel.org/stable/c/a69738efea0996d05a3c7d2178551b891744df1b"
},
{
"url": "https://git.kernel.org/stable/c/ec4930979b3f7bbeb7af5744599fc6603a4dba62"
},
{
"url": "https://git.kernel.org/stable/c/3d165d975305cf76ff0b10a3c798fb31e5f5f9a5"
},
{
"url": "https://git.kernel.org/stable/c/c842743d073bdd683606cb414eb0ca84465dd834"
}
],
"title": "net: sched: act_csum: validate nested VLAN headers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31684",
"datePublished": "2026-04-25T08:47:01.555Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T13:57:15.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31651 (GCVE-0-2026-31651)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
mmc: vub300: fix NULL-deref on disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix NULL-deref on disconnect
Make sure to deregister the controller before dropping the reference to
the driver data on disconnect to avoid NULL-pointer dereferences or
use-after-free.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < 6446516e626ce7c44bdadbcbb3d7677a2c52ce93 (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < ba3b9429de94958dc0060d9816a915dd75c34919 (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < 517b58e1d067115f80d198feee10192da4c424d0 (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < 6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < 53f2642d77ab5f1f303388bff5500363c6cf962c (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < c83a282615d8f7ba28cebddd54600b419d562d82 (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < 8d09e75759cb2afc0732acfb5a14a93c03805a61 (git) |
| Linux | Linux | Affected: 88095e7b473a3d9ec3b9c60429576e9cbd327c89 , < dff34ef879c5e73298443956a8b391311ba78d57 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/vub300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6446516e626ce7c44bdadbcbb3d7677a2c52ce93",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "ba3b9429de94958dc0060d9816a915dd75c34919",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "517b58e1d067115f80d198feee10192da4c424d0",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "53f2642d77ab5f1f303388bff5500363c6cf962c",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "c83a282615d8f7ba28cebddd54600b419d562d82",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "8d09e75759cb2afc0732acfb5a14a93c03805a61",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
},
{
"lessThan": "dff34ef879c5e73298443956a8b391311ba78d57",
"status": "affected",
"version": "88095e7b473a3d9ec3b9c60429576e9cbd327c89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/vub300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:03.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93"
},
{
"url": "https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919"
},
{
"url": "https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0"
},
{
"url": "https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a"
},
{
"url": "https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c"
},
{
"url": "https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82"
},
{
"url": "https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61"
},
{
"url": "https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57"
}
],
"title": "mmc: vub300: fix NULL-deref on disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31651",
"datePublished": "2026-04-24T14:45:03.905Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-04-24T14:45:03.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43033 (GCVE-0-2026-43033)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
Title
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Thanks,
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 8c62f618576519dbed6816fafc623ce592953025 (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < d589abd8b019b07075fda255ceab8c8e950cdb3f (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5 (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < d0c4ff6812386880f30bc64c2921299cc4d7b47f (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 89fe118b6470119b20c04afc36e45b81a69ea11f (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < 153d5520c3f9fd62e71c7e7f9e34b59cf411e555 (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < cded4002d22177e8deaca1f257ecd932c9582b6b (git) |
| Linux | Linux | Affected: 104880a6b470958ddc30e139c41aa4f6ed3a5234 , < e02494114ebf7c8b42777c6cd6982f113bfdbec7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c62f618576519dbed6816fafc623ce592953025",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d589abd8b019b07075fda255ceab8c8e950cdb3f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "d0c4ff6812386880f30bc64c2921299cc4d7b47f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "89fe118b6470119b20c04afc36e45b81a69ea11f",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "153d5520c3f9fd62e71c7e7f9e34b59cf411e555",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "cded4002d22177e8deaca1f257ecd932c9582b6b",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
},
{
"lessThan": "e02494114ebf7c8b42777c6cd6982f113bfdbec7",
"status": "affected",
"version": "104880a6b470958ddc30e139c41aa4f6ed3a5234",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/authencesn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:15.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c62f618576519dbed6816fafc623ce592953025"
},
{
"url": "https://git.kernel.org/stable/c/d589abd8b019b07075fda255ceab8c8e950cdb3f"
},
{
"url": "https://git.kernel.org/stable/c/5466e7d0cd9e4f9cef9d8f18f18b60e7bc1c77e5"
},
{
"url": "https://git.kernel.org/stable/c/d0c4ff6812386880f30bc64c2921299cc4d7b47f"
},
{
"url": "https://git.kernel.org/stable/c/89fe118b6470119b20c04afc36e45b81a69ea11f"
},
{
"url": "https://git.kernel.org/stable/c/153d5520c3f9fd62e71c7e7f9e34b59cf411e555"
},
{
"url": "https://git.kernel.org/stable/c/cded4002d22177e8deaca1f257ecd932c9582b6b"
},
{
"url": "https://git.kernel.org/stable/c/e02494114ebf7c8b42777c6cd6982f113bfdbec7"
}
],
"title": "crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43033",
"datePublished": "2026-05-01T14:15:32.583Z",
"dateReserved": "2026-05-01T14:12:55.977Z",
"dateUpdated": "2026-05-03T05:46:15.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31698 (GCVE-0-2026-31698)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-05-03 05:45
Title
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
When retrieving the PDH cert, don't attempt to copy the blobs to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < b5c14bd4da1f376f385722fe1da993f1edab6472 (git) |
| Linux | Linux | Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf (git) |
| Linux | Linux | Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 051e51aa55fd4cdc3e8283cf4476aeeb5f563274 (git) |
| Linux | Linux | Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < 50808c13452dae43a2c90b1bbbf9daa16501ce70 (git) |
| Linux | Linux | Affected: 76a2b524a4b1d6dc0f2421f9854a01d55d5e5436 , < e76239fed3cffd6d304d8ca3ce23984fd24f57d3 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5c14bd4da1f376f385722fe1da993f1edab6472",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "051e51aa55fd4cdc3e8283cf4476aeeb5f563274",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "50808c13452dae43a2c90b1bbbf9daa16501ce70",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
},
{
"lessThan": "e76239fed3cffd6d304d8ca3ce23984fd24f57d3",
"status": "affected",
"version": "76a2b524a4b1d6dc0f2421f9854a01d55d5e5436",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don\u0027t attempt to copy the blobs to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. 
Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:23.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472"
},
{
"url": "https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf"
},
{
"url": "https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274"
},
{
"url": "https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70"
},
{
"url": "https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy PDH cert to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31698",
"datePublished": "2026-05-01T13:55:58.854Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-03T05:45:23.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31721 (GCVE-0-2026-31721)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-02 06:14
Title
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL
When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
within remove_wait_queue (via ep_remove_wait_queue). After some
debugging I found out that the queues, which f_hid registers via
poll_wait were the problem. These were initialized using
init_waitqueue_head inside hidg_bind. So effectively, the bind function
re-initialized the queues while there were still items in them.
The solution is to move the initialization from hidg_bind to hidg_alloc
to extend their lifetimes to the lifetime of the function instance.
Additionally, I found many other possibly problematic init calls in the
bind function, which I moved as well.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 13440c0db227c5db01da751ed966dde4cdd2ea18 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < de93e0862169b5539e00c2b9980b93fd80c37c0d (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 81aee4500055876883658b024b6fb61801afe134 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 8ec6a58586f195a88479edcdb0b8027c39f12d03 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < f7d00ee1c8082c8a134340aaf16d71a27e29c362 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 5d1bb391ceeebb28327703dd07af8c6324af298f (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 26a879a41ed960b3fb4ec773ef2788c515c0e488 (git) |
| Linux | Linux | Affected: cb382536052fcc7713988869b54a81137069e5a9 , < 4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13440c0db227c5db01da751ed966dde4cdd2ea18",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "de93e0862169b5539e00c2b9980b93fd80c37c0d",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "81aee4500055876883658b024b6fb61801afe134",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "8ec6a58586f195a88479edcdb0b8027c39f12d03",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "f7d00ee1c8082c8a134340aaf16d71a27e29c362",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "5d1bb391ceeebb28327703dd07af8c6324af298f",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "26a879a41ed960b3fb4ec773ef2788c515c0e488",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
},
{
"lessThan": "4e0a88254ad59f6c53a34bf5fa241884ec09e8b2",
"status": "affected",
"version": "cb382536052fcc7713988869b54a81137069e5a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_hid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: move list and spinlock inits from bind to alloc\n\nThere was an issue when you did the following:\n- setup and bind an hid gadget\n- open /dev/hidg0\n- use the resulting fd in EPOLL_CTL_ADD\n- unbind the UDC\n- bind the UDC\n- use the fd in EPOLL_CTL_DEL\n\nWhen CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported\nwithin remove_wait_queue (via ep_remove_wait_queue). After some\ndebugging I found out that the queues, which f_hid registers via\npoll_wait were the problem. These were initialized using\ninit_waitqueue_head inside hidg_bind. So effectively, the bind function\nre-initialized the queues while there were still items in them.\n\nThe solution is to move the initialization from hidg_bind to hidg_alloc\nto extend their lifetimes to the lifetime of the function instance.\n\nAdditionally, I found many other possibly problematic init calls in the\nbind function, which I moved as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:22.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18"
},
{
"url": "https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d"
},
{
"url": "https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134"
},
{
"url": "https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03"
},
{
"url": "https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362"
},
{
"url": "https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f"
},
{
"url": "https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488"
},
{
"url": "https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2"
}
],
"title": "usb: gadget: f_hid: move list and spinlock inits from bind to alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31721",
"datePublished": "2026-05-01T14:14:23.492Z",
"dateReserved": "2026-03-09T15:48:24.134Z",
"dateUpdated": "2026-05-02T06:14:22.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31705 (GCVE-0-2026-31705)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-03 05:45
Title
ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
smb2_get_ea() applies 4-byte alignment padding via memset() after
writing each EA entry. The bounds check on buf_free_len is performed
before the value memcpy, but the alignment memset fires unconditionally
afterward with no check on remaining space.
When the EA value exactly fills the remaining buffer (buf_free_len == 0
after value subtraction), the alignment memset writes 1-3 NUL bytes
past the buf_free_len boundary. In compound requests where the response
buffer is shared across commands, the first command (e.g., READ) can
consume most of the buffer, leaving a tight remainder for the QUERY_INFO
EA response. The alignment memset then overwrites past the physical
kvmalloc allocation into adjacent kernel heap memory.
Add a bounds check before the alignment memset to ensure buf_free_len
can accommodate the padding bytes.
This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix
potencial OOB in get_file_all_info() for compound requests") and
commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound
requests"), both of which added bounds checks before unconditional
writes in QUERY_INFO response handlers.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < ffbce350c6fd1e99116ea57383b9031717e36d3b (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 98f3de6ef4efbd899348d333f0902dc4ff14380c (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 790304c02bf9bd7b8171feda4294d6e62d32ae8f (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 922d48fe8c19f388ffa2f709f33acaae4e408de2 (git) |
| Linux | Linux | Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 30010c952077a1c89ecdd71fc4d574c75a8f5617 (git) |
| Linux | Linux | Affected: f2283680a80571ca82d710bc6ecd8f8beac67d63 (git) |
| Linux | Linux | Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ffbce350c6fd1e99116ea57383b9031717e36d3b",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "98f3de6ef4efbd899348d333f0902dc4ff14380c",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "790304c02bf9bd7b8171feda4294d6e62d32ae8f",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "922d48fe8c19f388ffa2f709f33acaae4e408de2",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "30010c952077a1c89ecdd71fc4d574c75a8f5617",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:28.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b"
},
{
"url": "https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c"
},
{
"url": "https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f"
},
{
"url": "https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2"
},
{
"url": "https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617"
}
],
"title": "ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31705",
"datePublished": "2026-05-01T13:56:03.896Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-03T05:45:28.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31672 (GCVE-0-2026-31672)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
wifi: rt2x00usb: fix devres lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00usb: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the USB anchor lifetime so that it is released on driver unbind.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < 64a457f6afbf15f984d95201a9a1e71eed3f9dd1 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < 65518a6965d527c53013947031f26754f6a4f6af (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < 15b233e33b35b927bd8d0044c15325564ea1ba24 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < 1de5c76bf40e9cdeebf54662f63011fb10fa452f (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < b245db719bc7e57abf48bd5701662b270c3880f7 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < e360d15fcb1e819eef49e3d4434d8050542eed16 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < c99f198841b41735796e2ddfcd573783fb552eb9 (git) |
| Linux | Linux | Affected: 8b4c0009313f3d42e2540e3e1f776097dd0db73d , < 25369b22223d1c56e42a0cd4ac9137349d5a898e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64a457f6afbf15f984d95201a9a1e71eed3f9dd1",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "65518a6965d527c53013947031f26754f6a4f6af",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "15b233e33b35b927bd8d0044c15325564ea1ba24",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "1de5c76bf40e9cdeebf54662f63011fb10fa452f",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "b245db719bc7e57abf48bd5701662b270c3880f7",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "e360d15fcb1e819eef49e3d4434d8050542eed16",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "c99f198841b41735796e2ddfcd573783fb552eb9",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
},
{
"lessThan": "25369b22223d1c56e42a0cd4ac9137349d5a898e",
"status": "affected",
"version": "8b4c0009313f3d42e2540e3e1f776097dd0db73d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00usb: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the USB anchor lifetime so that it is released on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:19.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64a457f6afbf15f984d95201a9a1e71eed3f9dd1"
},
{
"url": "https://git.kernel.org/stable/c/65518a6965d527c53013947031f26754f6a4f6af"
},
{
"url": "https://git.kernel.org/stable/c/15b233e33b35b927bd8d0044c15325564ea1ba24"
},
{
"url": "https://git.kernel.org/stable/c/1de5c76bf40e9cdeebf54662f63011fb10fa452f"
},
{
"url": "https://git.kernel.org/stable/c/b245db719bc7e57abf48bd5701662b270c3880f7"
},
{
"url": "https://git.kernel.org/stable/c/e360d15fcb1e819eef49e3d4434d8050542eed16"
},
{
"url": "https://git.kernel.org/stable/c/c99f198841b41735796e2ddfcd573783fb552eb9"
},
{
"url": "https://git.kernel.org/stable/c/25369b22223d1c56e42a0cd4ac9137349d5a898e"
}
],
"title": "wifi: rt2x00usb: fix devres lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31672",
"datePublished": "2026-04-24T14:45:19.725Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-24T14:45:19.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31626 (GCVE-0-2026-31626)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using
uninitialized data.
