SUSE-SU-2026:1574-1 - Vulnerability-Lookup

SUSE-SU-2026:1574-1

Vulnerability from csaf_suse - Published: 2026-04-23 15:52 - Updated: 2026-04-23 15:52

Summary

Security update for the Linux Kernel

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel

Description of the patch: The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2025-38234: sched/rt: Fix race in push_rt_task (bsc#1246057). - CVE-2025-68818: scsi: Revert 'scsi: qla2xxx: Perform lockless command completion in abort path' (bsc#1256675). - CVE-2026-23103: ipvlan: Make the addrs_lock be per port (bsc#1257773). - CVE-2026-23243: RDMA/umad: Reject negative data_len in ib_umad_write (bsc#1259797). - CVE-2026-23272: netfilter: nf_tables: unconditionally bump set->nelems before insertion (bsc#1260009). - CVE-2026-23274: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (bsc#1260005). - CVE-2026-23317: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1260562). The following non-security bugs were fixed: - PCI/ACS: Fix 'pci=config_acs=' parameter (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix pci_slot_trylock() error handling (git-fixes). - PCI: dwc: ep: Return -ENOMEM for allocation failures (git-fixes). - PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() (git-fixes). - nvme-fc: use ctrl state getter (git-fixes bsc#1215492). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes). - x86/platform/uv: Handle deconfigured sockets (bsc#1260347).

