Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2026-0421
Vulnerability from csaf_certbund - Published: 2026-02-15 23:00 - Updated: 2026-02-15 23:00Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service- Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0421 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0421.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0421 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0421"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71200",
"url": "https://lore.kernel.org/linux-cve-announce/2026021403-CVE-2025-71200-b7c7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71201",
"url": "https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2025-71201-9d67@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71202",
"url": "https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2025-71202-4c01@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71203",
"url": "https://lore.kernel.org/linux-cve-announce/2026021423-CVE-2025-71203-a81c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71204",
"url": "https://lore.kernel.org/linux-cve-announce/2026021425-CVE-2025-71204-88b2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71220",
"url": "https://lore.kernel.org/linux-cve-announce/2026021425-CVE-2025-71220-162f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71221",
"url": "https://lore.kernel.org/linux-cve-announce/2026021426-CVE-2025-71221-2987@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71222",
"url": "https://lore.kernel.org/linux-cve-announce/2026021426-CVE-2025-71222-1437@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71223",
"url": "https://lore.kernel.org/linux-cve-announce/2026021426-CVE-2025-71223-65b9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71224",
"url": "https://lore.kernel.org/linux-cve-announce/2026021427-CVE-2025-71224-318e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23111",
"url": "https://lore.kernel.org/linux-cve-announce/2026021300-CVE-2026-23111-9762@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23112",
"url": "https://lore.kernel.org/linux-cve-announce/2026021302-CVE-2026-23112-6499@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23113",
"url": "https://lore.kernel.org/linux-cve-announce/2026021405-CVE-2026-23113-a027@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23114",
"url": "https://lore.kernel.org/linux-cve-announce/2026021405-CVE-2026-23114-21a3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23115",
"url": "https://lore.kernel.org/linux-cve-announce/2026021406-CVE-2026-23115-64da@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23116",
"url": "https://lore.kernel.org/linux-cve-announce/2026021406-CVE-2026-23116-41e5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23117",
"url": "https://lore.kernel.org/linux-cve-announce/2026021406-CVE-2026-23117-0b29@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23118",
"url": "https://lore.kernel.org/linux-cve-announce/2026021407-CVE-2026-23118-7579@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23119",
"url": "https://lore.kernel.org/linux-cve-announce/2026021407-CVE-2026-23119-0f44@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23120",
"url": "https://lore.kernel.org/linux-cve-announce/2026021407-CVE-2026-23120-5f82@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23121",
"url": "https://lore.kernel.org/linux-cve-announce/2026021408-CVE-2026-23121-73e6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23123",
"url": "https://lore.kernel.org/linux-cve-announce/2026021408-CVE-2026-23123-9ee2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23124",
"url": "https://lore.kernel.org/linux-cve-announce/2026021409-CVE-2026-23124-2074@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23125",
"url": "https://lore.kernel.org/linux-cve-announce/2026021409-CVE-2026-23125-1ee3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23126",
"url": "https://lore.kernel.org/linux-cve-announce/2026021409-CVE-2026-23126-b259@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23127",
"url": "https://lore.kernel.org/linux-cve-announce/2026021410-CVE-2026-23127-d01a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23128",
"url": "https://lore.kernel.org/linux-cve-announce/2026021410-CVE-2026-23128-fab1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23129",
"url": "https://lore.kernel.org/linux-cve-announce/2026021410-CVE-2026-23129-81ae@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23130",
"url": "https://lore.kernel.org/linux-cve-announce/2026021411-CVE-2026-23130-4390@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23131",
"url": "https://lore.kernel.org/linux-cve-announce/2026021411-CVE-2026-23131-6201@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23132",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23132-175d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23133",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23133-19ce@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23134",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23134-22cb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23135",
"url": "https://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23135-74c1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23136",
"url": "https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23136-f28c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23137",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23137-b77f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23138",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23138-9853@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23139",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23139-a7b4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23140",
"url": "https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23140-fed3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23141",
"url": "https://lore.kernel.org/linux-cve-announce/2026021415-CVE-2026-23141-c6bd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23142",
"url": "https://lore.kernel.org/linux-cve-announce/2026021416-CVE-2026-23142-f91e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23143",
"url": "https://lore.kernel.org/linux-cve-announce/2026021416-CVE-2026-23143-9346@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23144",
"url": "https://lore.kernel.org/linux-cve-announce/2026021417-CVE-2026-23144-297b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23145",
"url": "https://lore.kernel.org/linux-cve-announce/2026021417-CVE-2026-23145-0c0b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23146",
"url": "https://lore.kernel.org/linux-cve-announce/2026021411-CVE-2026-23146-3658@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23147",
"url": "https://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23147-1f6d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23148",
"url": "https://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23148-bb5d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23149",
"url": "https://lore.kernel.org/linux-cve-announce/2026021413-CVE-2026-23149-8329@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23150",
"url": "https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23150-5706@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23151",
"url": "https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23151-74d4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23152",
"url": "https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23152-c2ae@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23153",
"url": "https://lore.kernel.org/linux-cve-announce/2026021415-CVE-2026-23153-9e56@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23154",
"url": "https://lore.kernel.org/linux-cve-announce/2026021415-CVE-2026-23154-f658@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23155",
"url": "https://lore.kernel.org/linux-cve-announce/2026021415-CVE-2026-23155-32be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23156",
"url": "https://lore.kernel.org/linux-cve-announce/2026021416-CVE-2026-23156-b2f4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23157",
"url": "https://lore.kernel.org/linux-cve-announce/2026021416-CVE-2026-23157-6214@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23158",
"url": "https://lore.kernel.org/linux-cve-announce/2026021417-CVE-2026-23158-052d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23159",
"url": "https://lore.kernel.org/linux-cve-announce/2026021417-CVE-2026-23159-7d2c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23160",
"url": "https://lore.kernel.org/linux-cve-announce/2026021417-CVE-2026-23160-d1e6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23161",
"url": "https://lore.kernel.org/linux-cve-announce/2026021418-CVE-2026-23161-d727@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23162",
"url": "https://lore.kernel.org/linux-cve-announce/2026021418-CVE-2026-23162-da25@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23163",
"url": "https://lore.kernel.org/linux-cve-announce/2026021418-CVE-2026-23163-abc8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23164",
"url": "https://lore.kernel.org/linux-cve-announce/2026021419-CVE-2026-23164-9874@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23165",
"url": "https://lore.kernel.org/linux-cve-announce/2026021419-CVE-2026-23165-3437@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23166",
"url": "https://lore.kernel.org/linux-cve-announce/2026021419-CVE-2026-23166-c1fa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23167",
"url": "https://lore.kernel.org/linux-cve-announce/2026021420-CVE-2026-23167-1892@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23168",
"url": "https://lore.kernel.org/linux-cve-announce/2026021420-CVE-2026-23168-0630@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23169",
"url": "https://lore.kernel.org/linux-cve-announce/2026021420-CVE-2026-23169-38ea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23170",
"url": "https://lore.kernel.org/linux-cve-announce/2026021421-CVE-2026-23170-7a51@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23171",
"url": "https://lore.kernel.org/linux-cve-announce/2026021421-CVE-2026-23171-5a73@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23172",
"url": "https://lore.kernel.org/linux-cve-announce/2026021421-CVE-2026-23172-acf0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23173",
"url": "https://lore.kernel.org/linux-cve-announce/2026021422-CVE-2026-23173-4a20@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23174",
"url": "https://lore.kernel.org/linux-cve-announce/2026021427-CVE-2026-23174-0b41@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23175",
"url": "https://lore.kernel.org/linux-cve-announce/2026021427-CVE-2026-23175-8c89@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23176",
"url": "https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23176-4baf@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23177",
"url": "https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23177-a343@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23178",
"url": "https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23178-ffd4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23179",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23179-6ff7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23180",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23180-19a8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23181",
"url": "https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23181-7c82@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23182",
"url": "https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23182-651e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23183",
"url": "https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23183-b758@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23184",
"url": "https://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23184-a1f1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23185",
"url": "https://lore.kernel.org/linux-cve-announce/2026021431-CVE-2026-23185-7d56@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23186",
"url": "https://lore.kernel.org/linux-cve-announce/2026021431-CVE-2026-23186-c917@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23187",
"url": "https://lore.kernel.org/linux-cve-announce/2026021431-CVE-2026-23187-018e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23188",
"url": "https://lore.kernel.org/linux-cve-announce/2026021432-CVE-2026-23188-c03c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23189",
"url": "https://lore.kernel.org/linux-cve-announce/2026021432-CVE-2026-23189-3d9f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23190",
"url": "https://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23190-0719@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23191",
"url": "https://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23191-f990@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23192",