Smatch warns that only 6 bytes are copied to this 8-byte (u64)
variable, leaving the last two bytes uninitialized:
drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()
warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
Initializing the variable at the start of the function fixes this
warning and ensures predictable behavior.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c65ee4d3be5df395e48afbcd0946dd5fce4338a9 (git) |
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d5b8f5f8d6fc09a8af5ed139c688660f578ed732 (git) |
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < b487a7754d874230299d5a9c2710ec4df8b2ed8a (git) |
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c2026c6b603ebec52f55015496703fe79077accf (git) |
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < ef74ce5f0bc0e53ce702d8a794f3957884a26efc (git) |
| Linux | Linux | Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 8c964b82a4e97ec7f25e17b803ee196009b38a57 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c65ee4d3be5df395e48afbcd0946dd5fce4338a9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d5b8f5f8d6fc09a8af5ed139c688660f578ed732",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "b487a7754d874230299d5a9c2710ec4df8b2ed8a",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "c2026c6b603ebec52f55015496703fe79077accf",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "ef74ce5f0bc0e53ce702d8a794f3957884a26efc",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "8c964b82a4e97ec7f25e17b803ee196009b38a57",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_security.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for \u0027\u0026le_tmp64\u0027 (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:27.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c65ee4d3be5df395e48afbcd0946dd5fce4338a9"
},
{
"url": "https://git.kernel.org/stable/c/d5b8f5f8d6fc09a8af5ed139c688660f578ed732"
},
{
"url": "https://git.kernel.org/stable/c/b487a7754d874230299d5a9c2710ec4df8b2ed8a"
},
{
"url": "https://git.kernel.org/stable/c/c2026c6b603ebec52f55015496703fe79077accf"
},
{
"url": "https://git.kernel.org/stable/c/ef74ce5f0bc0e53ce702d8a794f3957884a26efc"
},
{
"url": "https://git.kernel.org/stable/c/8c964b82a4e97ec7f25e17b803ee196009b38a57"
}
],
"title": "staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31626",
"datePublished": "2026-04-24T14:42:47.493Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T14:04:27.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31638 (GCVE-0-2026-31638)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-27 14:04
Title
rxrpc: Only put the call ref if one was acquired
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Only put the call ref if one was acquired
rxrpc_input_packet_on_conn() can process a to-client packet after the
current client call on the channel has already been torn down. In that
case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is
no reference to drop.
The client-side implicit-end error path does not account for that and
unconditionally calls rxrpc_put_call(). This turns a protocol error
path into a kernel crash instead of rejecting the packet.
Only drop the call reference if one was actually acquired. Keep the
existing protocol error handling unchanged.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5e6ef4f1017c7f844e305283bbd8875af475e2fc , < b8f66447448d6c305a51413a67ec8ed26aa7d1dd (git) |
| Linux | Linux | Affected: 5e6ef4f1017c7f844e305283bbd8875af475e2fc , < 0c156aff8a2d4fa0d61db7837641975cf0e5452d (git) |
| Linux | Linux | Affected: 5e6ef4f1017c7f844e305283bbd8875af475e2fc , < 8299ca146489664e3c0c90a3b8900d8335b1ede4 (git) |
| Linux | Linux | Affected: 5e6ef4f1017c7f844e305283bbd8875af475e2fc , < 9fb09861e2b8d1abfe2efaf260c9f1d30080ea38 (git) |
| Linux | Linux | Affected: 5e6ef4f1017c7f844e305283bbd8875af475e2fc , < 6331f1b24a3e85465f6454e003a3e6c22005a5c5 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/io_thread.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8f66447448d6c305a51413a67ec8ed26aa7d1dd",
"status": "affected",
"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc",
"versionType": "git"
},
{
"lessThan": "0c156aff8a2d4fa0d61db7837641975cf0e5452d",
"status": "affected",
"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc",
"versionType": "git"
},
{
"lessThan": "8299ca146489664e3c0c90a3b8900d8335b1ede4",
"status": "affected",
"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc",
"versionType": "git"
},
{
"lessThan": "9fb09861e2b8d1abfe2efaf260c9f1d30080ea38",
"status": "affected",
"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc",
"versionType": "git"
},
{
"lessThan": "6331f1b24a3e85465f6454e003a3e6c22005a5c5",
"status": "affected",
"version": "5e6ef4f1017c7f844e305283bbd8875af475e2fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/io_thread.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down. In that\ncase chan-\u003ecall is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call(). This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired. Keep the\nexisting protocol error handling unchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:37.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8f66447448d6c305a51413a67ec8ed26aa7d1dd"
},
{
"url": "https://git.kernel.org/stable/c/0c156aff8a2d4fa0d61db7837641975cf0e5452d"
},
{
"url": "https://git.kernel.org/stable/c/8299ca146489664e3c0c90a3b8900d8335b1ede4"
},
{
"url": "https://git.kernel.org/stable/c/9fb09861e2b8d1abfe2efaf260c9f1d30080ea38"
},
{
"url": "https://git.kernel.org/stable/c/6331f1b24a3e85465f6454e003a3e6c22005a5c5"
}
],
"title": "rxrpc: Only put the call ref if one was acquired",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31638",
"datePublished": "2026-04-24T14:44:52.122Z",
"dateReserved": "2026-03-09T15:48:24.125Z",
"dateUpdated": "2026-04-27T14:04:37.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31642 (GCVE-0-2026-31642)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:44 – Updated: 2026-04-24 14:44
Title
rxrpc: Fix call removal to use RCU safe deletion
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix call removal to use RCU safe deletion
Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
rather than list_del_init() to prevent stuffing up reading
/proc/net/rxrpc/calls from potentially getting into an infinite loop.
This, however, means that list_empty() no longer works on an entry that's
been deleted from the list, making it harder to detect prior deletion. Fix
this by:
Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that
are unexpectedly still on the list. Limiting the number of steps means
there's no need to call cond_resched() or to remove calls from the list
here, thereby eliminating the need for rxrpc_put_call() to check for that.
rxrpc_put_call() can then be fixed to unconditionally delete the call from
the list as it is the only place that the deletion occurs.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2baec2c3f854d1f79c7bb28386484e144e864a14 , < 93fc15be44a35b8e3c58d0238ac0d9b7c53465ff (git) |
| Linux | Linux | Affected: 2baec2c3f854d1f79c7bb28386484e144e864a14 , < c63abf25203b50243fe228090526f9dbf37727bd (git) |
| Linux | Linux | Affected: 2baec2c3f854d1f79c7bb28386484e144e864a14 , < 3be718f659683ad89fad6f1eb66bee99727cae64 (git) |
| Linux | Linux | Affected: 2baec2c3f854d1f79c7bb28386484e144e864a14 , < ac5f54691be06a32246179d41be2d73598036deb (git) |
| Linux | Linux | Affected: 2baec2c3f854d1f79c7bb28386484e144e864a14 , < 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/call_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93fc15be44a35b8e3c58d0238ac0d9b7c53465ff",
"status": "affected",
"version": "2baec2c3f854d1f79c7bb28386484e144e864a14",
"versionType": "git"
},
{
"lessThan": "c63abf25203b50243fe228090526f9dbf37727bd",
"status": "affected",
"version": "2baec2c3f854d1f79c7bb28386484e144e864a14",
"versionType": "git"
},
{
"lessThan": "3be718f659683ad89fad6f1eb66bee99727cae64",
"status": "affected",
"version": "2baec2c3f854d1f79c7bb28386484e144e864a14",
"versionType": "git"
},
{
"lessThan": "ac5f54691be06a32246179d41be2d73598036deb",
"status": "affected",
"version": "2baec2c3f854d1f79c7bb28386484e144e864a14",
"versionType": "git"
},
{
"lessThan": "146d4ab94cf129ee06cd467cb5c71368a6b5bad6",
"status": "affected",
"version": "2baec2c3f854d1f79c7bb28386484e144e864a14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/rxrpc.h",
"net/rxrpc/call_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call removal to use RCU safe deletion\n\nFix rxrpc call removal from the rxnet-\u003ecalls list to use list_del_rcu()\nrather than list_del_init() to prevent stuffing up reading\n/proc/net/rxrpc/calls from potentially getting into an infinite loop.\n\nThis, however, means that list_empty() no longer works on an entry that\u0027s\nbeen deleted from the list, making it harder to detect prior deletion. Fix\nthis by:\n\nFirstly, make rxrpc_destroy_all_calls() only dump the first ten calls that\nare unexpectedly still on the list. Limiting the number of steps means\nthere\u0027s no need to call cond_resched() or to remove calls from the list\nhere, thereby eliminating the need for rxrpc_put_call() to check for that.\n\nrxrpc_put_call() can then be fixed to unconditionally delete the call from\nthe list as it is the only place that the deletion occurs."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:44:56.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93fc15be44a35b8e3c58d0238ac0d9b7c53465ff"
},
{
"url": "https://git.kernel.org/stable/c/c63abf25203b50243fe228090526f9dbf37727bd"
},
{
"url": "https://git.kernel.org/stable/c/3be718f659683ad89fad6f1eb66bee99727cae64"
},
{
"url": "https://git.kernel.org/stable/c/ac5f54691be06a32246179d41be2d73598036deb"
},
{
"url": "https://git.kernel.org/stable/c/146d4ab94cf129ee06cd467cb5c71368a6b5bad6"
}
],
"title": "rxrpc: Fix call removal to use RCU safe deletion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31642",
"datePublished": "2026-04-24T14:44:56.888Z",
"dateReserved": "2026-03-09T15:48:24.127Z",
"dateUpdated": "2026-04-24T14:44:56.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31430 (GCVE-0-2026-31430)
Vulnerability from cvelistv5 – Published: 2026-04-20 09:43 – Updated: 2026-04-20 09:43
Title
X.509: Fix out-of-bounds access when parsing extensions
Summary
In the Linux kernel, the following vulnerability has been resolved:
X.509: Fix out-of-bounds access when parsing extensions
Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 30eae2b037af54b24109dcaea21db46f6285c69b , < 672b526def1f94c1be8eb11b885b803da0d8c2f1 (git) |
| Linux | Linux | Affected: 30eae2b037af54b24109dcaea21db46f6285c69b , < 30ab358fad0c7daa1d282ec48089901b21b36a20 (git) |
| Linux | Linux | Affected: 30eae2b037af54b24109dcaea21db46f6285c69b , < 206121294b9cf27f0589857f80d64f87e496ffb2 (git) |
| Linux | Linux | Affected: 30eae2b037af54b24109dcaea21db46f6285c69b , < 7fb4dadc2734f4020d7543d688b8d49c8e569c61 (git) |
| Linux | Linux | Affected: 30eae2b037af54b24109dcaea21db46f6285c69b , < d702c3408213bb12bd570bb97204d8340d141c51 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/x509_cert_parser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "672b526def1f94c1be8eb11b885b803da0d8c2f1",
"status": "affected",
"version": "30eae2b037af54b24109dcaea21db46f6285c69b",
"versionType": "git"
},
{
"lessThan": "30ab358fad0c7daa1d282ec48089901b21b36a20",
"status": "affected",
"version": "30eae2b037af54b24109dcaea21db46f6285c69b",
"versionType": "git"
},
{
"lessThan": "206121294b9cf27f0589857f80d64f87e496ffb2",
"status": "affected",
"version": "30eae2b037af54b24109dcaea21db46f6285c69b",
"versionType": "git"
},
{
"lessThan": "7fb4dadc2734f4020d7543d688b8d49c8e569c61",
"status": "affected",
"version": "30eae2b037af54b24109dcaea21db46f6285c69b",
"versionType": "git"
},
{
"lessThan": "d702c3408213bb12bd570bb97204d8340d141c51",
"status": "affected",
"version": "30eae2b037af54b24109dcaea21db46f6285c69b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/x509_cert_parser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nX.509: Fix out-of-bounds access when parsing extensions\n\nLeo reports an out-of-bounds access when parsing a certificate with\nempty Basic Constraints or Key Usage extension because the first byte of\nthe extension is read before checking its length. Fix it.\n\nThe bug can be triggered by an unprivileged user by submitting a\nspecially crafted certificate to the kernel through the keyrings(7) API.\nLeo has demonstrated this with a proof-of-concept program responsibly\ndisclosed off-list."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T09:43:03.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/672b526def1f94c1be8eb11b885b803da0d8c2f1"
},
{
"url": "https://git.kernel.org/stable/c/30ab358fad0c7daa1d282ec48089901b21b36a20"
},
{
"url": "https://git.kernel.org/stable/c/206121294b9cf27f0589857f80d64f87e496ffb2"
},
{
"url": "https://git.kernel.org/stable/c/7fb4dadc2734f4020d7543d688b8d49c8e569c61"
},
{
"url": "https://git.kernel.org/stable/c/d702c3408213bb12bd570bb97204d8340d141c51"
}
],
"title": "X.509: Fix out-of-bounds access when parsing extensions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31430",
"datePublished": "2026-04-20T09:43:03.919Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-04-20T09:43:03.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31618 (GCVE-0-2026-31618)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 859a239d58a812b61267d9944b701affe6a6244e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 53cb4e79a07124d2ebe502983c29800104080b47 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fc386daa6846551a88d338ba9864fc2812cd9030 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6567d3e1aaadfebf44ce7dc9ea2630323cd4c736 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 63dfb0b4741f46d65b667c4275132b3d1966acc8 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/tdfxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "859a239d58a812b61267d9944b701affe6a6244e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "53cb4e79a07124d2ebe502983c29800104080b47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fc386daa6846551a88d338ba9864fc2812cd9030",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6567d3e1aaadfebf44ce7dc9ea2630323cd4c736",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "63dfb0b4741f46d65b667c4275132b3d1966acc8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8f98b81fe011e1879e6a7b1247e69e06a5e17af2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/tdfxfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:58.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/859a239d58a812b61267d9944b701affe6a6244e"
},
{
"url": "https://git.kernel.org/stable/c/53cb4e79a07124d2ebe502983c29800104080b47"
},
{
"url": "https://git.kernel.org/stable/c/fc386daa6846551a88d338ba9864fc2812cd9030"
},
{
"url": "https://git.kernel.org/stable/c/6567d3e1aaadfebf44ce7dc9ea2630323cd4c736"
},
{
"url": "https://git.kernel.org/stable/c/63dfb0b4741f46d65b667c4275132b3d1966acc8"
},
{
"url": "https://git.kernel.org/stable/c/8f98b81fe011e1879e6a7b1247e69e06a5e17af2"
}
],
"title": "fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31618",
"datePublished": "2026-04-24T14:42:37.173Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-04-27T13:56:58.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31596 (GCVE-0-2026-31596)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
ocfs2: handle invalid dinode in ocfs2_group_extend
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: handle invalid dinode in ocfs2_group_extend
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
...
ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block
returned from ocfs2_inode_lock() has already been validated and
BUG_ONs when the signature is not a dinode. That assumption is too
strong for crafted filesystems because the JBD2-managed buffer path
can bypass structural validation and return an invalid dinode to the
resize ioctl.
[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global
bitmap buffer does not contain a valid dinode, report filesystem
corruption with ocfs2_error() and fail the resize operation instead of
crashing the kernel.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 6575f9fbf084502b7118a628425bf7866666498d (git) |
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 911b557dd7817460881fd51a03069b539c674d0e (git) |
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < e384a850a3370d89a7a446cdeccd964bfba2a302 (git) |
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 10fb72c47aac446f12a4ccd962c7daa60cc890a1 (git) |
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 41c6e9bc3a09539deab43957a3211d902a4818f0 (git) |
| Linux | Linux | Affected: 10995aa2451afa20b721cc7de856cae1a13dba57 , < 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6575f9fbf084502b7118a628425bf7866666498d",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "911b557dd7817460881fd51a03069b539c674d0e",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "e384a850a3370d89a7a446cdeccd964bfba2a302",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "10fb72c47aac446f12a4ccd962c7daa60cc890a1",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "41c6e9bc3a09539deab43957a3211d902a4818f0",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
},
{
"lessThan": "4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f",
"status": "affected",
"version": "10995aa2451afa20b721cc7de856cae1a13dba57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/resize.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle invalid dinode in ocfs2_group_extend\n\n[BUG]\nkernel BUG at fs/ocfs2/resize.c:308!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308\nCode: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe\nCall Trace:\n ...\n ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583\n x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\n[CAUSE]\nocfs2_group_extend() assumes that the global bitmap inode block\nreturned from ocfs2_inode_lock() has already been validated and\nBUG_ONs when the signature is not a dinode. That assumption is too\nstrong for crafted filesystems because the JBD2-managed buffer path\ncan bypass structural validation and return an invalid dinode to the\nresize ioctl.\n\n[FIX]\nValidate the dinode explicitly in ocfs2_group_extend(). If the global\nbitmap buffer does not contain a valid dinode, report filesystem\ncorruption with ocfs2_error() and fail the resize operation instead of\ncrashing the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:39.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6575f9fbf084502b7118a628425bf7866666498d"
},
{
"url": "https://git.kernel.org/stable/c/911b557dd7817460881fd51a03069b539c674d0e"
},
{
"url": "https://git.kernel.org/stable/c/e384a850a3370d89a7a446cdeccd964bfba2a302"
},
{
"url": "https://git.kernel.org/stable/c/10fb72c47aac446f12a4ccd962c7daa60cc890a1"
},
{
"url": "https://git.kernel.org/stable/c/41c6e9bc3a09539deab43957a3211d902a4818f0"
},
{
"url": "https://git.kernel.org/stable/c/4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f"
}
],
"title": "ocfs2: handle invalid dinode in ocfs2_group_extend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31596",
"datePublished": "2026-04-24T14:42:22.003Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-27T13:56:39.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31708 (GCVE-0-2026-31708)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-03 05:45
Title
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.
A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.
Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
Severity
8.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f5778c398713692a16150ae96e5c8270bab8399f , < a34d456934fe42e4da5d2cc07787bf418bee99c6 (git)<br>Affected: f5778c398713692a16150ae96e5c8270bab8399f , < ac2f14e4705d020f04e806efa0d49ab8dc2b145f (git)<br>Affected: f5778c398713692a16150ae96e5c8270bab8399f , < 078fae8f50adebb903ccf2252b44391324571e78 (git)<br>Affected: f5778c398713692a16150ae96e5c8270bab8399f , < 85fd46ee26a11841c670449508025965f61ce131 (git)<br>Affected: f5778c398713692a16150ae96e5c8270bab8399f , < a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a34d456934fe42e4da5d2cc07787bf418bee99c6",
"status": "affected",
"version": "f5778c398713692a16150ae96e5c8270bab8399f",
"versionType": "git"
},
{
"lessThan": "ac2f14e4705d020f04e806efa0d49ab8dc2b145f",
"status": "affected",
"version": "f5778c398713692a16150ae96e5c8270bab8399f",
"versionType": "git"
},
{
"lessThan": "078fae8f50adebb903ccf2252b44391324571e78",
"status": "affected",
"version": "f5778c398713692a16150ae96e5c8270bab8399f",
"versionType": "git"
},
{
"lessThan": "85fd46ee26a11841c670449508025965f61ce131",
"status": "affected",
"version": "f5778c398713692a16150ae96e5c8270bab8399f",
"versionType": "git"
},
{
"lessThan": "a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e",
"status": "affected",
"version": "f5778c398713692a16150ae96e5c8270bab8399f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path\n\nsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL\nand the default QUERY_INFO path. The QUERY_INFO branch clamps\nqi.input_buffer_length to the server-reported OutputBufferLength and then\ncopies qi.input_buffer_length bytes from qi_rsp-\u003eBuffer to userspace, but\nit never verifies that the flexible-array payload actually fits within\nrsp_iov[1].iov_len.\n\nA malicious server can return OutputBufferLength larger than the actual\nQUERY_INFO response, causing copy_to_user() to walk past the response\nbuffer and expose adjacent kernel heap to userspace.\n\nGuard the QUERY_INFO copy with a bounds check on the actual Buffer\npayload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)\nrather than an open-coded addition so the guard cannot overflow on\n32-bit builds."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:31.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6"
},
{
"url": "https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f"
},
{
"url": "https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78"
},
{
"url": "https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131"
},
{
"url": "https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e"
}
],
"title": "smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31708",
"datePublished": "2026-05-01T13:56:05.880Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-03T05:45:31.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31612 (GCVE-0-2026-31612)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
ksmbd: validate EaNameLength in smb2_get_ea()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate EaNameLength in smb2_get_ea()
smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.
Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 4b73376feecb3b61172fe5b4ff42bbbb8531669d (git)<br>Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 551dfb15b182abad4600eaf7b37e6eb7000d5b1b (git)<br>Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 3363a770b193f555f29d76ddf4ced3305c0ccf6d (git)<br>Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 243b206bcb5a7137e8bddd57b2eec81e1ebd3859 (git)<br>Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < dfc6878d14acafffbe670bf2576620757a10a3d8 (git)<br>Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 66751841212c2cc196577453c37f7774ff363f02 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b73376feecb3b61172fe5b4ff42bbbb8531669d",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "551dfb15b182abad4600eaf7b37e6eb7000d5b1b",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "3363a770b193f555f29d76ddf4ced3305c0ccf6d",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "243b206bcb5a7137e8bddd57b2eec81e1ebd3859",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "dfc6878d14acafffbe670bf2576620757a10a3d8",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "66751841212c2cc196577453c37f7774ff363f02",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate EaNameLength in smb2_get_ea()\n\nsmb2_get_ea() reads ea_req-\u003eEaNameLength from the client request and\npasses it directly to strncmp() as the comparison length without\nverifying that the length of the name really is the size of the input\nbuffer received.\n\nFix this up by properly checking the size of the name based on the value\nreceived and the overall size of the request, to prevent a later\nstrncmp() call to use the length as a \"trusted\" size of the buffer.\nWithout this check, uninitialized heap values might be slowly leaked to\nthe client."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:24.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d"
},
{
"url": "https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b"
},
{
"url": "https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d"
},
{
"url": "https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859"
},
{
"url": "https://git.kernel.org/stable/c/dfc6878d14acafffbe670bf2576620757a10a3d8"
},
{
"url": "https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02"
}
],
"title": "ksmbd: validate EaNameLength in smb2_get_ea()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31612",
"datePublished": "2026-04-24T14:42:32.760Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-04-27T14:04:24.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31607 (GCVE-0-2026-31607)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
usbip: validate number_of_packets in usbip_pack_ret_submit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
The buggy address is located 0 bytes to the right of
allocated 320-byte region [ffff888106351c00, ffff888106351d40)
The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.
This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.
Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 885c8591784da6314f9aa82fa460ac69f9f79e5f (git)<br>Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 8d155e2d1c4102f74f82a2bf9c016164bb0f7384 (git)<br>Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 906f16a836de13fe61f49cdce2f66f2dbd14caf4 (git)<br>Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < ef8ebb1c637b4cfb61a9dd2e013376774ee2033b (git)<br>Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 5e1c4ece08ccdc197177631f111845a2c68eede3 (git)<br>Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 2ab833a16a825373aad2ba7d54b572b277e95b71 (git)<br>Affected: d9638d9236eed035a575feddec61d036dacc2676 (git)<br>Affected: ca7d3501b7a287c18b5b470e871d3029b0f4842a (git)<br>Affected: 1ce528277e1a66856ed3f7526c1e3458c0ed4a70 (git)<br>Affected: db898d0c5c493ce4177d5e1d3a953e079a56a24b (git)<br>Affected: 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/usbip_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "885c8591784da6314f9aa82fa460ac69f9f79e5f",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "8d155e2d1c4102f74f82a2bf9c016164bb0f7384",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "906f16a836de13fe61f49cdce2f66f2dbd14caf4",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "ef8ebb1c637b4cfb61a9dd2e013376774ee2033b",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "5e1c4ece08ccdc197177631f111845a2c68eede3",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"lessThan": "2ab833a16a825373aad2ba7d54b572b277e95b71",
"status": "affected",
"version": "1325f85fa49f57df034869de430f7c302ae23109",
"versionType": "git"
},
{
"status": "affected",
"version": "d9638d9236eed035a575feddec61d036dacc2676",
"versionType": "git"
},
{
"status": "affected",
"version": "ca7d3501b7a287c18b5b470e871d3029b0f4842a",
"versionType": "git"
},
{
"status": "affected",
"version": "1ce528277e1a66856ed3f7526c1e3458c0ed4a70",
"versionType": "git"
},
{
"status": "affected",
"version": "db898d0c5c493ce4177d5e1d3a953e079a56a24b",
"versionType": "git"
},
{
"status": "affected",
"version": "5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/usbip/usbip_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.38.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb-\u003enumber_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb-\u003eiso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb-\u003eiso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n The buggy address is located 0 bytes to the right of\n allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo\u0027s series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu-\u003enumber_of_packets against\nurb-\u003enumber_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:20.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f"
},
{
"url": "https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384"
},
{
"url": "https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4"
},
{
"url": "https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"
},
{
"url": "https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3"
},
{
"url": "https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71"
}
],
"title": "usbip: validate number_of_packets in usbip_pack_ret_submit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31607",
"datePublished": "2026-04-24T14:42:29.468Z",
"dateReserved": "2026-03-09T15:48:24.122Z",
"dateUpdated": "2026-04-27T14:04:20.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31702 (GCVE-0-2026-31702)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-01 13:56
Title
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.