Patchnames: SUSE-2026-1574,SUSE-SLE-Micro-5.5-2026-1574

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2025-38234

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-68818

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23103

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23243

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23272

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23274

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-23317

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-updates/2026…	self
	https://bugzilla.suse.com/1215492	self
	https://bugzilla.suse.com/1246057	self
	https://bugzilla.suse.com/1256675	self
	https://bugzilla.suse.com/1257773	self
	https://bugzilla.suse.com/1259797	self
	https://bugzilla.suse.com/1260005	self
	https://bugzilla.suse.com/1260009	self
	https://bugzilla.suse.com/1260347	self
	https://bugzilla.suse.com/1260562	self
	https://www.suse.com/security/cve/CVE-2025-38234/	self
	https://www.suse.com/security/cve/CVE-2025-68818/	self
	https://www.suse.com/security/cve/CVE-2026-23103/	self
	https://www.suse.com/security/cve/CVE-2026-23243/	self
	https://www.suse.com/security/cve/CVE-2026-23272/	self
	https://www.suse.com/security/cve/CVE-2026-23274/	self
	https://www.suse.com/security/cve/CVE-2026-23317/	self
	https://www.suse.com/security/cve/CVE-2025-38234	external
	https://bugzilla.suse.com/1246057	external
	https://www.suse.com/security/cve/CVE-2025-68818	external
	https://bugzilla.suse.com/1256675	external
	https://www.suse.com/security/cve/CVE-2026-23103	external
	https://bugzilla.suse.com/1257773	external
	https://www.suse.com/security/cve/CVE-2026-23243	external
	https://bugzilla.suse.com/1259797	external
	https://bugzilla.suse.com/1259798	external
	https://www.suse.com/security/cve/CVE-2026-23272	external
	https://bugzilla.suse.com/1260009	external
	https://bugzilla.suse.com/1260909	external
	https://www.suse.com/security/cve/CVE-2026-23274	external
	https://bugzilla.suse.com/1260005	external
	https://bugzilla.suse.com/1260908	external
	https://www.suse.com/security/cve/CVE-2026-23317	external
	https://bugzilla.suse.com/1260562	external
	https://bugzilla.suse.com/1260563	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes.\n\n\nThe following security bugs were fixed:\n\n- CVE-2025-38234: sched/rt: Fix race in push_rt_task (bsc#1246057).\n- CVE-2025-68818: scsi: Revert \u0027scsi: qla2xxx: Perform lockless command completion in abort path\u0027 (bsc#1256675).\n- CVE-2026-23103: ipvlan: Make the addrs_lock be per port (bsc#1257773).\n- CVE-2026-23243: RDMA/umad: Reject negative data_len in ib_umad_write (bsc#1259797).\n- CVE-2026-23272: netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion (bsc#1260009).\n- CVE-2026-23274: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (bsc#1260005).\n- CVE-2026-23317: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1260562).\n\nThe following non-security bugs were fixed:\n\n- PCI/ACS: Fix \u0027pci=config_acs=\u0027 parameter (git-fixes).\n- PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes).\n- PCI: Fix pci_slot_trylock() error handling (git-fixes).\n- PCI: dwc: ep: Return -ENOMEM for allocation failures (git-fixes).\n- PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() (git-fixes).\n- nvme-fc: use ctrl state getter (git-fixes bsc#1215492).\n- nvme-pci: fix queue unquiesce check on slot_reset (git-fixes).\n- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).\n- x86/platform/uv: Handle deconfigured sockets (bsc#1260347).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-1574,SUSE-SLE-Micro-5.5-2026-1574",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1574-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:1574-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261574-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:1574-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045916.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1215492",
        "url": "https://bugzilla.suse.com/1215492"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1246057",
        "url": "https://bugzilla.suse.com/1246057"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256675",
        "url": "https://bugzilla.suse.com/1256675"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1257773",
        "url": "https://bugzilla.suse.com/1257773"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259797",
        "url": "https://bugzilla.suse.com/1259797"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1260005",
        "url": "https://bugzilla.suse.com/1260005"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1260009",
        "url": "https://bugzilla.suse.com/1260009"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1260347",
        "url": "https://bugzilla.suse.com/1260347"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1260562",
        "url": "https://bugzilla.suse.com/1260562"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-38234 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-38234/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68818 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68818/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23103 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23103/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23243 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23243/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23272 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23272/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23274 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23274/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23317 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23317/"
      }
    ],
    "title": "Security update for the Linux Kernel",
    "tracking": {
      "current_release_date": "2026-04-23T15:52:59Z",
      "generator": {
        "date": "2026-04-23T15:52:59Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:1574-1",
      "initial_release_date": "2026-04-23T15:52:59Z",
      "revision_history": [
        {
          "date": "2026-04-23T15:52:59Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
                "product": {
                  "name": "kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
                  "product_id": "kernel-devel-rt-5.14.21-150500.13.127.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-source-rt-5.14.21-150500.13.127.1.noarch",
                "product": {
                  "name": "kernel-source-rt-5.14.21-150500.13.127.1.noarch",
                  "product_id": "kernel-source-rt-5.14.21-150500.13.127.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cluster-md-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "cluster-md-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "cluster-md-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "dlm-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "dlm-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "dlm-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "gfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "gfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-devel-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-devel-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-devel-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-extra-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-extra-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-extra-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-livepatch-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-livepatch-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-livepatch-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-livepatch-devel-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-livepatch-devel-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-livepatch-devel-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-optional-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-optional-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-optional-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-vdso-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt-vdso-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt-vdso-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt_debug-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt_debug-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt_debug-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt_debug-devel-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt_debug-devel-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt_debug-devel-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt_debug-vdso-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-rt_debug-vdso-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-rt_debug-vdso-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-syms-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kernel-syms-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kernel-syms-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kselftests-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "kselftests-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "kselftests-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ocfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "ocfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "ocfs2-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "reiserfs-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                "product": {
