Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0809
Vulnerability from certfr_avis - Published: 2026-06-26 - Updated: 2026-06-26
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-45842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45842"
},
{
"name": "CVE-2026-45845",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45845"
},
{
"name": "CVE-2025-22069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22069"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-31486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31486"
},
{
"name": "CVE-2026-23346",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23346"
},
{
"name": "CVE-2026-23247",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23247"
},
{
"name": "CVE-2026-46170",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46170"
},
{
"name": "CVE-2026-46117",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46117"
},
{
"name": "CVE-2025-71289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71289"
},
{
"name": "CVE-2026-31613",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31613"
},
{
"name": "CVE-2026-43331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43331"
},
{
"name": "CVE-2026-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46158"
},
{
"name": "CVE-2026-46320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46320"
},
{
"name": "CVE-2026-46137",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46137"
},
{
"name": "CVE-2026-45841",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45841"
},
{
"name": "CVE-2026-46331",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46331"
},
{
"name": "CVE-2026-23469",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23469"
},
{
"name": "CVE-2026-31420",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31420"
},
{
"name": "CVE-2026-46203",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46203"
},
{
"name": "CVE-2026-31663",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31663"
},
{
"name": "CVE-2026-45846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45846"
},
{
"name": "CVE-2026-46323",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46323"
},
{
"name": "CVE-2025-68768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68768"
},
{
"name": "CVE-2026-46315",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46315"
},
{
"name": "CVE-2025-68251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68251"
},
{
"name": "CVE-2026-46321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46321"
},
{
"name": "CVE-2026-52908",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52908"
},
{
"name": "CVE-2026-45840",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45840"
},
{
"name": "CVE-2026-45844",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45844"
},
{
"name": "CVE-2026-52910",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52910"
},
{
"name": "CVE-2026-45930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45930"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46244",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46244"
},
{
"name": "CVE-2026-31717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31717"
},
{
"name": "CVE-2026-52911",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52911"
},
{
"name": "CVE-2026-45843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45843"
},
{
"name": "CVE-2026-46316",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46316"
},
{
"name": "CVE-2026-46160",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46160"
},
{
"name": "CVE-2026-43303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43303"
},
{
"name": "CVE-2026-43245",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43245"
},
{
"name": "CVE-2026-52909",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-52909"
},
{
"name": "CVE-2026-23394",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23394"
},
{
"name": "CVE-2026-45838",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45838"
},
{
"name": "CVE-2026-23272",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23272"
},
{
"name": "CVE-2026-31560",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31560"
},
{
"name": "CVE-2026-46216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46216"
},
{
"name": "CVE-2026-46275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46275"
},
{
"name": "CVE-2026-45850",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45850"
},
{
"name": "CVE-2026-43116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43116"
},
{
"name": "CVE-2026-46322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46322"
},
{
"name": "CVE-2026-45839",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45839"
},
{
"name": "CVE-2026-43219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43219"
}
],
"initial_release_date": "2026-06-26T00:00:00",
"last_revision_date": "2026-06-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0809",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian",
"vendor_advisories": [
{
"published_at": "2026-06-21",
"title": "Bulletin de s\u00e9curit\u00e9 Debian msg00266",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00266.html"
}
]
}
CVE-2026-52909 (GCVE-0-2026-52909)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-07-04 11:50
VLAI
EPSS
VEX
Title
ip6_vti: set netns_immutable on the fallback device.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: set netns_immutable on the fallback device.
john1988 and Noam Rathaus reported that vti6_init_net() does not set the
netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
correctly set this flag during their fallback device initialization to
prevent them from being moved to another network namespace.