This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.
Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < ef57cd3329b40c739b9a2e1a8a21ecc4171c6280 (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < f5154cf3ce1c8193f0c1891d3769f62740cfe6fe (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < c76cf339b87975ae5b2c06d2d774d5667d25a12a (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 2c97dcb6147c8f7f25c629b93be1e69617de5d4a (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 39d4ee19c1e7d753dd655aebee632271b171f43a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef57cd3329b40c739b9a2e1a8a21ecc4171c6280",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "f5154cf3ce1c8193f0c1891d3769f62740cfe6fe",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "c76cf339b87975ae5b2c06d2d774d5667d25a12a",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "2c97dcb6147c8f7f25c629b93be1e69617de5d4a",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "39d4ee19c1e7d753dd655aebee632271b171f43a",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()\n\nIn f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring\nthe F2FS_WB_CP_DATA counter to zero, unblocking\nf2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount\nCPU. The unmount path then proceeds to call\nf2fs_destroy_page_array_cache(sbi), which destroys\nsbi-\u003epage_array_slab via kmem_cache_destroy(), and eventually\nkfree(sbi). Meanwhile, the bio completion callback is still executing:\nwhen it reaches page_array_free(sbi, ...), it dereferences\nsbi-\u003epage_array_slab \u2014 a destroyed slab cache \u2014 to call\nkmem_cache_free(), causing a use-after-free.\n\nThis is the same class of bug as CVE-2026-23234 (which fixed the\nequivalent race in f2fs_write_end_io() in data.c), but in the\ncompressed writeback completion path that was not covered by that fix.\n\nFix this by moving dec_page_count() to after page_array_free(), so\nthat all sbi accesses complete before the counter decrement that can\nunblock unmount. For non-last folios (where atomic_dec_return on\ncic-\u003epending_pages is nonzero), dec_page_count is called immediately\nbefore returning \u2014 page_array_free is not reached on this path, so\nthere is no post-decrement sbi access. For the last folio,\npage_array_free runs while the F2FS_WB_CP_DATA counter is still\nnonzero (this folio has not yet decremented it), keeping sbi alive,\nand dec_page_count runs as the final operation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T13:56:01.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280"
},
{
"url": "https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe"
},
{
"url": "https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a"
},
{
"url": "https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a"
},
{
"url": "https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a"
}
],
"title": "f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31702",
"datePublished": "2026-05-01T13:56:01.601Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-01T13:56:01.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31532 (GCVE-0-2026-31532)
Vulnerability from cvelistv5 – Published: 2026-04-23 11:12 – Updated: 2026-04-27 14:03
Title
can: raw: fix ro->uniq use-after-free in raw_rcv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: raw: fix ro->uniq use-after-free in raw_rcv()
raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.
[mkl: applied manually]
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 5e9cfffad898bbeaafd0ea608a6d267362f050fc (git) |
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 572f0bf536ebc14f6e7da3d21a85cf076de8358e (git) |
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 (git) |
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 7201a531b9a5ed892bfda5ded9194ef622de8ffa (git) |
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < 34c1741254ff972e8375faf176678a248826fe3a (git) |
| Linux | Linux | Affected: 514ac99c64b22d83b52dfee3b8becaa69a92bc4a , < a535a9217ca3f2fccedaafb2fddb4c48f27d36dc (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e9cfffad898bbeaafd0ea608a6d267362f050fc",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "572f0bf536ebc14f6e7da3d21a85cf076de8358e",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "7201a531b9a5ed892bfda5ded9194ef622de8ffa",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "34c1741254ff972e8375faf176678a248826fe3a",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
},
{
"lessThan": "a535a9217ca3f2fccedaafb2fddb4c48f27d36dc",
"status": "affected",
"version": "514ac99c64b22d83b52dfee3b8becaa69a92bc4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/raw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro-\u003euniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro-\u003euniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro-\u003euniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:53.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc"
},
{
"url": "https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e"
},
{
"url": "https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0"
},
{
"url": "https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa"
},
{
"url": "https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a"
},
{
"url": "https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc"
}
],
"title": "can: raw: fix ro-\u003euniq use-after-free in raw_rcv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31532",
"datePublished": "2026-04-23T11:12:44.829Z",
"dateReserved": "2026-03-09T15:48:24.112Z",
"dateUpdated": "2026-04-27T14:03:53.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31704 (GCVE-0-2026-31704)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-01 13:56
Title
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.
Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 8d5729350b236896f51379588d9a690b7fafb8db (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < e1955a94b6f17f4b058afa955a6f187eb3ed7615 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7 (git) |
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 299f962c0b02d048fb45d248b4da493d03f3175d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smbacl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d5729350b236896f51379588d9a690b7fafb8db",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "e1955a94b6f17f4b058afa955a6f187eb3ed7615",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "299f962c0b02d048fb45d248b4da493d03f3175d",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smbacl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use check_add_overflow() to prevent u16 DACL size overflow\n\nset_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes\nin u16 variables. When a file has many POSIX ACL entries, the\naccumulated size can wrap past 65535, causing the pointer arithmetic\n(char *)pndace + *size to land within already-written ACEs. Subsequent\nwrites then overwrite earlier entries, and pndacl-\u003esize gets a\ntruncated value.\n\nUse check_add_overflow() at each accumulation point to detect the\nwrap before it corrupts the buffer, consistent with existing\ncheck_mul_overflow() usage elsewhere in smbacl.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T13:56:03.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db"
},
{
"url": "https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615"
},
{
"url": "https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43"
},
{
"url": "https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7"
},
{
"url": "https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d"
}
],
"title": "ksmbd: use check_add_overflow() to prevent u16 DACL size overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31704",
"datePublished": "2026-05-01T13:56:03.243Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-01T13:56:03.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31595 (GCVE-0-2026-31595)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Disable the delayed work before clearing BAR mappings and doorbells to
avoid running the handler after resources have been torn down.
Unable to handle kernel paging request at virtual address ffff800083f46004
[...]
Internal error: Oops: 0000000096000007 [#1] SMP
[...]
Call trace:
epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
process_one_work+0x154/0x3b0
worker_thread+0x2c8/0x400
kthread+0x148/0x210
ret_from_fork+0x10/0x20
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < ceb73484e7204f661f770069ecdf35f6e941879c (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < 6773cc24c004930903a57761132c1e7728907f8f (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < 9921cce25bfe4021f6e55ca995351eb967165297 (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < 5999067140c67530a6cb6f41a8471596e60452cb (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < fbb6c353fa2fb5f5f990eda034a1074b0356127e (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb , < d799984233a50abd2667a7d17a9a710a3f10ebe2 (git) |
| Linux | Linux | Affected: e2b6ef72b7aea9d7d480d2df499bcd1c93247abb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-vntb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb73484e7204f661f770069ecdf35f6e941879c",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "6773cc24c004930903a57761132c1e7728907f8f",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "9921cce25bfe4021f6e55ca995351eb967165297",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "5999067140c67530a6cb6f41a8471596e60452cb",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "fbb6c353fa2fb5f5f990eda034a1074b0356127e",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "d799984233a50abd2667a7d17a9a710a3f10ebe2",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"status": "affected",
"version": "e2b6ef72b7aea9d7d480d2df499bcd1c93247abb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-vntb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.153",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup\n\nDisable the delayed work before clearing BAR mappings and doorbells to\navoid running the handler after resources have been torn down.\n\n Unable to handle kernel paging request at virtual address ffff800083f46004\n [...]\n Internal error: Oops: 0000000096000007 [#1] SMP\n [...]\n Call trace:\n epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)\n process_one_work+0x154/0x3b0\n worker_thread+0x2c8/0x400\n kthread+0x148/0x210\n ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:38.327Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb73484e7204f661f770069ecdf35f6e941879c"
},
{
"url": "https://git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f"
},
{
"url": "https://git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297"
},
{
"url": "https://git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb"
},
{
"url": "https://git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e"
},
{
"url": "https://git.kernel.org/stable/c/d799984233a50abd2667a7d17a9a710a3f10ebe2"
}
],
"title": "PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31595",
"datePublished": "2026-04-24T14:42:21.355Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-27T13:56:38.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31508 (GCVE-0-2026-31508)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-27 14:03
Title
net: openvswitch: Avoid releasing netdev before teardown completes
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: Avoid releasing netdev before teardown completes
The patch cited in the Fixes tag below changed the teardown code for
OVS ports to no longer unconditionally take the RTNL. After this change,
the netdev_destroy() callback can proceed immediately to the call_rcu()
invocation if the IFF_OVS_DATAPATH flag is already cleared on the
netdev.
The ovs_netdev_detach_dev() function clears the flag before completing
the unregistration, and if it gets preempted after clearing the flag (as
can happen on an -rt kernel), netdev_destroy() can complete and the
device can be freed before the unregistration completes. This leads to a
splat like:
[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI
[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT
[ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025
[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0
[ 998.393946] Call Trace:
[ 998.393949] <TASK>
[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0
[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]
[ 998.394009] ? __die_body.cold+0x8/0x12
[ 998.394016] ? die_addr+0x3c/0x60
[ 998.394027] ? exc_general_protection+0x16d/0x390
[ 998.394042] ? asm_exc_general_protection+0x26/0x30
[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0
[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]
[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]
[ 998.394102] notifier_call_chain+0x5a/0xd0
[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60
[ 998.394110] rtnl_dellink+0x169/0x3e0
[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0
[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0
[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0
[ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 998.394132] netlink_rcv_skb+0x50/0x100
[ 998.394138] netlink_unicast+0x292/0x3f0
[ 998.394141] netlink_sendmsg+0x21b/0x470
[ 998.394145] ____sys_sendmsg+0x39d/0x3d0
[ 998.394149] ___sys_sendmsg+0x9a/0xe0
[ 998.394156] __sys_sendmsg+0x7a/0xd0
[ 998.394160] do_syscall_64+0x7f/0x170
[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 998.394165] RIP: 0033:0x7fad61bf4724
---truncated---
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b823c3344d5446b720227ba561df10a4f0add515 , < df3c95be76103604e752131d9495a24814915ece (git) |
| Linux | Linux | Affected: 052e5db5be4576e0a8ef1460b210da5f328f4cd1 , < 33609454be4f582e686a4bf13d4482a5ca0f6c4b (git) |
| Linux | Linux | Affected: c98263d5ace597c096a7a60aeef790da7b54979e , < 5fdeaf591a0942772c2d18ff3563697a49ad01c6 (git) |
| Linux | Linux | Affected: 0fc642f011cb7a7eff41109e66d3b552e9f4d795 , < 4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8 (git) |
| Linux | Linux | Affected: 5116f61ab11846844585c9082c547c4ccd97ff1a , < 43579baa17270aa51f93eb09b6e4af6e047b7f6e (git) |
| Linux | Linux | Affected: f31557fb1b35332cca9994aa196cef284bcf3807 , < 95265232b49765a4d00f4d028c100bb7185600f4 (git) |
| Linux | Linux | Affected: 5498227676303e3ffa9a3a46214af96bc3e81314 , < 755a6300afbd743cda4b102f24f343380ec0e0ff (git) |
| Linux | Linux | Affected: 5498227676303e3ffa9a3a46214af96bc3e81314 , < 7c770dadfda5cbbde6aa3c4363ed513f1d212bf8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df3c95be76103604e752131d9495a24814915ece",
"status": "affected",
"version": "b823c3344d5446b720227ba561df10a4f0add515",
"versionType": "git"
},
{
"lessThan": "33609454be4f582e686a4bf13d4482a5ca0f6c4b",
"status": "affected",
"version": "052e5db5be4576e0a8ef1460b210da5f328f4cd1",
"versionType": "git"
},
{
"lessThan": "5fdeaf591a0942772c2d18ff3563697a49ad01c6",
"status": "affected",
"version": "c98263d5ace597c096a7a60aeef790da7b54979e",
"versionType": "git"
},
{
"lessThan": "4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8",
"status": "affected",
"version": "0fc642f011cb7a7eff41109e66d3b552e9f4d795",
"versionType": "git"
},
{
"lessThan": "43579baa17270aa51f93eb09b6e4af6e047b7f6e",
"status": "affected",
"version": "5116f61ab11846844585c9082c547c4ccd97ff1a",
"versionType": "git"
},
{
"lessThan": "95265232b49765a4d00f4d028c100bb7185600f4",
"status": "affected",
"version": "f31557fb1b35332cca9994aa196cef284bcf3807",
"versionType": "git"
},
{
"lessThan": "755a6300afbd743cda4b102f24f343380ec0e0ff",
"status": "affected",
"version": "5498227676303e3ffa9a3a46214af96bc3e81314",
"versionType": "git"
},
{
"lessThan": "7c770dadfda5cbbde6aa3c4363ed513f1d212bf8",
"status": "affected",
"version": "5498227676303e3ffa9a3a46214af96bc3e81314",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/vport-netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.248",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.18.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[ 998.393886] Hardware name: Dell Inc. 
PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 \u003c48\u003e 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[ 998.393944] PKRU: 55555554\n[ 998.393946] Call Trace:\n[ 998.393949] \u003cTASK\u003e\n[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394009] ? __die_body.cold+0x8/0x12\n[ 998.394016] ? die_addr+0x3c/0x60\n[ 998.394027] ? exc_general_protection+0x16d/0x390\n[ 998.394042] ? asm_exc_general_protection+0x26/0x30\n[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0\n[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394102] notifier_call_chain+0x5a/0xd0\n[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60\n[ 998.394110] rtnl_dellink+0x169/0x3e0\n[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0\n[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0\n[ 998.394130] ? 
__pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 998.394132] netlink_rcv_skb+0x50/0x100\n[ 998.394138] netlink_unicast+0x292/0x3f0\n[ 998.394141] netlink_sendmsg+0x21b/0x470\n[ 998.394145] ____sys_sendmsg+0x39d/0x3d0\n[ 998.394149] ___sys_sendmsg+0x9a/0xe0\n[ 998.394156] __sys_sendmsg+0x7a/0xd0\n[ 998.394160] do_syscall_64+0x7f/0x170\n[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 998.394165] RIP: 0033:0x7fad61bf4724\n[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2\n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:46.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df3c95be76103604e752131d9495a24814915ece"
},
{
"url": "https://git.kernel.org/stable/c/33609454be4f582e686a4bf13d4482a5ca0f6c4b"
},
{
"url": "https://git.kernel.org/stable/c/5fdeaf591a0942772c2d18ff3563697a49ad01c6"
},
{
"url": "https://git.kernel.org/stable/c/4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8"
},
{
"url": "https://git.kernel.org/stable/c/43579baa17270aa51f93eb09b6e4af6e047b7f6e"
},
{
"url": "https://git.kernel.org/stable/c/95265232b49765a4d00f4d028c100bb7185600f4"
},
{
"url": "https://git.kernel.org/stable/c/755a6300afbd743cda4b102f24f343380ec0e0ff"
},
{
"url": "https://git.kernel.org/stable/c/7c770dadfda5cbbde6aa3c4363ed513f1d212bf8"
}
],
"title": "net: openvswitch: Avoid releasing netdev before teardown completes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31508",
"datePublished": "2026-04-22T13:54:26.599Z",
"dateReserved": "2026-03-09T15:48:24.106Z",
"dateUpdated": "2026-04-27T14:03:46.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31676 (GCVE-0-2026-31676)
Vulnerability from cvelistv5 – Published: 2026-04-25 08:46 – Updated: 2026-04-27 14:04
Title
rxrpc: only handle RESPONSE during service challenge
Summary
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: only handle RESPONSE during service challenge

Only process RESPONSE packets while the service connection is still in
RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
running response verification and security initialization, then use a local
secured flag to decide whether to queue the secured-connection work after
the state transition. This keeps duplicate or late RESPONSE packets from
re-running the setup path and removes the unlocked post-transition state
test.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < a6bcf8010af093fe04f7100562e9542ab7882585 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 29b44d904dceb832be880def08b8cb17a0aba91c (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < d0035e634dae83237ab7f5681eb52b2f65d0ceb8 (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < 03fd2ef73cb4ffd0af100a95b634af54f474414e (git) |
| Linux | Linux | Affected: 17926a79320afa9b95df6b977b40cca6d8713cea , < c43ffdcfdbb5567b1f143556df8a04b4eeea041c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6bcf8010af093fe04f7100562e9542ab7882585",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "29b44d904dceb832be880def08b8cb17a0aba91c",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "d0035e634dae83237ab7f5681eb52b2f65d0ceb8",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "03fd2ef73cb4ffd0af100a95b634af54f474414e",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
},
{
"lessThan": "c43ffdcfdbb5567b1f143556df8a04b4eeea041c",
"status": "affected",
"version": "17926a79320afa9b95df6b977b40cca6d8713cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: only handle RESPONSE during service challenge\n\nOnly process RESPONSE packets while the service connection is still in\nRXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before\nrunning response verification and security initialization, then use a local\nsecured flag to decide whether to queue the secured-connection work after\nthe state transition. This keeps duplicate or late RESPONSE packets from\nre-running the setup path and removes the unlocked post-transition state\ntest."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:57.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6bcf8010af093fe04f7100562e9542ab7882585"
},
{
"url": "https://git.kernel.org/stable/c/29b44d904dceb832be880def08b8cb17a0aba91c"
},
{
"url": "https://git.kernel.org/stable/c/d0035e634dae83237ab7f5681eb52b2f65d0ceb8"
},
{
"url": "https://git.kernel.org/stable/c/03fd2ef73cb4ffd0af100a95b634af54f474414e"
},
{
"url": "https://git.kernel.org/stable/c/c43ffdcfdbb5567b1f143556df8a04b4eeea041c"
}
],
"title": "rxrpc: only handle RESPONSE during service challenge",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31676",
"datePublished": "2026-04-25T08:46:52.285Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-27T14:04:57.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31696 (GCVE-0-2026-31696)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-05-01 13:55
Title
rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
Summary
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.

This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 , < 1fa36cf495b0023e8475d038535c05e4063211e1 (git) |
| Linux | Linux | Affected: 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 , < 4458757c020592a3094366e0fb20457383b42f92 (git) |
| Linux | Linux | Affected: 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 , < ce383ba615339f8eaec646a166d2c2b015bb5ca0 (git) |
| Linux | Linux | Affected: 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 , < a1be1c9ece26cea69654f28b255ff9a7906b897b (git) |
| Linux | Linux | Affected: 8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 , < ac33733b10b484d666f97688561670afd5861383 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1fa36cf495b0023e8475d038535c05e4063211e1",
"status": "affected",
"version": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247",
"versionType": "git"
},
{
"lessThan": "4458757c020592a3094366e0fb20457383b42f92",
"status": "affected",
"version": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247",
"versionType": "git"
},
{
"lessThan": "ce383ba615339f8eaec646a166d2c2b015bb5ca0",
"status": "affected",
"version": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247",
"versionType": "git"
},
{
"lessThan": "a1be1c9ece26cea69654f28b255ff9a7906b897b",
"status": "affected",
"version": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247",
"versionType": "git"
},
{
"lessThan": "ac33733b10b484d666f97688561670afd5861383",
"status": "affected",
"version": "8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads \u003c= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T13:55:57.485Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1"
},
{
"url": "https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92"
},
{
"url": "https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0"
},
{
"url": "https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b"
},
{
"url": "https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383"
}
],
"title": "rxrpc: Fix missing validation of ticket length in non-XDR key preparsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31696",
"datePublished": "2026-05-01T13:55:57.485Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-01T13:55:57.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31671 (GCVE-0-2026-31671)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-25 05:48
Title
xfrm_user: fix info leak in build_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:

xfrm_user: fix info leak in build_report()

struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there are three "empty" bytes of padding, but
the padding is never zeroed before copying to userspace. Fix that up by
zeroing the structure before setting individual member variables.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < d27c02eec529f78055a46a5c9e6c62684382b2d8 (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 716c546e88cfe49d841658240e10cb57bc50a2cc (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9 (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < e0c8542c3d097ed4205ded51868195d5d6ddac62 (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < ff5ee507302303b15859753c3e0d67d38fd12c88 (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 6c55714c931051cd7f4839c19ce0867179fd22fe (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < 0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72 (git) |
| Linux | Linux | Affected: 97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 , < d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d27c02eec529f78055a46a5c9e6c62684382b2d8",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "716c546e88cfe49d841658240e10cb57bc50a2cc",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "e0c8542c3d097ed4205ded51868195d5d6ddac62",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "ff5ee507302303b15859753c3e0d67d38fd12c88",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "6c55714c931051cd7f4839c19ce0867179fd22fe",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
},
{
"lessThan": "d10119968d0e1f2b669604baf2a8b5fdb72fa6b4",
"status": "affected",
"version": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T05:48:30.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d27c02eec529f78055a46a5c9e6c62684382b2d8"
},
{
"url": "https://git.kernel.org/stable/c/716c546e88cfe49d841658240e10cb57bc50a2cc"
},
{
"url": "https://git.kernel.org/stable/c/0616314b3b34f24cbb91da8c6bd8bcdc4c8592f9"
},
{
"url": "https://git.kernel.org/stable/c/e0c8542c3d097ed4205ded51868195d5d6ddac62"
},
{
"url": "https://git.kernel.org/stable/c/ff5ee507302303b15859753c3e0d67d38fd12c88"
},
{
"url": "https://git.kernel.org/stable/c/6c55714c931051cd7f4839c19ce0867179fd22fe"
},
{
"url": "https://git.kernel.org/stable/c/0a30dceb0e1f0c480d2482e6d7cebf8aebb6eb72"
},
{
"url": "https://git.kernel.org/stable/c/d10119968d0e1f2b669604baf2a8b5fdb72fa6b4"
}
],
"title": "xfrm_user: fix info leak in build_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31671",
"datePublished": "2026-04-24T14:45:18.669Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-04-25T05:48:30.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31649 (GCVE-0-2026-31649)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
net: stmmac: fix integer underflow in chain mode
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()
decides to invoke jumbo_frm() based on skb->len (total length including
page fragments):

is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a
large total length due to page fragments (skb->len > bmax), the
subtraction wraps as an unsigned integer, producing a huge len value
(~0xFFFFxxxx). This causes the while (len != 0) loop to execute
hundreds of thousands of iterations, passing skb->data + bmax * i
pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less
SoCs (the typical deployment for stmmac), this maps arbitrary kernel
memory to the DMA engine, constituting a kernel memory disclosure and
potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to
min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then
always safe: it is zero when the linear portion fits within a single
descriptor, causing the while (len != 0) loop to be skipped naturally,
and the fragment loop in stmmac_xmit() handles page fragments afterward.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 513e06735f5be575b409d195822195348b164e48 (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 275bdf762e82082f064e60a92448fa2ac43cf95b (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < b7b8012193fd98236d7ae05d4b553f010a77b2ef (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 2c91b39912278d0878f9ba60ba04d2518b18a08d (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 6fca757c20396dc2e604dcc61922264e9e3dc803 (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 10d12b9240ebf96c785f0e2e4228318cd5f3a3eb (git) |
| Linux | Linux | Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1, < 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "513e06735f5be575b409d195822195348b164e48",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "275bdf762e82082f064e60a92448fa2ac43cf95b",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "b7b8012193fd98236d7ae05d4b553f010a77b2ef",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "2c91b39912278d0878f9ba60ba04d2518b18a08d",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "6fca757c20396dc2e604dcc61922264e9e3dc803",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
},
{
"lessThan": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67",
"status": "affected",
"version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:42.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
},
{
"url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
},
{
"url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
},
{
"url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
},
{
"url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
},
{
"url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
},
{
"url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
},
{
"url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
}
],
"title": "net: stmmac: fix integer underflow in chain mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31649",
"datePublished": "2026-04-24T14:45:02.520Z",
"dateReserved": "2026-03-09T15:48:24.128Z",
"dateUpdated": "2026-04-27T14:04:42.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31619 (GCVE-0-2026-31619)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
ALSA: fireworks: bound device-supplied status before string array lookup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: fireworks: bound device-supplied status before string array lookup
The status field in an EFW response is a 32-bit value supplied by the
firewire device. efr_status_names[] has 17 entries so a status value
outside that range goes off into the weeds when looking at the %s value.
Even worse, the status could return EFR_STATUS_INCOMPLETE which is
0x80000000, and is obviously not in that array of potential strings.