                  "name": "reiserfs-kmp-rt-5.14.21-150500.13.127.1.x86_64",
                  "product_id": "reiserfs-kmp-rt-5.14.21-150500.13.127.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.5",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.5",
                  "product_id": "SUSE Linux Enterprise Micro 5.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-devel-rt-5.14.21-150500.13.127.1.noarch as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch"
        },
        "product_reference": "kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-5.14.21-150500.13.127.1.x86_64 as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64"
        },
        "product_reference": "kernel-rt-5.14.21-150500.13.127.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-source-rt-5.14.21-150500.13.127.1.noarch as component of SUSE Linux Enterprise Micro 5.5",
          "product_id": "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        },
        "product_reference": "kernel-source-rt-5.14.21-150500.13.127.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-38234",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-38234"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? do_error_trap+0x64/0xa0\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? exc_invalid_op+0x4c/0x60\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? pick_next_task_rt+0x6e/0x1d0\n   __schedule+0x5cb/0x790\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? __warn+0x8a/0xe0\n   ? exc_page_fault+0x3d6/0x520\n   ? asm_exc_page_fault+0x1e/0x30\n   ? pick_next_task_rt+0xb5/0x1d0\n   ? pick_next_task_rt+0x8c/0x1d0\n   __schedule+0x583/0x7e0\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n   kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? do_error_trap+0x64/0xa0\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? exc_invalid_op+0x4c/0x60\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   dequeue_rt_entity+0x1f/0x70\n   dequeue_task_rt+0x2d/0x70\n   __schedule+0x1a8/0x7e0\n   ? blk_finish_plug+0x25/0x40\n   schedule+0x3c/0xb0\n   futex_wait_queue_me+0xb6/0x120\n   futex_wait+0xd9/0x240\n   do_futex+0x344/0xa90\n   ? get_mm_exe_file+0x30/0x60\n   ? audit_exe_compare+0x58/0x70\n   ? audit_filter_rules.constprop.26+0x65e/0x1220\n   __x64_sys_futex+0x148/0x1f0\n   do_syscall_64+0x30/0x80\n   entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? spurious_kernel_fault+0x171/0x1c0\n   ? exc_page_fault+0x3b6/0x520\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? asm_exc_page_fault+0x1e/0x30\n   ? _cond_resched+0x15/0x30\n   ? futex_wait_queue_me+0xc8/0x120\n   ? futex_wait+0xd9/0x240\n   ? try_to_wake_up+0x1b8/0x490\n   ? futex_wake+0x78/0x160\n   ? do_futex+0xcd/0xa90\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? plist_del+0x6a/0xd0\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? dequeue_pushable_task+0x20/0x70\n   ? __schedule+0x382/0x7e0\n   ? asm_sysvec_reschedule_i\n---truncated---",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-38234",
          "url": "https://www.suse.com/security/cve/CVE-2025-38234"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246057 for CVE-2025-38234",
          "url": "https://bugzilla.suse.com/1246057"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-38234"
    },
    {
      "cve": "CVE-2025-68818",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68818"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock.  But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n  0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n  0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n  ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash.  But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68818",
          "url": "https://www.suse.com/security/cve/CVE-2025-68818"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256675 for CVE-2025-68818",
          "url": "https://bugzilla.suse.com/1256675"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-68818"
    },
    {
      "cve": "CVE-2026-23103",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23103"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23103",
          "url": "https://www.suse.com/security/cve/CVE-2026-23103"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257773 for CVE-2026-23103",
          "url": "https://bugzilla.suse.com/1257773"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-23103"
    },
    {
      "cve": "CVE-2026-23243",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23243"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23243",
          "url": "https://www.suse.com/security/cve/CVE-2026-23243"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259797 for CVE-2026-23243",
          "url": "https://bugzilla.suse.com/1259797"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259798 for CVE-2026-23243",
          "url": "https://bugzilla.suse.com/1259798"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23243"
    },
    {
      "cve": "CVE-2026-23272",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23272"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23272",
          "url": "https://www.suse.com/security/cve/CVE-2026-23272"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260009 for CVE-2026-23272",
          "url": "https://bugzilla.suse.com/1260009"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260909 for CVE-2026-23272",
          "url": "https://bugzilla.suse.com/1260909"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23272"
    },
    {
      "cve": "CVE-2026-23274",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23274"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23274",
          "url": "https://www.suse.com/security/cve/CVE-2026-23274"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260005 for CVE-2026-23274",
          "url": "https://bugzilla.suse.com/1260005"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260908 for CVE-2026-23274",
          "url": "https://bugzilla.suse.com/1260908"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23274"
    },
    {
      "cve": "CVE-2026-23317",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23317"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
          "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
          "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23317",
          "url": "https://www.suse.com/security/cve/CVE-2026-23317"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260562 for CVE-2026-23317",
          "url": "https://bugzilla.suse.com/1260562"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260563 for CVE-2026-23317",
          "url": "https://bugzilla.suse.com/1260563"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.127.1.noarch",
            "SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.127.1.x86_64",
            "SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.127.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T15:52:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23317"
    }
  ]
}