Severity
7.8 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
61220ab349485d911083d0b7990ccd3db6c63297 , < 12acc977838c943636fb01e2f3087d2e4cc3b7cc
(git)
Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < 7f28e3948c59481f8db9c9638e204258d26b4e41 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < 12c65e2c7fef507551bd7b52123598a761662c01 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < f4b6b4af7ef0661ac153c6f7eb1030aa8482c1a3 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < c5dbd669db5a426b3025512322e1bf2cdbe14305 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < ecf8904067dcba0dad86ece80874841e60317885 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < dcdce3bc9f08026ff3739ee7339e1bef526fc5f3 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < d289d5307762d1838aaece22c6b6fcad9e8865f9 (git) |
|
| Linux | Linux |
Affected:
3.15
Unaffected: 0 , < 3.15 (semver) Unaffected: 5.10.260 , ≤ 5.10.* (semver) Unaffected: 5.15.211 , ≤ 5.15.* (semver) Unaffected: 6.1.177 , ≤ 6.1.* (semver) Unaffected: 6.6.144 , ≤ 6.6.* (semver) Unaffected: 6.12.95 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12acc977838c943636fb01e2f3087d2e4cc3b7cc",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "7f28e3948c59481f8db9c9638e204258d26b4e41",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "12c65e2c7fef507551bd7b52123598a761662c01",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "f4b6b4af7ef0661ac153c6f7eb1030aa8482c1a3",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "c5dbd669db5a426b3025512322e1bf2cdbe14305",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "ecf8904067dcba0dad86ece80874841e60317885",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "dcdce3bc9f08026ff3739ee7339e1bef526fc5f3",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "d289d5307762d1838aaece22c6b6fcad9e8865f9",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.260",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.260",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.211",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.177",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.144",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.95",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T11:50:46.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12acc977838c943636fb01e2f3087d2e4cc3b7cc"
},
{
"url": "https://git.kernel.org/stable/c/7f28e3948c59481f8db9c9638e204258d26b4e41"
},
{
"url": "https://git.kernel.org/stable/c/12c65e2c7fef507551bd7b52123598a761662c01"
},
{
"url": "https://git.kernel.org/stable/c/f4b6b4af7ef0661ac153c6f7eb1030aa8482c1a3"
},
{
"url": "https://git.kernel.org/stable/c/c5dbd669db5a426b3025512322e1bf2cdbe14305"
},
{
"url": "https://git.kernel.org/stable/c/ecf8904067dcba0dad86ece80874841e60317885"
},
{
"url": "https://git.kernel.org/stable/c/dcdce3bc9f08026ff3739ee7339e1bef526fc5f3"
},
{
"url": "https://git.kernel.org/stable/c/d289d5307762d1838aaece22c6b6fcad9e8865f9"
}
],
"title": "ip6_vti: set netns_immutable on the fallback device.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52909",
"datePublished": "2026-06-19T14:43:33.214Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-07-04T11:50:46.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52910 (GCVE-0-2026-52910)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-07-07 12:05
VLAI
EPSS
VEX
Title
bpf: Free reuseport cBPF prog after RCU grace period.
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free reuseport cBPF prog after RCU grace period.
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU
grace period.
Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
__udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
__udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
__udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6181 [inline]
__netif_receive_skb net/core/dev.c:6294 [inline]
process_backlog+0xaa4/0x1960 net/core/dev.c:6645
__napi_poll+0xae/0x340 net/core/dev.c:7709
napi_poll net/core/dev.c:7772 [inline]
net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
handle_softirqs+0x22b/0x870 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
__dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x554/0x680 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11:
---truncated---
Severity
7.8 (High)
6.4 (Medium)
CWE
- CWE-364 - Signal Handler Race Condition
Assigner
References
11 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 08264d5bba0bdd3a79bc2984fee09286aba0c4eb
(git)
Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < fec41484e7c2aa7ded44c541bba98872be937754 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < c3e3fddda6b5d9ba505d218b4055e7d8a282ac57 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < f8b8f1d4bb76098e87b8269a0631019648330e6d (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 298db6167f81e9c470a57cf652e4e47757b4293e (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 87dfb977bdb6eaa47e9993a34e18f44970f88b1f (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 90e47dc5c572d1c73971ac51c7428803f42b78eb (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 18fc650ccd7fe3376eca89203668cfb8268f60df (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Linux kernel\u0027s Berkeley Packet Filter (BPF) reuseport mechanism. When a cBPF program is detached from a reuseport group, it is freed immediately without waiting for Read-Copy-Update (RCU) readers to complete. This can lead to a use-after-free condition, resulting in memory corruption (specifically, an out-of-bounds read) if another thread is simultaneously sending UDP packets to the reuseport group. This vulnerability can cause system instability and various other bugs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "Signal Handler Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T12:05:13.649Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-52910"
},
{
"name": "RHBZ#2490779",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490779"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52910.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-19T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "kernel: bpf: Free reuseport cBPF prog after RCU grace period",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08264d5bba0bdd3a79bc2984fee09286aba0c4eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "fec41484e7c2aa7ded44c541bba98872be937754",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "c3e3fddda6b5d9ba505d218b4055e7d8a282ac57",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "f8b8f1d4bb76098e87b8269a0631019648330e6d",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "298db6167f81e9c470a57cf652e4e47757b4293e",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "87dfb977bdb6eaa47e9993a34e18f44970f88b1f",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "90e47dc5c572d1c73971ac51c7428803f42b78eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "18fc650ccd7fe3376eca89203668cfb8268f60df",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free reuseport cBPF prog after RCU grace period.\n\nEulgyu Kim reported the splat below with a repro. [0]\n\nThe repro sets up a UDP reuseport group with a cBPF prog and\nreplaces it with a new one while another thread is sending\na UDP packet to the group.\n\nThe reuseport prog is freed by sk_reuseport_prog_free().\nbpf_prog_put() is called for \"e\"BPF prog to destruct through\nmultiple stages while cBPF prog is freed immediately by\nbpf_release_orig_filter() and bpf_prog_free().\n\nIf a reuseport prog is detached from the setsockopt() path\n(reuseport_attach_prog() or reuseport_detach_prog()),\nsk_reuseport_prog_free() is called without waiting for RCU\nreaders to complete, resulting in various bugs.\n\nLet\u0027s defer freeing the reuseport cBPF prog after one RCU\ngrace period.\n\nNote \"e\"BPF prog is safe as is unless the fast path starts\nto touch fields destroyed in bpf_prog_put_deferred() and\n__bpf_prog_put_noref().\n\n[0]:\nBUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\nRead of size 4 at addr ffffc9000051e004 by task slowme/10208\nCPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\n udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495\n __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723\n __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752\n __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752\n ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6181 [inline]\n __netif_receive_skb net/core/dev.c:6294 [inline]\n process_backlog+0xaa4/0x1960 net/core/dev.c:6645\n __napi_poll+0xae/0x340 net/core/dev.c:7709\n napi_poll net/core/dev.c:7772 [inline]\n net_rx_action+0x5d7/0xf50 net/core/dev.c:7929\n handle_softirqs+0x22b/0x870 kernel/softirq.c:622\n do_softirq+0x76/0xd0 kernel/softirq.c:523\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip_output+0x29f/0x450 net/ipv4/ip_output.c:438\n ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508\n udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195\n udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n __sys_sendto+0x554/0x680 net/socket.c:2206\n __do_sys_sendto net/socket.c:2213 [inline]\n __se_sys_sendto net/socket.c:2209 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2209\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x415a2d\nCode: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d\nRDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003\nRBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010\nR10: 0000000000000000 R11: \n---truncated---"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:27.818Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08264d5bba0bdd3a79bc2984fee09286aba0c4eb"