"url": "https://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23192-72a9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23193",
"url": "https://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23193-2c6c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23194",
"url": "https://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23194-5976@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23195",
"url": "https://lore.kernel.org/linux-cve-announce/2026021434-CVE-2026-23195-6042@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23196",
"url": "https://lore.kernel.org/linux-cve-announce/2026021435-CVE-2026-23196-2812@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23197",
"url": "https://lore.kernel.org/linux-cve-announce/2026021435-CVE-2026-23197-59da@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23198",
"url": "https://lore.kernel.org/linux-cve-announce/2026021435-CVE-2026-23198-8a25@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23199",
"url": "https://lore.kernel.org/linux-cve-announce/2026021436-CVE-2026-23199-0dc0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23200",
"url": "https://lore.kernel.org/linux-cve-announce/2026021436-CVE-2026-23200-e35e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23201",
"url": "https://lore.kernel.org/linux-cve-announce/2026021436-CVE-2026-23201-4530@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23202",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23202-0480@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23203",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23203-de1a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23204",
"url": "https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23204-be85@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23205",
"url": "https://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23205-a62a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23206",
"url": "https://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23206-ed03@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23207",
"url": "https://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23207-a80c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23208",
"url": "https://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23208-cc9e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23209",
"url": "https://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23209-9ad6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2026-23210",
"url": "https://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23210-7cac@gregkh/"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-02-15T23:00:00.000+00:00",
"generator": {
"date": "2026-02-16T11:30:28.482+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0421",
"initial_release_date": "2026-02-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T050933",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-23156",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23156"
},
{
"cve": "CVE-2026-23157",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23157"
},
{
"cve": "CVE-2026-23158",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23158"
},
{
"cve": "CVE-2026-23159",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23159"
},
{
"cve": "CVE-2026-23160",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23160"
},
{
"cve": "CVE-2026-23161",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23161"
},
{
"cve": "CVE-2026-23162",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23162"
},
{
"cve": "CVE-2026-23163",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23163"
},
{
"cve": "CVE-2026-23164",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23164"
},
{
"cve": "CVE-2026-23165",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23165"
},
{
"cve": "CVE-2026-23166",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23166"
},
{
"cve": "CVE-2026-23167",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23167"
},
{
"cve": "CVE-2026-23168",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23168"
},
{
"cve": "CVE-2026-23169",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23169"
},
{
"cve": "CVE-2026-23170",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23170"
},
{
"cve": "CVE-2026-23171",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23171"
},
{
"cve": "CVE-2026-23172",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23172"
},
{
"cve": "CVE-2026-23173",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23173"
},
{
"cve": "CVE-2026-23174",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23174"
},
{
"cve": "CVE-2026-23175",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23175"
},
{
"cve": "CVE-2026-23176",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23176"
},
{
"cve": "CVE-2026-23177",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23177"
},
{
"cve": "CVE-2026-23178",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23178"
},
{
"cve": "CVE-2026-23179",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23179"
},
{
"cve": "CVE-2026-23180",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23180"
},
{
"cve": "CVE-2026-23181",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23181"
},
{
"cve": "CVE-2026-23182",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23182"
},
{
"cve": "CVE-2026-23183",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23183"
},
{
"cve": "CVE-2026-23184",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23184"
},
{
"cve": "CVE-2026-23185",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23185"
},
{
"cve": "CVE-2026-23186",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23186"
},
{
"cve": "CVE-2026-23187",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23187"
},
{
"cve": "CVE-2026-23188",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23188"
},
{
"cve": "CVE-2026-23189",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23189"
},
{
"cve": "CVE-2026-23190",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23190"
},
{
"cve": "CVE-2026-23191",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23191"
},
{
"cve": "CVE-2026-23192",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23192"
},
{
"cve": "CVE-2026-23193",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23193"
},
{
"cve": "CVE-2026-23194",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23194"
},
{
"cve": "CVE-2026-23195",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23195"
},
{
"cve": "CVE-2026-23196",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23196"
},
{
"cve": "CVE-2026-23197",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23197"
},
{
"cve": "CVE-2026-23198",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23198"
},
{
"cve": "CVE-2026-23199",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23199"
},
{
"cve": "CVE-2026-23200",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23200"
},
{
"cve": "CVE-2026-23201",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23201"
},
{
"cve": "CVE-2026-23202",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23202"
},
{
"cve": "CVE-2026-23203",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23203"
},
{
"cve": "CVE-2026-23204",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23204"
},
{
"cve": "CVE-2026-23205",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23205"
},
{
"cve": "CVE-2026-23206",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23206"
},
{
"cve": "CVE-2026-23207",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23207"
},
{
"cve": "CVE-2026-23208",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23208"
},
{
"cve": "CVE-2026-23209",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23209"
},
{
"cve": "CVE-2026-23210",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23210"
},
{
"cve": "CVE-2025-71200",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71200"
},
{
"cve": "CVE-2025-71201",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71201"
},
{
"cve": "CVE-2025-71202",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71202"
},
{
"cve": "CVE-2025-71203",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71203"
},
{
"cve": "CVE-2025-71204",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71204"
},
{
"cve": "CVE-2025-71220",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71220"
},
{
"cve": "CVE-2025-71221",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71221"
},
{
"cve": "CVE-2025-71222",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71222"
},
{
"cve": "CVE-2025-71223",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71223"
},
{
"cve": "CVE-2025-71224",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2025-71224"
},
{
"cve": "CVE-2026-23111",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23111"
},
{
"cve": "CVE-2026-23112",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23112"
},
{
"cve": "CVE-2026-23113",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23113"
},
{
"cve": "CVE-2026-23114",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23114"
},
{
"cve": "CVE-2026-23115",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23115"
},
{
"cve": "CVE-2026-23116",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23116"
},
{
"cve": "CVE-2026-23117",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23117"
},
{
"cve": "CVE-2026-23118",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23118"
},
{
"cve": "CVE-2026-23119",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23119"
},
{
"cve": "CVE-2026-23120",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23120"
},
{
"cve": "CVE-2026-23121",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23121"
},
{
"cve": "CVE-2026-23123",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23123"
},
{
"cve": "CVE-2026-23124",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23124"
},
{
"cve": "CVE-2026-23125",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23125"
},
{
"cve": "CVE-2026-23126",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23126"
},
{
"cve": "CVE-2026-23127",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23127"
},
{
"cve": "CVE-2026-23128",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23128"
},
{
"cve": "CVE-2026-23129",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23129"
},
{
"cve": "CVE-2026-23130",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23130"
},
{
"cve": "CVE-2026-23131",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23131"
},
{
"cve": "CVE-2026-23132",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23132"
},
{
"cve": "CVE-2026-23133",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23133"
},
{
"cve": "CVE-2026-23134",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23134"
},
{
"cve": "CVE-2026-23135",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23135"
},
{
"cve": "CVE-2026-23136",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23136"
},
{
"cve": "CVE-2026-23137",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23137"
},
{
"cve": "CVE-2026-23138",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23138"
},
{
"cve": "CVE-2026-23139",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23139"
},
{
"cve": "CVE-2026-23140",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23140"
},
{
"cve": "CVE-2026-23141",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23141"
},
{
"cve": "CVE-2026-23142",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23142"
},
{
"cve": "CVE-2026-23143",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23143"
},
{
"cve": "CVE-2026-23144",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23144"
},
{
"cve": "CVE-2026-23145",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23145"
},
{
"cve": "CVE-2026-23146",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23146"
},
{
"cve": "CVE-2026-23147",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23147"
},
{
"cve": "CVE-2026-23148",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23148"
},
{
"cve": "CVE-2026-23149",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23149"
},
{
"cve": "CVE-2026-23150",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23150"
},
{
"cve": "CVE-2026-23151",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23151"
},
{
"cve": "CVE-2026-23152",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23152"
},
{
"cve": "CVE-2026-23153",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23153"
},
{
"cve": "CVE-2026-23154",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23154"
},
{
"cve": "CVE-2026-23155",
"product_status": {
"known_affected": [
"T050933"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-23155"
}
]
}
CVE-2026-23123 (GCVE-0-2026-23123)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
interconnect: debugfs: initialize src_node and dst_node to empty strings
Summary
In the Linux kernel, the following vulnerability has been resolved:
interconnect: debugfs: initialize src_node and dst_node to empty strings
The debugfs_create_str() API assumes that the string pointer is either NULL
or points to valid kmalloc() memory. Leaving the pointer uninitialized can
cause problems.