CVE-2025-68818 (GCVE-0-2025-68818)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34

Title

scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b04b3733fff7e9456…
	https://git.kernel.org/stable/c/50b097d92c99f7188…
	https://git.kernel.org/stable/c/c5c37a821bd1708f2…
	https://git.kernel.org/stable/c/e9e601b7df58ba0c6…
	https://git.kernel.org/stable/c/b10ebbfd59a535c8d…
	https://git.kernel.org/stable/c/1c728951bc769b795…
	https://git.kernel.org/stable/c/b57fbc88715b6d18f…

Impacted products

Vendor

Product

Version

Affected: 231cfa78ec5badd84a1a2b09465bfad1a926aba1 , < b04b3733fff7e94566386b962e4795550fbdfd3d (git)
Affected: d6f7377528d2abf338e504126e44439541be8f7d , < 50b097d92c99f718831b8b349722bc79f718ba1b (git)
Affected: cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 , < c5c37a821bd1708f26a9522b4a6f47b9f7a20003 (git)
Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < e9e601b7df58ba0c667baf30263331df2c02ffe1 (git)
Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 (git)
Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < 1c728951bc769b795d377852eae1abddad88635d (git)
Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b57fbc88715b6d18f379463f48a15b560b087ffe (git)
Affected: 9189f20b4c5307c0998682bb522e481b4567a8b8 (git)
Affected: 415d614344a4f1bbddf55d724fc7eb9ef4b39aad (git)

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b04b3733fff7e94566386b962e4795550fbdfd3d",
              "status": "affected",
              "version": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
              "versionType": "git"
            },
            {
              "lessThan": "50b097d92c99f718831b8b349722bc79f718ba1b",
              "status": "affected",
              "version": "d6f7377528d2abf338e504126e44439541be8f7d",
              "versionType": "git"
            },
            {
              "lessThan": "c5c37a821bd1708f26a9522b4a6f47b9f7a20003",
              "status": "affected",
              "version": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
              "versionType": "git"
            },
            {
              "lessThan": "e9e601b7df58ba0c667baf30263331df2c02ffe1",
              "status": "affected",
              "version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
              "versionType": "git"
            },
            {
              "lessThan": "b10ebbfd59a535c8d22f4ede6e8389622ce98dc0",
              "status": "affected",
              "version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
              "versionType": "git"
            },
            {
              "lessThan": "1c728951bc769b795d377852eae1abddad88635d",
              "status": "affected",
              "version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
              "versionType": "git"
            },
            {
              "lessThan": "b57fbc88715b6d18f379463f48a15b560b087ffe",
              "status": "affected",
              "version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9189f20b4c5307c0998682bb522e481b4567a8b8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_os.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.10.177",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.15.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "6.1.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock.  But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n  0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n  0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n  ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash.  But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:34:08.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe"
        }
      ],
      "title": "scsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68818",
    "datePublished": "2026-01-13T15:29:22.018Z",
    "dateReserved": "2025-12-24T10:30:51.048Z",
    "dateUpdated": "2026-02-09T08:34:08.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38234 (GCVE-0-2025-38234)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-02-12 08:19