Fix this up by properly bounding the index against the array size and
printing "unknown" if it's not recognized.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < f856f4b6efd51be7950e4b84c06cd961961ca41c (git) |
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < e103f98f6615ed2934e9cf340654f0cad9eb8a8a (git) |
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < 67cfd14074cdafab5de3f7cfc0952c1a9b653e5d (git) |
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < cc624b3d2be13297100539b64ad950695188e046 (git) |
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < 682d8accf0d83a871e8c327b95c81f53902c922b (git) |
| Linux | Linux | Affected: bde8a8f23bbe6db51fa4e81644273af18fef3d7a, < 07704bbf36f57e4379e4cadf96410dab14621e3b (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/fireworks/fireworks_command.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f856f4b6efd51be7950e4b84c06cd961961ca41c",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
},
{
"lessThan": "e103f98f6615ed2934e9cf340654f0cad9eb8a8a",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
},
{
"lessThan": "67cfd14074cdafab5de3f7cfc0952c1a9b653e5d",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
},
{
"lessThan": "cc624b3d2be13297100539b64ad950695188e046",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
},
{
"lessThan": "682d8accf0d83a871e8c327b95c81f53902c922b",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
},
{
"lessThan": "07704bbf36f57e4379e4cadf96410dab14621e3b",
"status": "affected",
"version": "bde8a8f23bbe6db51fa4e81644273af18fef3d7a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/fireworks/fireworks_command.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: fireworks: bound device-supplied status before string array lookup\n\nThe status field in an EFW response is a 32-bit value supplied by the\nfirewire device. efr_status_names[] has 17 entries so a status value\noutside that range goes off into the weeds when looking at the %s value.\n\nEven worse, the status could return EFR_STATUS_INCOMPLETE which is\n0x80000000, and is obviously not in that array of potential strings.\n\nFix this up by properly bounding the index against the array size and\nprinting \"unknown\" if it\u0027s not recognized."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:59.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f856f4b6efd51be7950e4b84c06cd961961ca41c"
},
{
"url": "https://git.kernel.org/stable/c/e103f98f6615ed2934e9cf340654f0cad9eb8a8a"
},
{
"url": "https://git.kernel.org/stable/c/67cfd14074cdafab5de3f7cfc0952c1a9b653e5d"
},
{
"url": "https://git.kernel.org/stable/c/cc624b3d2be13297100539b64ad950695188e046"
},
{
"url": "https://git.kernel.org/stable/c/682d8accf0d83a871e8c327b95c81f53902c922b"
},
{
"url": "https://git.kernel.org/stable/c/07704bbf36f57e4379e4cadf96410dab14621e3b"
}
],
"title": "ALSA: fireworks: bound device-supplied status before string array lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31619",
"datePublished": "2026-04-24T14:42:37.944Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-04-27T13:56:59.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31658 (GCVE-0-2026-31658)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns
NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the
stack the packet was consumed, the skb is never freed, leaking memory
on every DMA mapping failure.
Add dev_kfree_skb_any() before returning to properly free the skb.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < ae2cd46f57f422b51aedd406ff5d75cbff401d5d (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < cb1d318702fdf643061350d164250198df4116f2 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < d5ec406f0543bd6cdfd563b08015fdec8c4d5712 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 2eb9d67704ca8f1101f7435b85f113ede471f9f2 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 60f462cd2716d86bd2174f9d5e035c9278f30480 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 3aca300e88afe56afb000cdc4c65383014fb17f9 (git) |
| Linux | Linux | Affected: bbd2190ce96d8fce031f0526c1f970b68adc9d1a, < 6dede3967619b5944003227a5d09fdc21ed57d10 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae2cd46f57f422b51aedd406ff5d75cbff401d5d",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "cb1d318702fdf643061350d164250198df4116f2",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "d5ec406f0543bd6cdfd563b08015fdec8c4d5712",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "2eb9d67704ca8f1101f7435b85f113ede471f9f2",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "60f462cd2716d86bd2174f9d5e035c9278f30480",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "3aca300e88afe56afb000cdc4c65383014fb17f9",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
},
{
"lessThan": "6dede3967619b5944003227a5d09fdc21ed57d10",
"status": "affected",
"version": "bbd2190ce96d8fce031f0526c1f970b68adc9d1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/altera/altera_tse_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()\n\nWhen dma_map_single() fails in tse_start_xmit(), the function returns\nNETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the\nstack the packet was consumed, the skb is never freed, leaking memory\non every DMA mapping failure.\n\nAdd dev_kfree_skb_any() before returning to properly free the skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:09.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae2cd46f57f422b51aedd406ff5d75cbff401d5d"
},
{
"url": "https://git.kernel.org/stable/c/cb1d318702fdf643061350d164250198df4116f2"
},
{
"url": "https://git.kernel.org/stable/c/d5ec406f0543bd6cdfd563b08015fdec8c4d5712"
},
{
"url": "https://git.kernel.org/stable/c/2eb9d67704ca8f1101f7435b85f113ede471f9f2"
},
{
"url": "https://git.kernel.org/stable/c/9f3ec44aeb58501d11834048d5d0dbaeacb6d4e7"
},
{
"url": "https://git.kernel.org/stable/c/60f462cd2716d86bd2174f9d5e035c9278f30480"
},
{
"url": "https://git.kernel.org/stable/c/3aca300e88afe56afb000cdc4c65383014fb17f9"
},
{
"url": "https://git.kernel.org/stable/c/6dede3967619b5944003227a5d09fdc21ed57d10"
}
],
"title": "net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31658",
"datePublished": "2026-04-24T14:45:09.566Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:09.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31597 (GCVE-0-2026-31597)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:
"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.
Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < 6f072daefcab1d84ce37c073645615f63be91006 (git) |
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < 4cf2768a0291a0cdd0dae801ea0eafa3878a349d (git) |
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < d45ff441b416d4aa1af72b1db23d959601c04da2 (git) |
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < 76a602fdbb78dd05b2da06f74a988cebc97e82d0 (git) |
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < 925bf22c1b823e231b1baea761fe8a1512e442f2 (git) |
| Linux | Linux | Affected: 614a9e849ca6ea24843795251cb30af525d5336b, < 7de554cabf160e331e4442e2a9ad874ca9875921 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/mmap.c",
"fs/ocfs2/ocfs2_trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f072daefcab1d84ce37c073645615f63be91006",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
},
{
"lessThan": "4cf2768a0291a0cdd0dae801ea0eafa3878a349d",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
},
{
"lessThan": "d45ff441b416d4aa1af72b1db23d959601c04da2",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
},
{
"lessThan": "76a602fdbb78dd05b2da06f74a988cebc97e82d0",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
},
{
"lessThan": "925bf22c1b823e231b1baea761fe8a1512e442f2",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
},
{
"lessThan": "7de554cabf160e331e4442e2a9ad874ca9875921",
"status": "affected",
"version": "614a9e849ca6ea24843795251cb30af525d5336b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/mmap.c",
"fs/ocfs2/ocfs2_trace.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\n\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\n \"If our return value has VM_FAULT_RETRY set, it\u0027s because the mmap_lock\n may be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\n\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved \u0027vma\u0027 pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\n\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:15.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006"
},
{
"url": "https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d"
},
{
"url": "https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2"
},
{
"url": "https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0"
},
{
"url": "https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2"
},
{
"url": "https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921"
}
],
"title": "ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31597",
"datePublished": "2026-04-24T14:42:22.655Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-27T14:04:15.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31624 (GCVE-0-2026-31624)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:57
Title
HID: core: clamp report_size in s32ton() to avoid undefined shift
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: clamp report_size in s32ton() to avoid undefined shift
s32ton() shifts by n-1 where n is the field's report_size, a value that
comes directly from a HID device. The HID parser bounds report_size
only to <= 256, so a broken HID device can supply a report descriptor
with a wide field that triggers shift exponents up to 256 on a 32-bit
type when an output report is built via hid_output_field() or
hid_set_field().
Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in
hid_report_raw_event") added the same n > 32 clamp to the function
snto32(), but s32ton() was never given the same fix as I guess syzbot
hadn't figured out how to fuzz a device the same way.
Fix this up by just clamping the max value of n, just like snto32()
does.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < 932ae5309e53561197aa7d1606c7cf63af10e24f (git) |
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < 58386f00af710922cafb0fb69211497beddfaa95 (git) |
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < 8a8333237f1f5caab8d4c3d2c2e7578c4263a97f (git) |
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < ea363a34086ddb4231adc581a7f36c39ec154bfc (git) |
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < 97014719bb8fccb1ffcbbc299e84b1f11b114195 (git) |
| Linux | Linux | Affected: dde5845a529ff753364a6d1aea61180946270bfa, < 69c02ffde6ed4d535fa4e693a9e572729cad3d0d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "932ae5309e53561197aa7d1606c7cf63af10e24f",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "58386f00af710922cafb0fb69211497beddfaa95",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8a8333237f1f5caab8d4c3d2c2e7578c4263a97f",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "ea363a34086ddb4231adc581a7f36c39ec154bfc",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "97014719bb8fccb1ffcbbc299e84b1f11b114195",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "69c02ffde6ed4d535fa4e693a9e572729cad3d0d",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field\u0027s report_size, a value that\ncomes directly from a HID device. The HID parser bounds report_size\nonly to \u003c= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n \u003e 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn\u0027t figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:57:03.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f"
},
{
"url": "https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95"
},
{
"url": "https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f"
},
{
"url": "https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc"
},
{
"url": "https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195"
},
{
"url": "https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d"
}
],
"title": "HID: core: clamp report_size in s32ton() to avoid undefined shift",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31624",
"datePublished": "2026-04-24T14:42:41.655Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T13:57:03.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31662 (GCVE-0-2026-31662)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
Summary
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG

The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
bc_ackers on every inbound group ACK, even when the same member has
already acknowledged the current broadcast round.

Because bc_ackers is a u16, a duplicate ACK received after the last
legitimate ACK wraps the counter to 65535. Once wrapped,
tipc_group_bc_cong() keeps reporting congestion and later group
broadcasts on the affected socket stay blocked until the group is
recreated.

Fix this by ignoring duplicate or stale ACKs before touching bc_acked or
bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and
prevents the underflow path.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < a7db57ccca21f5801609065473c89a38229ecb92 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < 36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < 575faea557f1a184a5f09661bd47ebd3ef3769f8 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < 3bcf7aca63f0bcd679ae28e9b99823c608e59ce3 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < a2ea1ef0167d7a84730638d05c20ccdc421b14b6 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < 1b6f13f626665cac67ba5a012765427680518711 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682 (git) |
| Linux | Linux | Affected: 2f487712b89376fce267223bbb0db93d393d4b09 , < 48a5fe38772b6f039522469ee6131a67838221a8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7db57ccca21f5801609065473c89a38229ecb92",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "575faea557f1a184a5f09661bd47ebd3ef3769f8",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "3bcf7aca63f0bcd679ae28e9b99823c608e59ce3",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "a2ea1ef0167d7a84730638d05c20ccdc421b14b6",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "1b6f13f626665cac67ba5a012765427680518711",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
},
{
"lessThan": "48a5fe38772b6f039522469ee6131a67838221a8",
"status": "affected",
"version": "2f487712b89376fce267223bbb0db93d393d4b09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:47.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7db57ccca21f5801609065473c89a38229ecb92"
},
{
"url": "https://git.kernel.org/stable/c/36ec4fdd6250dcd5e73eb09ea92ed92e9cc28412"
},
{
"url": "https://git.kernel.org/stable/c/575faea557f1a184a5f09661bd47ebd3ef3769f8"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aca63f0bcd679ae28e9b99823c608e59ce3"
},
{
"url": "https://git.kernel.org/stable/c/a2ea1ef0167d7a84730638d05c20ccdc421b14b6"
},
{
"url": "https://git.kernel.org/stable/c/1b6f13f626665cac67ba5a012765427680518711"
},
{
"url": "https://git.kernel.org/stable/c/e0bb732eaf77f9ac2f2638bdac9e39b81e0a9682"
},
{
"url": "https://git.kernel.org/stable/c/48a5fe38772b6f039522469ee6131a67838221a8"
}
],
"title": "tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31662",
"datePublished": "2026-04-24T14:45:12.593Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:47.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31699 (GCVE-0-2026-31699)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:55 – Updated: 2026-05-03 05:45
Title
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
Summary
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405

  CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
  Call Trace:
  <TASK>
  dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
  print_address_description ../mm/kasan/report.c:378 [inline]
  print_report+0xbc/0x260 ../mm/kasan/report.c:482
  kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
  check_region_inline ../mm/kasan/generic.c:-1 [inline]
  kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
  instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  copy_to_user ../include/linux/uaccess.h:236 [inline]
  sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
  sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
  vfs_ioctl ../fs/ioctl.c:51 [inline]
  __do_sys_ioctl ../fs/ioctl.c:597 [inline]
  __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
  do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  </TASK>

WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.