Initialize src_node and dst_node to empty strings before creating the
debugfs entries to guarantee that reads and writes are safe.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
770c69f037c18cfaa37c3d6c6ef8bd257635513f , < aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7
(git)
Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 935d0938b570589c8b0a1733d2cba3c39d027f25 (git) Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8 (git) Affected: 770c69f037c18cfaa37c3d6c6ef8bd257635513f , < 8cc27f5c6dd17dd090f3a696683f04336c162ff5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/debugfs-client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "935d0938b570589c8b0a1733d2cba3c39d027f25",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
},
{
"lessThan": "8cc27f5c6dd17dd090f3a696683f04336c162ff5",
"status": "affected",
"version": "770c69f037c18cfaa37c3d6c6ef8bd257635513f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/interconnect/debugfs-client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: debugfs: initialize src_node and dst_node to empty strings\n\nThe debugfs_create_str() API assumes that the string pointer is either NULL\nor points to valid kmalloc() memory. Leaving the pointer uninitialized can\ncause problems.\n\nInitialize src_node and dst_node to empty strings before creating the\ndebugfs entries to guarantee that reads and writes are safe."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:53.369Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa79a5a959c7c414bd6fba01ea8dbaddd44f13e7"
},
{
"url": "https://git.kernel.org/stable/c/935d0938b570589c8b0a1733d2cba3c39d027f25"
},
{
"url": "https://git.kernel.org/stable/c/5d7c7e1fb3ec24fdd0f9faa27b666d6789e891e8"
},
{
"url": "https://git.kernel.org/stable/c/8cc27f5c6dd17dd090f3a696683f04336c162ff5"
}
],
"title": "interconnect: debugfs: initialize src_node and dst_node to empty strings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23123",
"datePublished": "2026-02-14T15:09:53.369Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:53.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23206 (GCVE-0-2026-23206)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
The driver allocates arrays for ports, FDBs, and filter blocks using
kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the
device reports zero interfaces (either due to hardware configuration
or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)
instead of NULL.
Later in dpaa2_switch_probe(), the NAPI initialization unconditionally
accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.
Add a check to ensure num_ifs is greater than zero after retrieving
device attributes. This prevents the zero-sized allocations and
subsequent invalid pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0b1b71370458860579831e77485883fcf2e8fbbe , < 2fcccca88456b592bd668db13aa1d29ed257ca2b
(git)
Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 80165ff16051448d6f840585ebe13f2400415df3 (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < b97415c4362f739e25ec6f71012277086fabdf6f (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 4acc40db06ffd0fd92683505342b00c8a7394c60 (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < 155eb99aff2920153bf21217ae29565fff81e6af (git) Affected: 0b1b71370458860579831e77485883fcf2e8fbbe , < ed48a84a72fefb20a82dd90a7caa7807e90c6f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fcccca88456b592bd668db13aa1d29ed257ca2b",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "80165ff16051448d6f840585ebe13f2400415df3",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "b97415c4362f739e25ec6f71012277086fabdf6f",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "4acc40db06ffd0fd92683505342b00c8a7394c60",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "155eb99aff2920153bf21217ae29565fff81e6af",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
},
{
"lessThan": "ed48a84a72fefb20a82dd90a7caa7807e90c6f66",
"status": "affected",
"version": "0b1b71370458860579831e77485883fcf2e8fbbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\n\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw-\u003esw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\n\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw-\u003eports[0]-\u003enetdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\n\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:29.095Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b"
},
{
"url": "https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3"
},
{
"url": "https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f"
},
{
"url": "https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60"
},
{
"url": "https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af"
},
{
"url": "https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66"
}
],
"title": "dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23206",
"datePublished": "2026-02-14T16:27:29.095Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:29.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23195 (GCVE-0-2026-23195)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
cgroup/dmem: avoid pool UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup/dmem: avoid pool UAF
An UAF issue was observed:
BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150
Write of size 8 at addr ffff888106715440 by task insmod/527
CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11
Tainted: [O]=OOT_MODULE
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
kasan_report+0xca/0x100
kasan_check_range+0x39/0x1c0
page_counter_uncharge+0x65/0x150
dmem_cgroup_uncharge+0x1f/0x260
Allocated by task 527:
Freed by task 0:
The buggy address belongs to the object at ffff888106715400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
freed 512-byte region [ffff888106715400, ffff888106715600)
The buggy address belongs to the physical page:
Memory state around the buggy address:
ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
The issue occurs because a pool can still be held by a caller after its
associated memory region is unregistered. The current implementation frees
the pool even if users still hold references to it (e.g., before uncharge
operations complete).
This patch adds a reference counter to each pool, ensuring that a pool is
only freed when its reference count drops to zero.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/dmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3081353acaa6a638dcf75726066ea556a2de8d5",
"status": "affected",
"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
"versionType": "git"
},
{
"lessThan": "99a2ef500906138ba58093b9893972a5c303c734",
"status": "affected",
"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/dmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: avoid pool UAF\n\nAn UAF issue was observed:\n\nBUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150\nWrite of size 8 at addr ffff888106715440 by task insmod/527\n\nCPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11\nTainted: [O]=OOT_MODULE\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x82/0xd0\nkasan_report+0xca/0x100\nkasan_check_range+0x39/0x1c0\npage_counter_uncharge+0x65/0x150\ndmem_cgroup_uncharge+0x1f/0x260\n\nAllocated by task 527:\n\nFreed by task 0:\n\nThe buggy address belongs to the object at ffff888106715400\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 64 bytes inside of\nfreed 512-byte region [ffff888106715400, ffff888106715600)\n\nThe buggy address belongs to the physical page:\n\nMemory state around the buggy address:\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\t\t\t\t ^\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThe issue occurs because a pool can still be held by a caller after its\nassociated memory region is unregistered. The current implementation frees\nthe pool even if users still hold references to it (e.g., before uncharge\noperations complete).\n\nThis patch adds a reference counter to each pool, ensuring that a pool is\nonly freed when its reference count drops to zero."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:21.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5"
},
{
"url": "https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734"
}
],
"title": "cgroup/dmem: avoid pool UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23195",
"datePublished": "2026-02-14T16:27:21.621Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:21.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23178 (GCVE-0-2026-23178)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.
The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).
The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.
Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.
The impact is low since access to hidraw devices requires root.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < f9c9ad89d845f88a1509e9d672f65d234425fde9
(git)
Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < cff3f619fd1cb40cdd89971df9001f075613d219 (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 786ec171788bdf9dda38789163f1b1fbb47f2d1e (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 2124279f1f8c32c1646ce98e75a1a39b23b7db76 (git) Affected: 85df713377ddc0482071c3e6b64c37bd1e48f1f1 , < 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9c9ad89d845f88a1509e9d672f65d234425fde9",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "cff3f619fd1cb40cdd89971df9001f075613d219",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "786ec171788bdf9dda38789163f1b1fbb47f2d1e",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "2124279f1f8c32c1646ce98e75a1a39b23b7db76",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
},
{
"lessThan": "2497ff38c530b1af0df5130ca9f5ab22c5e92f29",
"status": "affected",
"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid-\u003erawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid-\u003ebufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:51.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"
},
{
"url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"
},
{
"url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"
},
{
"url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"
},
{
"url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"
}
],
"title": "HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23178",
"datePublished": "2026-02-14T16:27:10.108Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-16T08:58:51.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23197 (GCVE-0-2026-23197)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
i2c: imx: preserve error state in block data length handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: imx: preserve error state in block data length handler
When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
the length handler sets the state to IMX_I2C_STATE_FAILED. However,
i2c_imx_master_isr() unconditionally overwrites this with
IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
buffers and crashes the system.