Title

sched/rt: Fix race in push_rt_task

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview ======== When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue then it will call find_lock_lowest_rq method which would take a double lock on both CPUs' runqueues. If one of the locks aren't readily available, it may lead to dropping the current runqueue lock and reacquiring both the locks at once. During this window it is possible that the task is already migrated and is running on some other CPU. These cases are already handled. However, if the task is migrated and has already been executed and another CPU is now trying to wake it up (ttwu) such that it is queued again on the runqeue (on_rq is 1) and also if the task was run by the same CPU, then the current checks will pass even though the task was migrated out and is no longer in the pushable tasks list. Crashes ======= This bug resulted in quite a few flavors of crashes triggering kernel panics with various crash signatures such as assert failures, page faults, null pointer dereferences, and queue corruption errors all coming from scheduler itself. Some of the crashes: -> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? pick_next_task_rt+0x6e/0x1d0 ? do_error_trap+0x64/0xa0 ? pick_next_task_rt+0x6e/0x1d0 ? exc_invalid_op+0x4c/0x60 ? pick_next_task_rt+0x6e/0x1d0 ? asm_exc_invalid_op+0x12/0x20 ? pick_next_task_rt+0x6e/0x1d0 __schedule+0x5cb/0x790 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: kernel NULL pointer dereference, address: 00000000000000c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? __warn+0x8a/0xe0 ? exc_page_fault+0x3d6/0x520 ? asm_exc_page_fault+0x1e/0x30 ? pick_next_task_rt+0xb5/0x1d0 ? pick_next_task_rt+0x8c/0x1d0 __schedule+0x583/0x7e0 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: unable to handle page fault for address: ffff9464daea5900 kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p)) -> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? dequeue_top_rt_rq+0xa2/0xb0 ? do_error_trap+0x64/0xa0 ? dequeue_top_rt_rq+0xa2/0xb0 ? exc_invalid_op+0x4c/0x60 ? dequeue_top_rt_rq+0xa2/0xb0 ? asm_exc_invalid_op+0x12/0x20 ? dequeue_top_rt_rq+0xa2/0xb0 dequeue_rt_entity+0x1f/0x70 dequeue_task_rt+0x2d/0x70 __schedule+0x1a8/0x7e0 ? blk_finish_plug+0x25/0x40 schedule+0x3c/0xb0 futex_wait_queue_me+0xb6/0x120 futex_wait+0xd9/0x240 do_futex+0x344/0xa90 ? get_mm_exe_file+0x30/0x60 ? audit_exe_compare+0x58/0x70 ? audit_filter_rules.constprop.26+0x65e/0x1220 __x64_sys_futex+0x148/0x1f0 do_syscall_64+0x30/0x80 entry_SYSCALL_64_after_hwframe+0x62/0xc7 -> BUG: unable to handle page fault for address: ffff8cf3608bc2c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? spurious_kernel_fault+0x171/0x1c0 ? exc_page_fault+0x3b6/0x520 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? asm_exc_page_fault+0x1e/0x30 ? _cond_resched+0x15/0x30 ? futex_wait_queue_me+0xc8/0x120 ? futex_wait+0xd9/0x240 ? try_to_wake_up+0x1b8/0x490 ? futex_wake+0x78/0x160 ? do_futex+0xcd/0xa90 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? plist_del+0x6a/0xd0 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? dequeue_pushable_task+0x20/0x70 ? __schedule+0x382/0x7e0 ? asm_sysvec_reschedule_i ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9f6022b2573ae0687…
	https://git.kernel.org/stable/c/debfbc047196df1f6…
	https://git.kernel.org/stable/c/07ecabfbca64f4f0b…
	https://git.kernel.org/stable/c/690e47d1403e90b7f…

Impacted products

Vendor

Product

Version

Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 9f6022b2573ae068793810db719e131df3ded405 (git)
Affected: e8fa136262e1121288bb93befe2295928ffd240d , < debfbc047196df1f6bfd52f2d028c21dce67f0de (git)
Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 07ecabfbca64f4f0b6071cf96e49d162fa9d138d (git)
Affected: e8fa136262e1121288bb93befe2295928ffd240d , < 690e47d1403e90b7f2366f03b52ed3304194c793 (git)