Severity
7.1 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e799035609e1526761aa2f896a974b233d04d36d , < 607ba280f2adb5092cf5386c3935afac2ca0031a (git) |
| Linux | Linux | Affected: e799035609e1526761aa2f896a974b233d04d36d , < 59e9ae81f8670ccc780bc75f45a355736f640ec9 (git) |
| Linux | Linux | Affected: e799035609e1526761aa2f896a974b233d04d36d , < 111dcc6d0f016076745824a787d25609d0022f4c (git) |
| Linux | Linux | Affected: e799035609e1526761aa2f896a974b233d04d36d , < 3b4fd8f15765d9a3105b834dba8a05d025e5e16e (git) |
| Linux | Linux | Affected: e799035609e1526761aa2f896a974b233d04d36d , < abe4a6d6f606113251868c2c4a06ba904bb41eed (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "607ba280f2adb5092cf5386c3935afac2ca0031a",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "59e9ae81f8670ccc780bc75f45a355736f640ec9",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "111dcc6d0f016076745824a787d25609d0022f4c",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "3b4fd8f15765d9a3105b834dba8a05d025e5e16e",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
},
{
"lessThan": "abe4a6d6f606113251868c2c4a06ba904bb41eed",
"status": "affected",
"version": "e799035609e1526761aa2f896a974b233d04d36d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/ccp/sev-dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don\u0027t attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don\u0027t attempt to copy the blob to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n 
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:24.567Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/607ba280f2adb5092cf5386c3935afac2ca0031a"
},
{
"url": "https://git.kernel.org/stable/c/59e9ae81f8670ccc780bc75f45a355736f640ec9"
},
{
"url": "https://git.kernel.org/stable/c/111dcc6d0f016076745824a787d25609d0022f4c"
},
{
"url": "https://git.kernel.org/stable/c/3b4fd8f15765d9a3105b834dba8a05d025e5e16e"
},
{
"url": "https://git.kernel.org/stable/c/abe4a6d6f606113251868c2c4a06ba904bb41eed"
}
],
"title": "crypto: ccp: Don\u0027t attempt to copy CSR to userspace if PSP command failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31699",
"datePublished": "2026-05-01T13:55:59.520Z",
"dateReserved": "2026-03-09T15:48:24.131Z",
"dateUpdated": "2026-05-03T05:45:24.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31711 (GCVE-0-2026-31711)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-03 05:45
Title
smb: server: fix active_num_conn leak on transport allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix active_num_conn leak on transport allocation failure

Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path. The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter. Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected. The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections". With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.
Severity
7.5 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 , < 97f8d2648ef4871e4cd335e2d769cb40054a6772 (git) |
| Linux | Linux | Affected: 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 , < 295a9fc6789d1011c36ded9f0f2907bb34fa0de4 (git) |
| Linux | Linux | Affected: 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 , < 283027aa93380380a0994f35dde3ec95318f2654 (git) |
| Linux | Linux | Affected: 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 , < fb48185bcd946d42de7017cf27f912f8ab26acf0 (git) |
| Linux | Linux | Affected: 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 , < 6551300dc452ac16a855a83dbd1e74899542d3b3 (git) |
| Linux | Linux | Affected: 4210c3555db4b38bade92331b153e583261f05f9 (git) |
| Linux | Linux | Affected: d5d7847e57ac69fa99c18b363a34419bcdb5a281 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "97f8d2648ef4871e4cd335e2d769cb40054a6772",
"status": "affected",
"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16",
"versionType": "git"
},
{
"lessThan": "295a9fc6789d1011c36ded9f0f2907bb34fa0de4",
"status": "affected",
"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16",
"versionType": "git"
},
{
"lessThan": "283027aa93380380a0994f35dde3ec95318f2654",
"status": "affected",
"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16",
"versionType": "git"
},
{
"lessThan": "fb48185bcd946d42de7017cf27f912f8ab26acf0",
"status": "affected",
"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16",
"versionType": "git"
},
{
"lessThan": "6551300dc452ac16a855a83dbd1e74899542d3b3",
"status": "affected",
"version": "0d0d4680db22eda1eea785c47bbf66a9b33a8b16",
"versionType": "git"
},
{
"status": "affected",
"version": "4210c3555db4b38bade92331b153e583261f05f9",
"versionType": "git"
},
{
"status": "affected",
"version": "d5d7847e57ac69fa99c18b363a34419bcdb5a281",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath. The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter. Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected. The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\". 
With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:45:34.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772"
},
{
"url": "https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4"
},
{
"url": "https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654"
},
{
"url": "https://git.kernel.org/stable/c/fb48185bcd946d42de7017cf27f912f8ab26acf0"
},
{
"url": "https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3"
}
],
"title": "smb: server: fix active_num_conn leak on transport allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31711",
"datePublished": "2026-05-01T13:56:07.904Z",
"dateReserved": "2026-03-09T15:48:24.133Z",
"dateUpdated": "2026-05-03T05:45:34.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31661 (GCVE-0-2026-31661)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
Title
wifi: brcmsmac: Fix dma_free_coherent() size
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is
saved in alloced.
Change the free size to match the allocation size.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < f449676bab54fea1440775c8c915dadb323fe015 (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 3c204a0fd079fa7a867151a47d830ad1c2db5177 (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 0f87777b74bcce29b966ec42d9aa8f9edd9b1667 (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 4bf41c2731a0549e21f66180ff780b1e036639ab (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 77263f053963dea9f3962505ac0c768853d7dc59 (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 01f1330d3d1bee07e0c42d40cc48b7be8b6dad84 (git) |
| Linux | Linux | Affected: 5b435de0d786869c95d1962121af0d7df2542009, < 12cd7632757a54ce586e36040210b1a738a0fc53 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f449676bab54fea1440775c8c915dadb323fe015",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "3c204a0fd079fa7a867151a47d830ad1c2db5177",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "0f87777b74bcce29b966ec42d9aa8f9edd9b1667",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "4bf41c2731a0549e21f66180ff780b1e036639ab",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "77263f053963dea9f3962505ac0c768853d7dc59",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "01f1330d3d1bee07e0c42d40cc48b7be8b6dad84",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
},
{
"lessThan": "12cd7632757a54ce586e36040210b1a738a0fc53",
"status": "affected",
"version": "5b435de0d786869c95d1962121af0d7df2542009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:45:11.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015"
},
{
"url": "https://git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177"
},
{
"url": "https://git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667"
},
{
"url": "https://git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab"
},
{
"url": "https://git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59"
},
{
"url": "https://git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa"
},
{
"url": "https://git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84"
},
{
"url": "https://git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53"
}
],
"title": "wifi: brcmsmac: Fix dma_free_coherent() size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31661",
"datePublished": "2026-04-24T14:45:11.917Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-24T14:45:11.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31594 (GCVE-0-2026-31594)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 13:56
Title
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is
supposed to perform later. This leads to an oops when .allow_link fails
or when .drop_link is performed. The following is an example oops of the
former case:
  Unable to handle kernel paging request at virtual address dead000000000108
  [...]
  [dead000000000108] address between user and kernel address ranges
  Internal error: Oops: 0000000096000044 [#1] SMP
  [...]
  Call trace:
    pci_epc_remove_epf+0x78/0xe0 (P)
    pci_primary_epc_epf_link+0x88/0xa8
    configfs_symlink+0x1f4/0x5a0
    vfs_symlink+0x134/0x1d8
    do_symlinkat+0x88/0x138
    __arm64_sys_symlinkat+0x74/0xe0
  [...]
Remove the helper, and drop pci_epc_put(). EPC device refcounting is
tied to the configfs EPC group lifetime, and pci_epc_put() in the
.drop_link path is sufficient.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < e238ab12556b00f3b4d8b870b32ba1e4f4d4ebc2 (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < 73bf218de28d039126dc64281d2b47dd3c46a0a3 (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < 478e776101592eb63298714e96823ef78a3295ec (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < a7a3cab4d33fd8a8aed864c447d0d7c99e85404e (git) |
| Linux | Linux | Affected: e35f56bb03304abc92c928b641af41ca372966bb, < 0da63230d3ec1ec5fcc443a2314233e95bfece54 (git) |
| Linux | Linux | Affected: e2b6ef72b7aea9d7d480d2df499bcd1c93247abb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-vntb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e238ab12556b00f3b4d8b870b32ba1e4f4d4ebc2",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "73bf218de28d039126dc64281d2b47dd3c46a0a3",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "478e776101592eb63298714e96823ef78a3295ec",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "a7a3cab4d33fd8a8aed864c447d0d7c99e85404e",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"lessThan": "0da63230d3ec1ec5fcc443a2314233e95bfece54",
"status": "affected",
"version": "e35f56bb03304abc92c928b641af41ca372966bb",
"versionType": "git"
},
{
"status": "affected",
"version": "e2b6ef72b7aea9d7d480d2df499bcd1c93247abb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/endpoint/functions/pci-epf-vntb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.153",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to perform later. This leads to an oops when .allow_link fails\nor when .drop_link is performed. The following is an example oops of the\nformer case:\n\n Unable to handle kernel paging request at virtual address dead000000000108\n [...]\n [dead000000000108] address between user and kernel address ranges\n Internal error: Oops: 0000000096000044 [#1] SMP\n [...]\n Call trace:\n pci_epc_remove_epf+0x78/0xe0 (P)\n pci_primary_epc_epf_link+0x88/0xa8\n configfs_symlink+0x1f4/0x5a0\n vfs_symlink+0x134/0x1d8\n do_symlinkat+0x88/0x138\n __arm64_sys_symlinkat+0x74/0xe0\n [...]\n\nRemove the helper, and drop pci_epc_put(). EPC device refcounting is\ntied to the configfs EPC group lifetime, and pci_epc_put() in the\n.drop_link path is sufficient."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:37.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e238ab12556b00f3b4d8b870b32ba1e4f4d4ebc2"
},
{
"url": "https://git.kernel.org/stable/c/73bf218de28d039126dc64281d2b47dd3c46a0a3"
},
{
"url": "https://git.kernel.org/stable/c/cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a"
},
{
"url": "https://git.kernel.org/stable/c/478e776101592eb63298714e96823ef78a3295ec"
},
{
"url": "https://git.kernel.org/stable/c/a7a3cab4d33fd8a8aed864c447d0d7c99e85404e"
},
{
"url": "https://git.kernel.org/stable/c/0da63230d3ec1ec5fcc443a2314233e95bfece54"
}
],
"title": "PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31594",
"datePublished": "2026-04-24T14:42:20.556Z",
"dateReserved": "2026-03-09T15:48:24.121Z",
"dateUpdated": "2026-04-27T13:56:37.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31622 (GCVE-0-2026-31622)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 14:04
Title
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device. The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).
ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this. This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.
Fix this by rejecting the response when the accumulated UID would exceed
the buffer.
Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.
Severity
8.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < 2819f34e08bdffb6f06a51c67948ec5737fb166a (git) |
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < 1bec5698b55aa2be5c3b983dba657c01d0fd3dbc (git) |
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < 5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1 (git) |
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < 8d9d9bf3565271ca7ab9c716a94e87296177e7ba (git) |
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < cc024a3de265ef6c58957f4990eccb9f806208cb (git) |
| Linux | Linux | Affected: 2c66daecc4092e6049673c281b2e6f0d5e59a94c, < 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/digital_technology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2819f34e08bdffb6f06a51c67948ec5737fb166a",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
},
{
"lessThan": "1bec5698b55aa2be5c3b983dba657c01d0fd3dbc",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
},
{
"lessThan": "5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
},
{
"lessThan": "8d9d9bf3565271ca7ab9c716a94e87296177e7ba",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
},
{
"lessThan": "cc024a3de265ef6c58957f4990eccb9f806208cb",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
},
{
"lessThan": "46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1",
"status": "affected",
"version": "2c66daecc4092e6049673c281b2e6f0d5e59a94c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/digital_technology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: Bounds check NFC-A cascade depth in SDD response handler\n\nThe NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3\nor 4 bytes to target-\u003enfcid1 on each round, but the number of cascade\nrounds is controlled entirely by the peer device. The peer sets the\ncascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the\ncascade-incomplete bit in the SEL_RES (deciding whether another round\nfollows).\n\nISO 14443-3 limits NFC-A to three cascade levels and target-\u003enfcid1 is\nsized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver\nactually enforces this. This means a malicious peer can keep the\ncascade running, writing past the heap-allocated nfc_target with each\nround.\n\nFix this by rejecting the response when the accumulated UID would exceed\nthe buffer.\n\nCommit e329e71013c9 (\"NFC: nci: Bounds check struct nfc_target arrays\")\nfixed similar missing checks against the same field on the NCI path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:26.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2819f34e08bdffb6f06a51c67948ec5737fb166a"
},
{
"url": "https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc"
},
{
"url": "https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1"
},
{
"url": "https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba"
},
{
"url": "https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb"
},
{
"url": "https://git.kernel.org/stable/c/46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1"
}
],
"title": "NFC: digital: Bounds check NFC-A cascade depth in SDD response handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31622",
"datePublished": "2026-04-24T14:42:39.916Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T14:04:26.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31667 (GCVE-0-2026-31667)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04
Title
Input: uinput - fix circular locking dependency with ff-core
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - fix circular locking dependency with ff-core
A lockdep circular locking dependency warning can be triggered
reproducibly when using a force-feedback gamepad with uinput (for
example, playing ELDEN RING under Wine with a Flydigi Vader 5
controller):
  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex
The cycle is caused by four lock acquisition paths:
1. ff upload: input_ff_upload() holds ff->mutex and calls
   uinput_dev_upload_effect() -> uinput_request_submit() ->
   uinput_request_send(), which acquires udev->mutex.
2. device create: uinput_ioctl_handler() holds udev->mutex and calls
   uinput_create_device() -> input_register_device(), which acquires
   input_mutex.