Guard the state transition to preserve error states set by the length
handler.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f9b508b3eecc00a243edf320bd83834d6a9b482",
"status": "affected",
"version": "5f5c2d4579ca6836f5604cca979debd68ecfe23f",
"versionType": "git"
},
{
"lessThan": "b126097b0327437048bd045a0e4d273dea2910dd",
"status": "affected",
"version": "5f5c2d4579ca6836f5604cca979debd68ecfe23f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: preserve error state in block data length handler\n\nWhen a block read returns an invalid length, zero or \u003eI2C_SMBUS_BLOCK_MAX,\nthe length handler sets the state to IMX_I2C_STATE_FAILED. However,\ni2c_imx_master_isr() unconditionally overwrites this with\nIMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns\nbuffers and crashes the system.\n\nGuard the state transition to preserve error states set by the length\nhandler."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:22.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f9b508b3eecc00a243edf320bd83834d6a9b482"
},
{
"url": "https://git.kernel.org/stable/c/b126097b0327437048bd045a0e4d273dea2910dd"
}
],
"title": "i2c: imx: preserve error state in block data length handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23197",
"datePublished": "2026-02-14T16:27:22.919Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:22.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23174 (GCVE-0-2026-23174)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
nvme-pci: handle changing device dma map requirements
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: handle changing device dma map requirements
The initial state of dma_needs_unmap may be false, but change to true
while mapping the data iterator. Enabling swiotlb is one such case that
can change the result. The nvme driver needs to save the mapped dma
vectors to be unmapped later, so allocate as needed during iteration
rather than assume it was always allocated at the beginning. This fixes
a NULL dereference from accessing an uninitialized dma_vecs when the
device dma unmapping requirements change mid-iteration.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3ed399e9aa6f36e92d2d0fe88b387915e9705fe",
"status": "affected",
"version": "b8b7570a7ec872f2a27b775c4f8710ca8a357adf",
"versionType": "git"
},
{
"lessThan": "071be3b0b6575d45be9df9c5b612f5882bfc5e88",
"status": "affected",
"version": "b8b7570a7ec872f2a27b775c4f8710ca8a357adf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: handle changing device dma map requirements\n\nThe initial state of dma_needs_unmap may be false, but change to true\nwhile mapping the data iterator. Enabling swiotlb is one such case that\ncan change the result. The nvme driver needs to save the mapped dma\nvectors to be unmapped later, so allocate as needed during iteration\nrather than assume it was always allocated at the beginning. This fixes\na NULL dereference from accessing an uninitialized dma_vecs when the\ndevice dma unmapping requirements change mid-iteration."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:07.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3ed399e9aa6f36e92d2d0fe88b387915e9705fe"
},
{
"url": "https://git.kernel.org/stable/c/071be3b0b6575d45be9df9c5b612f5882bfc5e88"
}
],
"title": "nvme-pci: handle changing device dma map requirements",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23174",
"datePublished": "2026-02-14T16:27:07.421Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:27:07.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23165 (GCVE-0-2026-23165)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
sfc: fix deadlock in RSS config read
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix deadlock in RSS config read
Since cited commit, core locks the net_device's rss_lock when handling
ethtool -x command, so driver's implementation should not lock it
again. Remove the latter.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/mcdi_filters.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "590c8179ffb01c17644181408821b55b8704c50c",
"status": "affected",
"version": "040cef30b5e67271e3193e0206f82b206fc97095",
"versionType": "git"
},
{
"lessThan": "944c614b0a7afa5b87612c3fb557b95a50ad654c",
"status": "affected",
"version": "040cef30b5e67271e3193e0206f82b206fc97095",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/mcdi_filters.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix deadlock in RSS config read\n\nSince cited commit, core locks the net_device\u0027s rss_lock when handling\n ethtool -x command, so driver\u0027s implementation should not lock it\n again. Remove the latter."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:29.336Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/590c8179ffb01c17644181408821b55b8704c50c"
},
{
"url": "https://git.kernel.org/stable/c/944c614b0a7afa5b87612c3fb557b95a50ad654c"
}
],
"title": "sfc: fix deadlock in RSS config read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23165",
"datePublished": "2026-02-14T16:01:29.336Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-02-14T16:01:29.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23167 (GCVE-0-2026-23167)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
nfc: nci: Fix race between rfkill and nci_unregister_device().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: Fix race between rfkill and nci_unregister_device().
syzbot reported the splat below [0] without a repro.
It indicates that struct nci_dev.cmd_wq had been destroyed before
nci_close_device() was called via rfkill.
nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
(I think) was called from virtual_ncidev_close() when syzbot close()d
an fd of virtual_ncidev.
The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
first and then calls nfc_unregister_device(), which removes the
device from rfkill by rfkill_unregister().
So, the device is still visible via rfkill even after nci_dev.cmd_wq
is destroyed.
Let's unregister the device from rfkill first in nci_unregister_device().
Note that we cannot call nfc_unregister_device() before
nci_close_device() because
1) nfc_unregister_device() calls device_del() which frees
all memory allocated by devm_kzalloc() and linked to
ndev->conn_info_list
2) nci_rx_work() could try to queue nci_conn_info to
ndev->conn_info_list which could be leaked
Thus, nfc_unregister_device() is split into two functions so we
can remove rfkill interfaces only before nci_close_device().
[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08:
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6a2968aaf50c7a22fced77a5e24aa636281efca8 , < cd4412d5905ee580e96c48360dc98fcd9e6f3208
(git)
Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < eaa5da5130deda26420273d4610cf6e4f794ed75 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 546eba0b10989de9ccc7fd619e874a30561e2b88 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < 126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5 (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < c3369fc5e6120a72169e71acd72e987907a682af (git) Affected: 6a2968aaf50c7a22fced77a5e24aa636281efca8 , < d2492688bb9fed6ab6e313682c387ae71a66ebae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd4412d5905ee580e96c48360dc98fcd9e6f3208",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "eaa5da5130deda26420273d4610cf6e4f794ed75",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "546eba0b10989de9ccc7fd619e874a30561e2b88",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "c3369fc5e6120a72169e71acd72e987907a682af",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
},
{
"lessThan": "d2492688bb9fed6ab6e313682c387ae71a66ebae",
"status": "affected",
"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/nfc/nfc.h",
"net/nfc/core.c",
"net/nfc/nci/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet\u0027s unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n 1) nfc_unregister_device() calls device_del() which frees\n all memory allocated by devm_kzalloc() and linked to\n ndev-\u003econn_info_list\n\n 2) nci_rx_work() could try to queue nci_conn_info to\n ndev-\u003econn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d \u003c67\u003e 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:30.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd4412d5905ee580e96c48360dc98fcd9e6f3208"
},
{
"url": "https://git.kernel.org/stable/c/eaa5da5130deda26420273d4610cf6e4f794ed75"
},
{
"url": "https://git.kernel.org/stable/c/8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac"
},
{
"url": "https://git.kernel.org/stable/c/546eba0b10989de9ccc7fd619e874a30561e2b88"
},
{
"url": "https://git.kernel.org/stable/c/126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5"
},
{
"url": "https://git.kernel.org/stable/c/c3369fc5e6120a72169e71acd72e987907a682af"
},
{
"url": "https://git.kernel.org/stable/c/d2492688bb9fed6ab6e313682c387ae71a66ebae"
}
],
"title": "nfc: nci: Fix race between rfkill and nci_unregister_device().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23167",
"datePublished": "2026-02-14T16:01:30.755Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-02-14T16:01:30.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23137 (GCVE-0-2026-23137)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
of: unittest: Fix memory leak in unittest_data_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
of: unittest: Fix memory leak in unittest_data_add()
In unittest_data_add(), if of_resolve_phandles() fails, the allocated
unittest_data is not freed, leading to a memory leak.