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 6.6.124 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.15.4 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f6022b2573ae068793810db719e131df3ded405",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "debfbc047196df1f6bfd52f2d028c21dce67f0de",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "07ecabfbca64f4f0b6071cf96e49d162fa9d138d",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            },
            {
              "lessThan": "690e47d1403e90b7f2366f03b52ed3304194c793",
              "status": "affected",
              "version": "e8fa136262e1121288bb93befe2295928ffd240d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.124",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU\u0027s runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs\u0027 runqueues. If one of the\nlocks aren\u0027t readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqeue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-\u003e kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx \u003e= MAX_RT_PRIO)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? do_error_trap+0x64/0xa0\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? exc_invalid_op+0x4c/0x60\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? pick_next_task_rt+0x6e/0x1d0\n   __schedule+0x5cb/0x790\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: kernel NULL pointer dereference, address: 00000000000000c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? __warn+0x8a/0xe0\n   ? exc_page_fault+0x3d6/0x520\n   ? asm_exc_page_fault+0x1e/0x30\n   ? pick_next_task_rt+0xb5/0x1d0\n   ? pick_next_task_rt+0x8c/0x1d0\n   __schedule+0x583/0x7e0\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-\u003e BUG: unable to handle page fault for address: ffff9464daea5900\n   kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-\u003ecpu != task_cpu(p))\n\n-\u003e kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-\u003enr_running)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? do_error_trap+0x64/0xa0\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? exc_invalid_op+0x4c/0x60\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   dequeue_rt_entity+0x1f/0x70\n   dequeue_task_rt+0x2d/0x70\n   __schedule+0x1a8/0x7e0\n   ? blk_finish_plug+0x25/0x40\n   schedule+0x3c/0xb0\n   futex_wait_queue_me+0xb6/0x120\n   futex_wait+0xd9/0x240\n   do_futex+0x344/0xa90\n   ? get_mm_exe_file+0x30/0x60\n   ? audit_exe_compare+0x58/0x70\n   ? audit_filter_rules.constprop.26+0x65e/0x1220\n   __x64_sys_futex+0x148/0x1f0\n   do_syscall_64+0x30/0x80\n   entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-\u003e BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? spurious_kernel_fault+0x171/0x1c0\n   ? exc_page_fault+0x3b6/0x520\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? asm_exc_page_fault+0x1e/0x30\n   ? _cond_resched+0x15/0x30\n   ? futex_wait_queue_me+0xc8/0x120\n   ? futex_wait+0xd9/0x240\n   ? try_to_wake_up+0x1b8/0x490\n   ? futex_wake+0x78/0x160\n   ? do_futex+0xcd/0xa90\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? plist_del+0x6a/0xd0\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? dequeue_pushable_task+0x20/0x70\n   ? __schedule+0x382/0x7e0\n   ? asm_sysvec_reschedule_i\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T08:19:23.791Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f6022b2573ae068793810db719e131df3ded405"
        },
        {
          "url": "https://git.kernel.org/stable/c/debfbc047196df1f6bfd52f2d028c21dce67f0de"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ecabfbca64f4f0b6071cf96e49d162fa9d138d"
        },
        {
          "url": "https://git.kernel.org/stable/c/690e47d1403e90b7f2366f03b52ed3304194c793"
        }
      ],
      "title": "sched/rt: Fix race in push_rt_task",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38234",
    "datePublished": "2025-07-04T13:37:46.960Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-02-12T08:19:23.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23103 (GCVE-0-2026-23103)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-04-03 13:31

Title

ipvlan: Make the addrs_lock be per port

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3c149b662cbb202a4…
	https://git.kernel.org/stable/c/70feb16e3fbfb10b1…
	https://git.kernel.org/stable/c/88f83e6c9cdb46b8c…
	https://git.kernel.org/stable/c/04ba6de6eff61238e…
	https://git.kernel.org/stable/c/1f300c10d92c547c3…
	https://git.kernel.org/stable/c/6a81e2db096913d7e…
	https://git.kernel.org/stable/c/d3ba32162488283c0…

Impacted products

Vendor

Product

Version

Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 3c149b662cbb202a450e81f938e702ba333864ad (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 70feb16e3fbfb10b15de1396557c38e99f1ab8df (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 88f83e6c9cdb46b8c8ddd0ba01393362963cf589 (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 04ba6de6eff61238e5397c14ac26a6578c7735a5 (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 1f300c10d92c547c3a7d978e1212ff52f18256ed (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < 6a81e2db096913d7e43aada1c350c1282e76db39 (git)
Affected: 8230819494b3bf284ca7262ac5f877333147b937 , < d3ba32162488283c0a4c5bedd8817aec91748802 (git)

Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 5.10.249 , ≤ 5.10.* (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan.h",
            "drivers/net/ipvlan/ipvlan_core.c",
            "drivers/net/ipvlan/ipvlan_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c149b662cbb202a450e81f938e702ba333864ad",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "70feb16e3fbfb10b15de1396557c38e99f1ab8df",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "88f83e6c9cdb46b8c8ddd0ba01393362963cf589",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "04ba6de6eff61238e5397c14ac26a6578c7735a5",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "1f300c10d92c547c3a7d978e1212ff52f18256ed",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "6a81e2db096913d7e43aada1c350c1282e76db39",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            },
            {
              "lessThan": "d3ba32162488283c0a4c5bedd8817aec91748802",
              "status": "affected",
              "version": "8230819494b3bf284ca7262ac5f877333147b937",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ipvlan/ipvlan.h",
            "drivers/net/ipvlan/ipvlan_core.c",
            "drivers/net/ipvlan/ipvlan_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T13:31:56.806Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df"
        },
        {
          "url": "https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589"
        },
        {
          "url": "https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802"
        }
      ],
      "title": "ipvlan: Make the addrs_lock be per port",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23103",
    "datePublished": "2026-02-04T16:08:24.771Z",
    "dateReserved": "2026-01-13T15:37:45.966Z",
    "dateUpdated": "2026-04-03T13:31:56.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23243 (GCVE-0-2026-23243)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-04-13 06:02