3. device register: input_register_device() holds input_mutex and
   calls kbd_connect() -> input_register_handle(), which acquires
   dev->mutex.
4. evdev release: evdev_release() calls input_flush_device() under
   dev->mutex, which calls input_ff_flush() acquiring ff->mutex.
Fix this by introducing a new state_lock spinlock to protect
udev->state and udev->dev access in uinput_request_send() instead of
acquiring udev->mutex. The function only needs to atomically check
device state and queue an input event into the ring buffer via
uinput_dev_event() -- both operations are safe under a spinlock
(ktime_get_ts64() and wake_up_interruptible() do not sleep). This
breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in
the lock ordering and cannot form cycles with mutexes.
To keep state transitions visible to uinput_request_send(), protect
writes to udev->state in uinput_create_device() and
uinput_destroy_device() with the same state_lock spinlock.
Additionally, move init_completion(&request->done) from
uinput_request_send() to uinput_request_submit() before
uinput_request_reserve_slot(). Once the slot is allocated,
uinput_flush_requests() may call complete() on it at any time from
the destroy path, so the completion must be initialised before the
request becomes visible.
Lock ordering after the fix:
  ff->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
Severity
7.8 (High)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 71a9729f412e2c692a35c542e14b706fb342927f (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 271ee71a1917b89f6d73ec82dd091c33d92ee617 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 974f7b138c3a96dd5cd53d1b33409cd7b2229dc6 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 546c18a14924eb521fe168d916d7ce28f1e13c1d (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < a3d6c9c053c9c605651508569230ead633b13f76 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 1e09dfbb4f5d20ee111f92325a00f85778a5f328 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 1534661043c434b81cfde26b97a2fb2460329cf0 (git) |
| Linux | Linux | Affected: ff462551235d8d7d843a005950bc90924fcedede, < 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71a9729f412e2c692a35c542e14b706fb342927f",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "271ee71a1917b89f6d73ec82dd091c33d92ee617",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "974f7b138c3a96dd5cd53d1b33409cd7b2229dc6",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "546c18a14924eb521fe168d916d7ce28f1e13c1d",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "a3d6c9c053c9c605651508569230ead633b13f76",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1e09dfbb4f5d20ee111f92325a00f85778a5f328",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "1534661043c434b81cfde26b97a2fb2460329cf0",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
},
{
"lessThan": "4cda78d6f8bf2b700529f2fbccb994c3e826d7c2",
"status": "affected",
"version": "ff462551235d8d7d843a005950bc90924fcedede",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n ff-\u003emutex -\u003e udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff-\u003emutex and calls\n uinput_dev_upload_effect() -\u003e uinput_request_submit() -\u003e\n uinput_request_send(), which acquires udev-\u003emutex.\n\n2. device create: uinput_ioctl_handler() holds udev-\u003emutex and calls\n uinput_create_device() -\u003e input_register_device(), which acquires\n input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n calls kbd_connect() -\u003e input_register_handle(), which acquires\n dev-\u003emutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n dev-\u003emutex, which calls input_ff_flush() acquiring ff-\u003emutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev-\u003estate and udev-\u003edev access in uinput_request_send() instead of\nacquiring udev-\u003emutex. The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep). This\nbreaks the ff-\u003emutex -\u003e udev-\u003emutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev-\u003estate in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(\u0026request-\u003edone) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot(). Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n ff-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e state_lock (spinlock, leaf)\n udev-\u003emutex -\u003e input_mutex -\u003e dev-\u003emutex -\u003e ff-\u003emutex (no back-edge)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:51.563Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71a9729f412e2c692a35c542e14b706fb342927f"
},
{
"url": "https://git.kernel.org/stable/c/271ee71a1917b89f6d73ec82dd091c33d92ee617"
},
{
"url": "https://git.kernel.org/stable/c/974f7b138c3a96dd5cd53d1b33409cd7b2229dc6"
},
{
"url": "https://git.kernel.org/stable/c/546c18a14924eb521fe168d916d7ce28f1e13c1d"
},
{
"url": "https://git.kernel.org/stable/c/a3d6c9c053c9c605651508569230ead633b13f76"
},
{
"url": "https://git.kernel.org/stable/c/1e09dfbb4f5d20ee111f92325a00f85778a5f328"
},
{
"url": "https://git.kernel.org/stable/c/1534661043c434b81cfde26b97a2fb2460329cf0"
},
{
"url": "https://git.kernel.org/stable/c/4cda78d6f8bf2b700529f2fbccb994c3e826d7c2"
}
],
"title": "Input: uinput - fix circular locking dependency with ff-core",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31667",
"datePublished": "2026-04-24T14:45:15.937Z",
"dateReserved": "2026-03-09T15:48:24.129Z",
"dateUpdated": "2026-04-27T14:04:51.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31533 (GCVE-0-2026-31533)
Vulnerability from cvelistv5 – Published: 2026-04-23 15:11 – Updated: 2026-04-27 14:03
Title
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
The -EBUSY handling in tls_do_encryption(), introduced by commit
859054147318 ("net: tls: handle backlogging of crypto requests"), has
a use-after-free due to double cleanup of encrypt_pending and the
scatterlist entry.
When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
the cryptd backlog and the async callback tls_encrypt_done() will be
invoked upon completion. That callback unconditionally restores the
scatterlist entry (sge->offset, sge->length) and decrements
ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
error, the synchronous error path in tls_do_encryption() performs the
same cleanup again, double-decrementing encrypt_pending and
double-restoring the scatterlist.
The double-decrement corrupts the encrypt_pending sentinel (initialized
to 1), making tls_encrypt_async_wait() permanently skip the wait for
pending async callbacks. A subsequent sendmsg can then free the
tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
pending, resulting in a use-after-free when the callback fires on the
freed record.
Fix this by skipping the synchronous cleanup when the -EBUSY async
wait returns an error, since the callback has already handled
encrypt_pending and sge restoration.
Severity
9.8 (Critical)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3ade391adc584f17b5570fd205de3ad029090368 , < 414fc5e5a5aff776c150f1b86770e0a25a35df3a (git) |
| Linux | Linux | Affected: cd1bbca03f3c1d845ce274c0d0a66de8e5929f72 , < 02f3ecadb23558bbe068e6504118f1b712d4ece0 (git) |
| Linux | Linux | Affected: 13eca403876bbea3716e82cdfe6f1e6febb38754 , < 0e43e0a3c94044acc74b8e0927c27972eb5a59e8 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3 , < aa9facde6c5005205874c37db3fd25799d741baf (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3 , < 5d70eb25b41e9b010828cd12818b06a0c3b04412 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3 , < 2694d408b0e595024e0fc1d64ff9db0358580f74 (git) |
| Linux | Linux | Affected: 8590541473188741055d27b955db0777569438e3 , < a9b8b18364fffce4c451e6f6fd218fa4ab646705 (git) |
| Linux | Linux | Affected: ab6397f072e5097f267abf5cb08a8004e6b17694 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "414fc5e5a5aff776c150f1b86770e0a25a35df3a",
"status": "affected",
"version": "3ade391adc584f17b5570fd205de3ad029090368",
"versionType": "git"
},
{
"lessThan": "02f3ecadb23558bbe068e6504118f1b712d4ece0",
"status": "affected",
"version": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72",
"versionType": "git"
},
{
"lessThan": "0e43e0a3c94044acc74b8e0927c27972eb5a59e8",
"status": "affected",
"version": "13eca403876bbea3716e82cdfe6f1e6febb38754",
"versionType": "git"
},
{
"lessThan": "aa9facde6c5005205874c37db3fd25799d741baf",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "5d70eb25b41e9b010828cd12818b06a0c3b04412",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "2694d408b0e595024e0fc1d64ff9db0358580f74",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"lessThan": "a9b8b18364fffce4c451e6f6fd218fa4ab646705",
"status": "affected",
"version": "8590541473188741055d27b955db0777569438e3",
"versionType": "git"
},
{
"status": "affected",
"version": "ab6397f072e5097f267abf5cb08a8004e6b17694",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "6.1.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "6.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge-\u003eoffset, sge-\u003elength) and decrements\nctx-\u003eencrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:03:54.811Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/414fc5e5a5aff776c150f1b86770e0a25a35df3a"
},
{
"url": "https://git.kernel.org/stable/c/02f3ecadb23558bbe068e6504118f1b712d4ece0"
},
{
"url": "https://git.kernel.org/stable/c/0e43e0a3c94044acc74b8e0927c27972eb5a59e8"
},
{
"url": "https://git.kernel.org/stable/c/aa9facde6c5005205874c37db3fd25799d741baf"
},
{
"url": "https://git.kernel.org/stable/c/5d70eb25b41e9b010828cd12818b06a0c3b04412"
},
{
"url": "https://git.kernel.org/stable/c/2694d408b0e595024e0fc1d64ff9db0358580f74"
},
{
"url": "https://git.kernel.org/stable/c/a9b8b18364fffce4c451e6f6fd218fa4ab646705"
}
],
"title": "net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31533",
"datePublished": "2026-04-23T15:11:06.955Z",
"dateReserved": "2026-03-09T15:48:24.113Z",
"dateUpdated": "2026-04-27T14:03:54.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31628 (GCVE-0-2026-31628)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-27 11:01
Title
x86/CPU: Fix FPDSS on Zen1
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU: Fix FPDSS on Zen1
Zen1's hardware divider can leave, under certain circumstances, partial
results from previous operations. Those results can be leaked by
another, attacker thread.
Fix that with a chicken bit.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < ed7a3a246309ccc807238f1b4f159ee6d37ff9c4 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < 0548529af20e68c6552817834b766646dd3bd7a7 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < 1272cfedf4cd1019ddf583917a99b62f2d3645bb (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < 91f02726b2203b71545713ecb7fb006e60a2d66f (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < b731aca06387b195058a9f6449a03b62efa1bd10 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < ad17f07e95e6e8505e2153e5b391f0d27eacce25 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < e6af5286efe5a56128b34032572c9ce9ebeccda3 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < 546785c719418c6166834a47e372a88f5f7ae893 (git) |
| Linux | Linux | Affected: f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 , < e55d98e7756135f32150b9b8f75d580d0d4b2dd3 (git) |
| Linux | Linux | Affected: 5abd1583e06b3963e5c9d915760367de86808b78 (git) |
| Linux | Linux | Affected: 4ba461d426490b6ed7e8298c4d3b7a13aa5d2686 (git) |
| Linux | Linux | Affected: 5a63725cd18fcee2af6ec46ccb856b64ad3077b4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/msr-index.h",
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed7a3a246309ccc807238f1b4f159ee6d37ff9c4",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "0548529af20e68c6552817834b766646dd3bd7a7",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "1272cfedf4cd1019ddf583917a99b62f2d3645bb",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "91f02726b2203b71545713ecb7fb006e60a2d66f",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "b731aca06387b195058a9f6449a03b62efa1bd10",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "ad17f07e95e6e8505e2153e5b391f0d27eacce25",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "e6af5286efe5a56128b34032572c9ce9ebeccda3",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "546785c719418c6166834a47e372a88f5f7ae893",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"lessThan": "e55d98e7756135f32150b9b8f75d580d0d4b2dd3",
"status": "affected",
"version": "f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9",
"versionType": "git"
},
{
"status": "affected",
"version": "5abd1583e06b3963e5c9d915760367de86808b78",
"versionType": "git"
},
{
"status": "affected",
"version": "4ba461d426490b6ed7e8298c4d3b7a13aa5d2686",
"versionType": "git"
},
{
"status": "affected",
"version": "5a63725cd18fcee2af6ec46ccb856b64ad3077b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/msr-index.h",
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.144",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1\u0027s hardware divider can leave, under certain circumstances, partial\nresults from previous operations. Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T11:01:33.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed7a3a246309ccc807238f1b4f159ee6d37ff9c4"
},
{
"url": "https://git.kernel.org/stable/c/0548529af20e68c6552817834b766646dd3bd7a7"
},
{
"url": "https://git.kernel.org/stable/c/1272cfedf4cd1019ddf583917a99b62f2d3645bb"
},
{
"url": "https://git.kernel.org/stable/c/91f02726b2203b71545713ecb7fb006e60a2d66f"
},
{
"url": "https://git.kernel.org/stable/c/b731aca06387b195058a9f6449a03b62efa1bd10"
},
{
"url": "https://git.kernel.org/stable/c/ad17f07e95e6e8505e2153e5b391f0d27eacce25"
},
{
"url": "https://git.kernel.org/stable/c/e6af5286efe5a56128b34032572c9ce9ebeccda3"
},
{
"url": "https://git.kernel.org/stable/c/546785c719418c6166834a47e372a88f5f7ae893"
},
{
"url": "https://git.kernel.org/stable/c/e55d98e7756135f32150b9b8f75d580d0d4b2dd3"
}
],
"title": "x86/CPU: Fix FPDSS on Zen1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31628",
"datePublished": "2026-04-24T14:42:49.181Z",
"dateReserved": "2026-03-09T15:48:24.124Z",
"dateUpdated": "2026-04-27T11:01:33.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}