Fix this by using scope-based cleanup helper __free(kfree) for automatic
resource cleanup. This ensures unittest_data is automatically freed when
it goes out of scope in error paths.
For the success path, use retain_and_null_ptr() to transfer ownership
of the memory to the device tree and prevent double freeing.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/unittest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f09b0f705bd7197863b90256ef533a6414d1db2c",
"status": "affected",
"version": "2eb46da2a760e5764c48b752a5ef320e02b96b21",
"versionType": "git"
},
{
"lessThan": "235a1eb8d2dcc49a6cf0a5ee1aa85544a5d0054b",
"status": "affected",
"version": "2eb46da2a760e5764c48b752a5ef320e02b96b21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/unittest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: Fix memory leak in unittest_data_add()\n\nIn unittest_data_add(), if of_resolve_phandles() fails, the allocated\nunittest_data is not freed, leading to a memory leak.\n\nFix this by using scope-based cleanup helper __free(kfree) for automatic\nresource cleanup. This ensures unittest_data is automatically freed when\nit goes out of scope in error paths.\n\nFor the success path, use retain_and_null_ptr() to transfer ownership\nof the memory to the device tree and prevent double freeing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:22.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f09b0f705bd7197863b90256ef533a6414d1db2c"
},
{
"url": "https://git.kernel.org/stable/c/235a1eb8d2dcc49a6cf0a5ee1aa85544a5d0054b"
}
],
"title": "of: unittest: Fix memory leak in unittest_data_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23137",
"datePublished": "2026-02-14T15:22:22.690Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:22:22.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23112 (GCVE-0-2026-23112)
Vulnerability from cvelistv5 – Published: 2026-02-13 13:29 – Updated: 2026-02-13 13:29
VLAI?
EPSS
Title
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU
length or offset exceeds sg_cnt and then use bogus sg->length/offset
values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining
entries, and sg->length/offset before building the bvec.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 043b4307a99f902697349128fde93b2ddde4686c
(git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 42afe8ed8ad2de9c19457156244ef3e1eca94b5d (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 1385be357e8acd09b36e026567f3a9d5c61139de (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < dca1a6ba0da9f472ef040525fab10fd9956db59f (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 19672ae68d52ff75347ebe2420dde1b07adca09f (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < ab200d71553bdcf4de554a5985b05b2dd606bc57 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 52a0a98549344ca20ad81a4176d68d28e3c05a5c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "043b4307a99f902697349128fde93b2ddde4686c",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "42afe8ed8ad2de9c19457156244ef3e1eca94b5d",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "1385be357e8acd09b36e026567f3a9d5c61139de",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "dca1a6ba0da9f472ef040525fab10fd9956db59f",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "19672ae68d52ff75347ebe2420dde1b07adca09f",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "ab200d71553bdcf4de554a5985b05b2dd606bc57",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "52a0a98549344ca20ad81a4176d68d28e3c05a5c",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd-\u003ereq.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg-\u003elength/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg-\u003elength/offset before building the bvec."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T13:29:56.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/043b4307a99f902697349128fde93b2ddde4686c"
},
{
"url": "https://git.kernel.org/stable/c/42afe8ed8ad2de9c19457156244ef3e1eca94b5d"
},
{
"url": "https://git.kernel.org/stable/c/1385be357e8acd09b36e026567f3a9d5c61139de"
},
{
"url": "https://git.kernel.org/stable/c/dca1a6ba0da9f472ef040525fab10fd9956db59f"
},
{
"url": "https://git.kernel.org/stable/c/19672ae68d52ff75347ebe2420dde1b07adca09f"
},
{
"url": "https://git.kernel.org/stable/c/ab200d71553bdcf4de554a5985b05b2dd606bc57"
},
{
"url": "https://git.kernel.org/stable/c/52a0a98549344ca20ad81a4176d68d28e3c05a5c"
}
],
"title": "nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23112",
"datePublished": "2026-02-13T13:29:56.724Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-02-13T13:29:56.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23128 (GCVE-0-2026-23128)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
arm64: Set __nocfi on swsusp_arch_resume()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: Set __nocfi on swsusp_arch_resume()
A DABT is reported[1] on an android based system when resume from hiberate.
This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
and does not have a CFI hash, but swsusp_arch_resume() will attempt to
verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
Given that there's an existing requirement that the entrypoint to
swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
section, we cannot fix this by marking swsusp_arch_suspend_exit() with
SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
swsusp_arch_resume().
Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
[1]
[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
[ 22.991934][ T1] Mem abort info:
[ 22.991934][ T1] ESR = 0x0000000096000007
[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits
[ 22.991934][ T1] SET = 0, FnV = 0
[ 22.991934][ T1] EA = 0, S1PTW = 0
[ 22.991934][ T1] FSC = 0x07: level 3 translation fault
[ 22.991934][ T1] Data abort info:
[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper
[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
[ 22.991934][ T1] Dumping ftrace buffer:
[ 22.991934][ T1] (ftrace buffer empty)
[ 22.991934][ T1] Modules linked in:
[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)
[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344
[ 22.991934][ T1] sp : ffffffc08006b960
[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
[ 22.991934][ T1] Call trace:
[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344
[ 22.991934][ T1] hibernation_restore+0x158/0x18c
[ 22.991934][ T1] load_image_and_restore+0xb0/0xec
[ 22.991934][ T1] software_resume+0xf4/0x19c
[ 22.991934][ T1] software_resume_initcall+0x34/0x78
[ 22.991934][ T1] do_one_initcall+0xe8/0x370
[ 22.991934][ T1] do_initcall_level+0xc8/0x19c
[ 22.991934][ T1] do_initcalls+0x70/0xc0
[ 22.991934][ T1] do_basic_setup+0x1c/0x28
[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148
[ 22.991934][ T1] kernel_init+0x20/0x1a8
[ 22.991934][ T1] ret_from_fork+0x10/0x20
[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
[catalin.marinas@arm.com: commit log updated by Mark Rutland]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 122b7cb80f7d468fcc2d18cf7eb320f09f310a96
(git)
Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 8557bdd9af8dd04911fba56ff92b17842b0b5c7f (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 9773a886f26766a8db92d4b342b620a82c2de7dd (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < 6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08 (git) Affected: 89245600941e4e0f87d77f60ee269b5e61ef4e49 , < e2f8216ca2d8e61a23cb6ec355616339667e0ba6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "122b7cb80f7d468fcc2d18cf7eb320f09f310a96",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "8557bdd9af8dd04911fba56ff92b17842b0b5c7f",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "9773a886f26766a8db92d4b342b620a82c2de7dd",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
},
{
"lessThan": "e2f8216ca2d8e61a23cb6ec355616339667e0ba6",
"status": "affected",