Title

RDMA/umad: Reject negative data_len in ib_umad_write

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1371ef6b1ecf3676b…
	https://git.kernel.org/stable/c/362e45fd9069ffa15…
	https://git.kernel.org/stable/c/6eb2919474ca105c5…
	https://git.kernel.org/stable/c/a6a3e4af10993cb9e…
	https://git.kernel.org/stable/c/9c80d688f402539df…
	https://git.kernel.org/stable/c/205955f29c26330b1…
	https://git.kernel.org/stable/c/52ab82cc5cf8ada5c…
	https://git.kernel.org/stable/c/5551b02fdbfd85a32…

Impacted products

Vendor

Product

Version

Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 1371ef6b1ecf3676b8942f5dfb3634fb0648128e (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 362e45fd9069ffa1523f9f1633b606ebf72060d7 (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 6eb2919474ca105c5b13d19574e25f0ddcf19ca2 (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 9c80d688f402539dfc8f336de1380d6b4ee14316 (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 205955f29c26330b1dc7fdeadd5bb97c38e26f56 (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b (git)
Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 (git)

Affected: 2.6.24
Unaffected: 0 , < 2.6.24 (semver)
Unaffected: 5.10.252 , ≤ 5.10.* (semver)
Unaffected: 5.15.202 , ≤ 5.15.* (semver)
Unaffected: 6.1.165 , ≤ 6.1.* (semver)
Unaffected: 6.6.128 , ≤ 6.6.* (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/user_mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1371ef6b1ecf3676b8942f5dfb3634fb0648128e",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "362e45fd9069ffa1523f9f1633b606ebf72060d7",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "6eb2919474ca105c5b13d19574e25f0ddcf19ca2",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "9c80d688f402539dfc8f336de1380d6b4ee14316",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "205955f29c26330b1dc7fdeadd5bb97c38e26f56",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "5551b02fdbfd85a325bb857f3a8f9c9f33397ed2",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/user_mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:02:59.919Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"
        },
        {
          "url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"
        },
        {
          "url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"
        },
        {
          "url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"
        }
      ],
      "title": "RDMA/umad: Reject negative data_len in ib_umad_write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23243",
    "datePublished": "2026-03-18T10:05:05.826Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-04-13T06:02:59.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23317 (GCVE-0-2026-23317)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-13 06:04

Title

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ce3a5cf139787c186…
	https://git.kernel.org/stable/c/7e55d0788b362c936…
	https://git.kernel.org/stable/c/36cb28b6d303a81e6…
	https://git.kernel.org/stable/c/531f45589787799aa…
	https://git.kernel.org/stable/c/149f028772fa2879d…
	https://git.kernel.org/stable/c/5023ca80f9589295c…

Impacted products

Vendor

Product

Version

Affected: 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a , < ce3a5cf139787c186d5d54336107298cacaad2b9 (git)
Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 7e55d0788b362c93660b80cc5603031bbbdefa98 (git)
Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 36cb28b6d303a81e6ed4536017090e85e0143e42 (git)
Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 531f45589787799aa81b63e1e1f8e71db5d93dd1 (git)
Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 149f028772fa2879d9316b924ce948a6a0877e45 (git)
Affected: a309c7194e8a2f8bd4539b9449917913f6c2cd50 , < 5023ca80f9589295cb60735016e39fc5cc714243 (git)