},
{
"url": "https://git.kernel.org/stable/c/fec41484e7c2aa7ded44c541bba98872be937754"
},
{
"url": "https://git.kernel.org/stable/c/c3e3fddda6b5d9ba505d218b4055e7d8a282ac57"
},
{
"url": "https://git.kernel.org/stable/c/f8b8f1d4bb76098e87b8269a0631019648330e6d"
},
{
"url": "https://git.kernel.org/stable/c/298db6167f81e9c470a57cf652e4e47757b4293e"
},
{
"url": "https://git.kernel.org/stable/c/87dfb977bdb6eaa47e9993a34e18f44970f88b1f"
},
{
"url": "https://git.kernel.org/stable/c/90e47dc5c572d1c73971ac51c7428803f42b78eb"
},
{
"url": "https://git.kernel.org/stable/c/18fc650ccd7fe3376eca89203668cfb8268f60df"
}
],
"title": "bpf: Free reuseport cBPF prog after RCU grace period.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52910",
"datePublished": "2026-06-19T14:43:33.952Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-07-07T12:05:13.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52911 (GCVE-0-2026-52911)
Vulnerability from cvelistv5 – Published: 2026-06-21 06:18 – Updated: 2026-06-28 06:36
VLAI
EPSS
VEX
Title
ksmbd: scope conn->binding slowpath to bound sessions only
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: scope conn->binding slowpath to bound sessions only
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Severity
8.8 (High)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f5a544e3bab78142207e0242d22442db85ba1eff , < e74c00c6af428a39e564cdc5bd3a3648c6d8de87
(git)
Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1ff46c9915c1cbf454db58a8cb87f7cac818e6a6 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 974c1c224e85549dc3459f3bb2255bbbdd2b9372 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 2cc8a4db633b10715450b291c1343859a4b2c509 (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < 1e2bec062c5c9ec282636715166056d0998d746d (git) Affected: f5a544e3bab78142207e0242d22442db85ba1eff , < b0da97c034b6107d14e537e212d4ce8b22109a58 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e74c00c6af428a39e564cdc5bd3a3648c6d8de87",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1ff46c9915c1cbf454db58a8cb87f7cac818e6a6",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "974c1c224e85549dc3459f3bb2255bbbdd2b9372",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "2cc8a4db633b10715450b291c1343859a4b2c509",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "1e2bec062c5c9ec282636715166056d0998d746d",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
},
{
"lessThan": "b0da97c034b6107d14e537e212d4ce8b22109a58",
"status": "affected",
"version": "f5a544e3bab78142207e0242d22442db85ba1eff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/user_session.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: scope conn-\u003ebinding slowpath to bound sessions only\n\nWhen the binding SESSION_SETUP sets conn-\u003ebinding = true, the flag stays\nset after the call so that the global session lookup in\nksmbd_session_lookup_all() can find the session, which was not added to\nconn-\u003esessions. Because the flag is connection-wide, the global lookup\npath will also resolve any other session by id if asked.\n\nTighten the global lookup so that the returned session must have this\nconnection registered in its channel xarray (sess-\u003eksmbd_chann_list).\nThe channel entry is installed by the existing binding_session path in\nntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes\nsuccessfully, so this condition is a strict equivalent of \"this\nconnection has been accepted as a channel of this session\". Connections\nthat have not bound to a given session cannot reach it via the global\ntable.\n\nThe existing conn-\u003ebinding gate for entering the slowpath is preserved\nso that non-binding connections keep the fast-path-only behavior, and\nthe session-\u003estate check is unchanged."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T06:36:29.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e74c00c6af428a39e564cdc5bd3a3648c6d8de87"
},
{
"url": "https://git.kernel.org/stable/c/e3a93ce6e25757b8f375e38b8f91e1d9da4edc1a"
},
{
"url": "https://git.kernel.org/stable/c/1ff46c9915c1cbf454db58a8cb87f7cac818e6a6"
},
{
"url": "https://git.kernel.org/stable/c/974c1c224e85549dc3459f3bb2255bbbdd2b9372"
},
{
"url": "https://git.kernel.org/stable/c/2cc8a4db633b10715450b291c1343859a4b2c509"
},
{
"url": "https://git.kernel.org/stable/c/1e2bec062c5c9ec282636715166056d0998d746d"
},
{
"url": "https://git.kernel.org/stable/c/b0da97c034b6107d14e537e212d4ce8b22109a58"
}
],
"title": "ksmbd: scope conn-\u003ebinding slowpath to bound sessions only",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52911",
"datePublished": "2026-06-21T06:18:49.342Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-28T06:36:29.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…