"version": "89245600941e4e0f87d77f60ee269b5e61ef4e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/hibernate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Set __nocfi on swsusp_arch_resume()\n\nA DABT is reported[1] on an android based system when resume from hiberate.\nThis happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()\nand does not have a CFI hash, but swsusp_arch_resume() will attempt to\nverify the CFI hash when calling a copy of swsusp_arch_suspend_exit().\n\nGiven that there\u0027s an existing requirement that the entrypoint to\nswsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text\nsection, we cannot fix this by marking swsusp_arch_suspend_exit() with\nSYM_FUNC_*(). The simplest fix for now is to disable the CFI check in\nswsusp_arch_resume().\n\nMark swsusp_arch_resume() as __nocfi to disable the CFI check.\n\n[1]\n[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc\n[ 22.991934][ T1] Mem abort info:\n[ 22.991934][ T1] ESR = 0x0000000096000007\n[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 22.991934][ T1] SET = 0, FnV = 0\n[ 22.991934][ T1] EA = 0, S1PTW = 0\n[ 22.991934][ T1] FSC = 0x07: level 3 translation fault\n[ 22.991934][ T1] Data abort info:\n[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper\n[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP\n[ 22.991934][ T1] Dumping ftrace buffer:\n[ 22.991934][ T1] (ftrace buffer empty)\n[ 22.991934][ T1] Modules linked in:\n[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419\n[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)\n[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344\n[ 22.991934][ T1] sp : ffffffc08006b960\n[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000\n[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820\n[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000\n[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058\n[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004\n[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000\n[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000\n[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b\n[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530\n[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000\n[ 22.991934][ T1] Call trace:\n[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344\n[ 22.991934][ T1] hibernation_restore+0x158/0x18c\n[ 22.991934][ T1] load_image_and_restore+0xb0/0xec\n[ 22.991934][ T1] software_resume+0xf4/0x19c\n[ 22.991934][ T1] software_resume_initcall+0x34/0x78\n[ 22.991934][ T1] do_one_initcall+0xe8/0x370\n[ 22.991934][ T1] do_initcall_level+0xc8/0x19c\n[ 22.991934][ T1] do_initcalls+0x70/0xc0\n[ 22.991934][ T1] do_basic_setup+0x1c/0x28\n[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148\n[ 22.991934][ T1] kernel_init+0x20/0x1a8\n[ 22.991934][ T1] ret_from_fork+0x10/0x20\n[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)\n\n[catalin.marinas@arm.com: commit log updated by Mark Rutland]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:49.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/122b7cb80f7d468fcc2d18cf7eb320f09f310a96"
},
{
"url": "https://git.kernel.org/stable/c/8557bdd9af8dd04911fba56ff92b17842b0b5c7f"
},
{
"url": "https://git.kernel.org/stable/c/9773a886f26766a8db92d4b342b620a82c2de7dd"
},
{
"url": "https://git.kernel.org/stable/c/6e32070d29d1a35d8f4b3c03babf6c0e5efd1d08"
},
{
"url": "https://git.kernel.org/stable/c/e2f8216ca2d8e61a23cb6ec355616339667e0ba6"
}
],
"title": "arm64: Set __nocfi on swsusp_arch_resume()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23128",
"datePublished": "2026-02-14T15:09:56.916Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-16T08:58:49.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23193 (GCVE-0-2026-23193)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < 2b64015550a13bcc72910be0565548d9a754d46d
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < fd8b0900173307039d3a84644c2fee041a7ed4fb (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < d8dbdc146e9e9a976931b78715be2e91299049f9 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 11ebafffce31efc6abeb28c509017976fc49f1ca (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 41b86a9ec037bd3435d68dd3692f0891a207e7e7 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 4530f4e4d0e6a207110b0ffed0c911bca43531a4 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 84dc6037390b8607c5551047d3970336cb51ba9a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b64015550a13bcc72910be0565548d9a754d46d",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fd8b0900173307039d3a84644c2fee041a7ed4fb",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "d8dbdc146e9e9a976931b78715be2e91299049f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "11ebafffce31efc6abeb28c509017976fc49f1ca",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "41b86a9ec037bd3435d68dd3692f0891a207e7e7",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "4530f4e4d0e6a207110b0ffed0c911bca43531a4",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "84dc6037390b8607c5551047d3970336cb51ba9a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\n\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess-\u003esession_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\n\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\n\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:56.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b64015550a13bcc72910be0565548d9a754d46d"
},
{
"url": "https://git.kernel.org/stable/c/fd8b0900173307039d3a84644c2fee041a7ed4fb"
},
{
"url": "https://git.kernel.org/stable/c/d8dbdc146e9e9a976931b78715be2e91299049f9"
},
{
"url": "https://git.kernel.org/stable/c/11ebafffce31efc6abeb28c509017976fc49f1ca"
},
{
"url": "https://git.kernel.org/stable/c/41b86a9ec037bd3435d68dd3692f0891a207e7e7"
},
{
"url": "https://git.kernel.org/stable/c/4530f4e4d0e6a207110b0ffed0c911bca43531a4"
},
{
"url": "https://git.kernel.org/stable/c/84dc6037390b8607c5551047d3970336cb51ba9a"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23193",
"datePublished": "2026-02-14T16:27:20.251Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-16T08:58:56.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23155 (GCVE-0-2026-23155)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
an info message.
In the case of a short read where netdev has not yet been assigned,
initialize as NULL to avoid dereferencing an undefined value. Also report
the error value of the failed resubmit.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
aa8a8866c533a150be4763bcb27993603bd5426c , < aed58a28ea71a0d7d0947190fab1e3f4daa1d4a5
(git)
Affected: ce4352057fc5a986c76ece90801b9755e7c6e56c , < 923379f1d7e3af8ccbf11edbbcf41f1bb3e9cfe6 (git) Affected: c610b550ccc0438d456dfe1df9f4f36254ccaae3 , < 8986cdf52f86208df9c7887fee23365b5d37da26 (git) Affected: c3edc14da81a8d8398682f6e4ab819f09f37c0b7 , < 713ba826ae114ab339c9a1b31e209bebdadb0ac9 (git) Affected: 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 , < 494fc029f662c331e06b7c2031deff3c64200eed (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aed58a28ea71a0d7d0947190fab1e3f4daa1d4a5",
"status": "affected",
"version": "aa8a8866c533a150be4763bcb27993603bd5426c",
"versionType": "git"
},
{
"lessThan": "923379f1d7e3af8ccbf11edbbcf41f1bb3e9cfe6",
"status": "affected",
"version": "ce4352057fc5a986c76ece90801b9755e7c6e56c",
"versionType": "git"
},
{
"lessThan": "8986cdf52f86208df9c7887fee23365b5d37da26",
"status": "affected",
"version": "c610b550ccc0438d456dfe1df9f4f36254ccaae3",
"versionType": "git"
},
{
"lessThan": "713ba826ae114ab339c9a1b31e209bebdadb0ac9",
"status": "affected",
"version": "c3edc14da81a8d8398682f6e4ab819f09f37c0b7",
"versionType": "git"
},
{
"lessThan": "494fc029f662c331e06b7c2031deff3c64200eed",
"status": "affected",
"version": "79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.123",
"status": "affected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThan": "6.12.69",
"status": "affected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThan": "6.18.9",
"status": "affected",
"version": "6.18.8",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.18.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix error message\n\nSinc commit 79a6d1bfe114 (\"can: gs_usb: gs_usb_receive_bulk_callback():\nunanchor URL on usb_submit_urb() error\") a failing resubmit URB will print\nan info message.\n\nIn the case of a short read where netdev has not yet been assigned,\ninitialize as NULL to avoid dereferencing an undefined value. Also report\nthe error value of the failed resubmit."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:22.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aed58a28ea71a0d7d0947190fab1e3f4daa1d4a5"
},
{
"url": "https://git.kernel.org/stable/c/923379f1d7e3af8ccbf11edbbcf41f1bb3e9cfe6"
},
{
"url": "https://git.kernel.org/stable/c/8986cdf52f86208df9c7887fee23365b5d37da26"
},
{
"url": "https://git.kernel.org/stable/c/713ba826ae114ab339c9a1b31e209bebdadb0ac9"
},
{
"url": "https://git.kernel.org/stable/c/494fc029f662c331e06b7c2031deff3c64200eed"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): fix error message",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23155",
"datePublished": "2026-02-14T16:01:22.429Z",
"dateReserved": "2026-01-13T15:37:45.977Z",
"dateUpdated": "2026-02-14T16:01:22.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23205 (GCVE-0-2026-23205)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
smb/client: fix memory leak in smb2_open_file()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577
...