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce3a5cf139787c186d5d54336107298cacaad2b9",
              "status": "affected",
              "version": "7ac9578e45b20e3f3c0c8eb71f5417a499a7226a",
              "versionType": "git"
            },
            {
              "lessThan": "7e55d0788b362c93660b80cc5603031bbbdefa98",
              "status": "affected",
              "version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
              "versionType": "git"
            },
            {
              "lessThan": "36cb28b6d303a81e6ed4536017090e85e0143e42",
              "status": "affected",
              "version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
              "versionType": "git"
            },
            {
              "lessThan": "531f45589787799aa81b63e1e1f8e71db5d93dd1",
              "status": "affected",
              "version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
              "versionType": "git"
            },
            {
              "lessThan": "149f028772fa2879d9316b924ce948a6a0877e45",
              "status": "affected",
              "version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
              "versionType": "git"
            },
            {
              "lessThan": "5023ca80f9589295cb60735016e39fc5cc714243",
              "status": "affected",
              "version": "a309c7194e8a2f8bd4539b9449917913f6c2cd50",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "6.1.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:04:16.604Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce3a5cf139787c186d5d54336107298cacaad2b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e55d0788b362c93660b80cc5603031bbbdefa98"
        },
        {
          "url": "https://git.kernel.org/stable/c/36cb28b6d303a81e6ed4536017090e85e0143e42"
        },
        {
          "url": "https://git.kernel.org/stable/c/531f45589787799aa81b63e1e1f8e71db5d93dd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/149f028772fa2879d9316b924ce948a6a0877e45"
        },
        {
          "url": "https://git.kernel.org/stable/c/5023ca80f9589295cb60735016e39fc5cc714243"
        }
      ],
      "title": "drm/vmwgfx: Return the correct value in vmw_translate_ptr functions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23317",
    "datePublished": "2026-03-25T10:27:11.884Z",
    "dateReserved": "2026-01-13T15:37:45.995Z",
    "dateUpdated": "2026-04-13T06:04:16.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23274 (GCVE-0-2026-23274)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-18 08:57

Title

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32e937dc6e97f5ed3…
	https://git.kernel.org/stable/c/144f88054ba018046…
	https://git.kernel.org/stable/c/28c7cfaf0c0ab17cb…
	https://git.kernel.org/stable/c/54080355999381fed…
	https://git.kernel.org/stable/c/5e7ece24c5cb75a60…
	https://git.kernel.org/stable/c/f5ef97c1316554248…
	https://git.kernel.org/stable/c/f228b9ae2a7e84d11…
	https://git.kernel.org/stable/c/329f0b9b48ee6ab59…

Impacted products

Vendor

Product

Version

Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 144f88054ba0180467356f40895bd660b5dceeec (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 28c7cfaf0c0ab17cbd7754092116fd1af45271f9 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 54080355999381fed4a26129579a5765bab87491 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 5e7ece24c5cb75a60402aad4d803c7898ea40aa9 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f228b9ae2a7e84d1153616d8e71c4236cb1f1309 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf (git)

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "144f88054ba0180467356f40895bd660b5dceeec",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "28c7cfaf0c0ab17cbd7754092116fd1af45271f9",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "54080355999381fed4a26129579a5765bab87491",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "5e7ece24c5cb75a60402aad4d803c7898ea40aa9",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:57:32.534Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"
        },
        {
          "url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"
        },
        {
          "url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"
        },
        {
          "url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"
        }
      ],
      "title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23274",
    "datePublished": "2026-03-20T08:08:54.918Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-18T08:57:32.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23272 (GCVE-0-2026-23272)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-04-13 06:03

Title

netfilter: nf_tables: unconditionally bump set->nelems before insertion

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6826131c767432933…
	https://git.kernel.org/stable/c/ccb8c8f3c1127cf34…
	https://git.kernel.org/stable/c/def602e498a4f951d…

Impacted products

Vendor

Product

Version

Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 6826131c7674329335ca25df2550163eb8a1fd0c (git)
Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < ccb8c8f3c1127cf34d18c737309897c68046bf21 (git)
Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < def602e498a4f951da95c95b1b8ce8ae68aa733a (git)
Affected: fefdd79403e89b0c673965343b92e2e01e2713a8 (git)

Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6826131c7674329335ca25df2550163eb8a1fd0c",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "ccb8c8f3c1127cf34d18c737309897c68046bf21",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "def602e498a4f951da95c95b1b8ce8ae68aa733a",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fefdd79403e89b0c673965343b92e2e01e2713a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:03:21.164Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"
        }
      ],
      "title": "netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23272",
    "datePublished": "2026-03-20T08:08:52.946Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-04-13T06:03:21.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.