Call Trace:
<TASK>
kmem_cache_destroy+0x94/0x190
cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400
__x64_sys_delete_module+0x5f/0x70
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x89/0x350
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
17e53a15e64b65623b8f2b1185d27d7b1cbf69ab , < 743f70406264348c0830f38409eb6c40a42fb2db
(git)
Affected: 18066188eb90cc0c798f3370a8078a79ddb73f70 , < 3a6d6b332f92990958602c1e35ce0173e2dd62e9 (git) Affected: 6ebb9d54eccc8026b386e76eff69364d33373da5 , < b64e3b5d8d759dd4333992e4ba4dadf9359952c8 (git) Affected: e255612b5ed9f179abe8196df7c2ba09dd227900 , < 9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5 (git) Affected: e255612b5ed9f179abe8196df7c2ba09dd227900 , < e3a43633023e3cacaca60d4b8972d084a2b06236 (git) Affected: bcd15f06c7e8904116cfb06526bcc189b86aff85 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "743f70406264348c0830f38409eb6c40a42fb2db",
"status": "affected",
"version": "17e53a15e64b65623b8f2b1185d27d7b1cbf69ab",
"versionType": "git"
},
{
"lessThan": "3a6d6b332f92990958602c1e35ce0173e2dd62e9",
"status": "affected",
"version": "18066188eb90cc0c798f3370a8078a79ddb73f70",
"versionType": "git"
},
{
"lessThan": "b64e3b5d8d759dd4333992e4ba4dadf9359952c8",
"status": "affected",
"version": "6ebb9d54eccc8026b386e76eff69364d33373da5",
"versionType": "git"
},
{
"lessThan": "9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5",
"status": "affected",
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"versionType": "git"
},
{
"lessThan": "e3a43633023e3cacaca60d4b8972d084a2b06236",
"status": "affected",
"version": "e255612b5ed9f179abe8196df7c2ba09dd227900",
"versionType": "git"
},
{
"status": "affected",
"version": "bcd15f06c7e8904116cfb06526bcc189b86aff85",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix memory leak in smb2_open_file()\n\nReproducer:\n\n 1. server: directories are exported read-only\n 2. client: mount -t cifs //${server_ip}/export /mnt\n 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n 4. client: umount /mnt\n 5. client: sleep 1\n 6. client: modprobe -r cifs\n\nThe error message is as follows:\n\n =============================================================================\n BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n -----------------------------------------------------------------------------\n\n Object 0x00000000d47521be @offset=14336\n ...\n WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n ...\n Call Trace:\n \u003cTASK\u003e\n kmem_cache_destroy+0x94/0x190\n cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n cleanup_module+0x4e/0x540 [cifs]\n __se_sys_delete_module+0x278/0x400\n __x64_sys_delete_module+0x5f/0x70\n x64_sys_call+0x2299/0x2ff0\n do_syscall_64+0x89/0x350\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:28.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/743f70406264348c0830f38409eb6c40a42fb2db"
},
{
"url": "https://git.kernel.org/stable/c/3a6d6b332f92990958602c1e35ce0173e2dd62e9"
},
{
"url": "https://git.kernel.org/stable/c/b64e3b5d8d759dd4333992e4ba4dadf9359952c8"
},
{
"url": "https://git.kernel.org/stable/c/9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5"
},
{
"url": "https://git.kernel.org/stable/c/e3a43633023e3cacaca60d4b8972d084a2b06236"
}
],
"title": "smb/client: fix memory leak in smb2_open_file()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23205",
"datePublished": "2026-02-14T16:27:28.409Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:28.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23118 (GCVE-0-2026-23118)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
rxrpc: Fix data-race warning and potential load/store tearing
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix data-race warning and potential load/store tearing
Fix the following:
BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet
which is reporting an issue with the reads and writes to ->last_tx_at in:
conn->peer->last_tx_at = ktime_get_seconds();
and:
keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
The lockless accesses to these to values aren't actually a problem as the
read only needs an approximate time of last transmission for the purposes
of deciding whether or not the transmission of a keepalive packet is
warranted yet.
Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit
arch.
Fix both of these by switching to an unsigned int for ->last_tx_at and only
storing the LSW of the time64_t. It can then be reconstructed at need
provided no more than 68 years has elapsed since the last transmission.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ace45bec6d77bc061c3c3d8ad99e298ea9800c2b , < c08cf314191cd0f8699089715efb9eff030f0086
(git)
Affected: ace45bec6d77bc061c3c3d8ad99e298ea9800c2b , < f8cf1368e0a5491b27189a695c36f64e48f3d19d (git) Affected: ace45bec6d77bc061c3c3d8ad99e298ea9800c2b , < 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/ar-internal.h",
"net/rxrpc/conn_event.c",
"net/rxrpc/output.c",
"net/rxrpc/peer_event.c",
"net/rxrpc/proc.c",
"net/rxrpc/rxgk.c",
"net/rxrpc/rxkad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c08cf314191cd0f8699089715efb9eff030f0086",
"status": "affected",
"version": "ace45bec6d77bc061c3c3d8ad99e298ea9800c2b",
"versionType": "git"
},
{
"lessThan": "f8cf1368e0a5491b27189a695c36f64e48f3d19d",
"status": "affected",
"version": "ace45bec6d77bc061c3c3d8ad99e298ea9800c2b",
"versionType": "git"
},
{
"lessThan": "5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b",
"status": "affected",
"version": "ace45bec6d77bc061c3c3d8ad99e298ea9800c2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/ar-internal.h",
"net/rxrpc/conn_event.c",
"net/rxrpc/output.c",
"net/rxrpc/peer_event.c",
"net/rxrpc/proc.c",
"net/rxrpc/rxgk.c",
"net/rxrpc/rxkad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix data-race warning and potential load/store tearing\n\nFix the following:\n\n BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet\n\nwhich is reporting an issue with the reads and writes to -\u003elast_tx_at in:\n\n conn-\u003epeer-\u003elast_tx_at = ktime_get_seconds();\n\nand:\n\n keepalive_at = peer-\u003elast_tx_at + RXRPC_KEEPALIVE_TIME;\n\nThe lockless accesses to these to values aren\u0027t actually a problem as the\nread only needs an approximate time of last transmission for the purposes\nof deciding whether or not the transmission of a keepalive packet is\nwarranted yet.\n\nAlso, as -\u003elast_tx_at is a 64-bit value, tearing can occur on a 32-bit\narch.\n\nFix both of these by switching to an unsigned int for -\u003elast_tx_at and only\nstoring the LSW of the time64_t. It can then be reconstructed at need\nprovided no more than 68 years has elapsed since the last transmission."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:49.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c08cf314191cd0f8699089715efb9eff030f0086"
},
{
"url": "https://git.kernel.org/stable/c/f8cf1368e0a5491b27189a695c36f64e48f3d19d"
},
{
"url": "https://git.kernel.org/stable/c/5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b"
}
],
"title": "rxrpc: Fix data-race warning and potential load/store tearing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23118",
"datePublished": "2026-02-14T15:09:49.845Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:49.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71202 (GCVE-0-2025-71202)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
iommu/sva: invalidate stale IOTLB entries for kernel address space
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/sva: invalidate stale IOTLB entries for kernel address space
Introduce a new IOMMU interface to flush IOTLB paging cache entries for
the CPU kernel address space. This interface is invoked from the x86
architecture code that manages combined user and kernel page tables,
specifically before any kernel page table page is freed and reused.
This addresses the main issue with vfree() which is a common occurrence
and can be triggered by unprivileged users. While this resolves the
primary problem, it doesn't address some extremely rare case related to
memory unplug of memory that was present as reserved memory at boot, which
cannot be triggered by unprivileged users. The discussion can be found at
the link below.
Enable SVA on x86 architecture since the IOMMU can now receive
notification to flush the paging cache before freeing the CPU kernel page
table pages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/Kconfig",
"drivers/iommu/iommu-sva.c",
"include/linux/iommu.h",
"mm/pgtable-generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f0a7ab700f8620e433b05c57fbd26c92ea186d9",
"status": "affected",
"version": "2f26e0a9c9860db290d63e9d85c2c8c09813677f",
"versionType": "git"
},
{
"lessThan": "e37d5a2d60a338c5917c45296bac65da1382eda5",
"status": "affected",
"version": "2f26e0a9c9860db290d63e9d85c2c8c09813677f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/Kconfig",
"drivers/iommu/iommu-sva.c",
"include/linux/iommu.h",
"mm/pgtable-generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sva: invalidate stale IOTLB entries for kernel address space\n\nIntroduce a new IOMMU interface to flush IOTLB paging cache entries for\nthe CPU kernel address space. This interface is invoked from the x86\narchitecture code that manages combined user and kernel page tables,\nspecifically before any kernel page table page is freed and reused.\n\nThis addresses the main issue with vfree() which is a common occurrence\nand can be triggered by unprivileged users. While this resolves the\nprimary problem, it doesn\u0027t address some extremely rare case related to\nmemory unplug of memory that was present as reserved memory at boot, which\ncannot be triggered by unprivileged users. The discussion can be found at\nthe link below.\n\nEnable SVA on x86 architecture since the IOMMU can now receive\nnotification to flush the paging cache before freeing the CPU kernel page\ntable pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:38.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f0a7ab700f8620e433b05c57fbd26c92ea186d9"
},
{
"url": "https://git.kernel.org/stable/c/e37d5a2d60a338c5917c45296bac65da1382eda5"
}
],
"title": "iommu/sva: invalidate stale IOTLB entries for kernel address space",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71202",
"datePublished": "2026-02-14T15:36:06.588Z",
"dateReserved": "2026-01-31T11:36:51.194Z",
"dateUpdated": "2026-02-16T08:58:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23173 (GCVE-0-2026-23173)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
net/mlx5e: TC, delete flows only for existing peers
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: TC, delete flows only for existing peers
When deleting TC steering flows, iterate only over actual devcom
peers instead of assuming all possible ports exist. This avoids
touching non-existent peers and ensures cleanup is limited to
devices the driver is currently connected to.
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 133c8a067 P4D 0
Oops: Oops: 0002 [#1] SMP
CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
RSP: 0018:ff11000143867528 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
Call Trace:
<TASK>
mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
mlx5e_flow_put+0x25/0x50 [mlx5_core]
mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
tc_setup_cb_reoffload+0x20/0x80
fl_reoffload+0x26f/0x2f0 [cls_flower]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
tcf_block_playback_offloads+0x9e/0x1c0
tcf_block_unbind+0x7b/0xd0
tcf_block_setup+0x186/0x1d0
tcf_block_offload_cmd.isra.0+0xef/0x130
tcf_block_offload_unbind+0x43/0x70
__tcf_block_put+0x85/0x160
ingress_destroy+0x32/0x110 [sch_ingress]
__qdisc_destroy+0x44/0x100
qdisc_graft+0x22b/0x610
tc_get_qdisc+0x183/0x4d0
rtnetlink_rcv_msg+0x2d7/0x3d0
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x249/0x320
? __alloc_skb+0x102/0x1f0
netlink_sendmsg+0x1e3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1ef/0x230
? copy_msghdr_from_user+0x6c/0xa0
___sys_sendmsg+0x7f/0xc0
? ___sys_recvmsg+0x8a/0xc0
? __sys_sendto+0x119/0x180
__sys_sendmsg+0x61/0xb0
do_syscall_64+0x55/0x640
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f35238bb764
Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < 62e1d8920f6920543f4b095a65fb964448c9901d
(git)
Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < 2652e2f1253c53f9a3ce84cc972568b32c892734 (git) Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < fdf8437016f578f18b160c6e14f13ab96bfbc3ba (git) Affected: 9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 , < f67666938ae626cbda63fbf5176b3583c07e7124 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62e1d8920f6920543f4b095a65fb964448c9901d",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "2652e2f1253c53f9a3ce84cc972568b32c892734",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "fdf8437016f578f18b160c6e14f13ab96bfbc3ba",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
},
{
"lessThan": "f67666938ae626cbda63fbf5176b3583c07e7124",
"status": "affected",
"version": "9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, delete flows only for existing peers\n\nWhen deleting TC steering flows, iterate only over actual devcom\npeers instead of assuming all possible ports exist. This avoids\ntouching non-existent peers and ensures cleanup is limited to\ndevices the driver is currently connected to.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 133c8a067 P4D 0\n Oops: Oops: 0002 [#1] SMP\n CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]\n Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff \u003c48\u003e 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49\n RSP: 0018:ff11000143867528 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000\n RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0\n RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002\n R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78\n R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0\n FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0\n Call Trace:\n \u003cTASK\u003e\n mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n mlx5e_flow_put+0x25/0x50 [mlx5_core]\n mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]\n tc_setup_cb_reoffload+0x20/0x80\n fl_reoffload+0x26f/0x2f0 [cls_flower]\n ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n tcf_block_playback_offloads+0x9e/0x1c0\n tcf_block_unbind+0x7b/0xd0\n tcf_block_setup+0x186/0x1d0\n tcf_block_offload_cmd.isra.0+0xef/0x130\n tcf_block_offload_unbind+0x43/0x70\n __tcf_block_put+0x85/0x160\n ingress_destroy+0x32/0x110 [sch_ingress]\n __qdisc_destroy+0x44/0x100\n qdisc_graft+0x22b/0x610\n tc_get_qdisc+0x183/0x4d0\n rtnetlink_rcv_msg+0x2d7/0x3d0\n ? rtnl_calcit.isra.0+0x100/0x100\n netlink_rcv_skb+0x53/0x100\n netlink_unicast+0x249/0x320\n ? __alloc_skb+0x102/0x1f0\n netlink_sendmsg+0x1e3/0x420\n __sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x1ef/0x230\n ? copy_msghdr_from_user+0x6c/0xa0\n ___sys_sendmsg+0x7f/0xc0\n ? ___sys_recvmsg+0x8a/0xc0\n ? __sys_sendto+0x119/0x180\n __sys_sendmsg+0x61/0xb0\n do_syscall_64+0x55/0x640\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f35238bb764\n Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55\n RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764\n RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003\n RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20\n R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790\n R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:34.842Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62e1d8920f6920543f4b095a65fb964448c9901d"
},
{
"url": "https://git.kernel.org/stable/c/2652e2f1253c53f9a3ce84cc972568b32c892734"
},
{
"url": "https://git.kernel.org/stable/c/fdf8437016f578f18b160c6e14f13ab96bfbc3ba"
},
{
"url": "https://git.kernel.org/stable/c/f67666938ae626cbda63fbf5176b3583c07e7124"
}
],
"title": "net/mlx5e: TC, delete flows only for existing peers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23173",
"datePublished": "2026-02-14T16:01:34.842Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:01:34.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23188 (GCVE-0-2026-23188)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
net: usb: r8152: fix resume reset deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: r8152: fix resume reset deadlock
rtl8152 can trigger device reset during reset which
potentially can result in a deadlock:
**** DPM device timeout after 10 seconds; 15 seconds until panic ****
Call Trace:
<TASK>
schedule+0x483/0x1370
schedule_preempt_disabled+0x15/0x30
__mutex_lock_common+0x1fd/0x470
__rtl8152_set_mac_address+0x80/0x1f0
dev_set_mac_address+0x7f/0x150
rtl8152_post_reset+0x72/0x150
usb_reset_device+0x1d0/0x220
rtl8152_resume+0x99/0xc0
usb_resume_interface+0x3e/0xc0
usb_resume_both+0x104/0x150
usb_resume+0x22/0x110
The problem is that rtl8152 resume calls reset under
tp->control mutex while reset basically re-enters rtl8152
and attempts to acquire the same tp->control lock once
again.
Reset INACCESSIBLE device outside of tp->control mutex
scope to avoid recursive mutex_lock() deadlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4933b066fefbee4f1d2d708de53c4ab7f09026ad , < 61c8091b7937f91f9bc0b7f6b578de270fe35dc7
(git)
Affected: 4933b066fefbee4f1d2d708de53c4ab7f09026ad , < 1b2efc593dca99d8e8e6f6d6c7ccd9a972679702 (git) Affected: 4933b066fefbee4f1d2d708de53c4ab7f09026ad , < 6d06bc83a5ae8777a5f7a81c32dd75b8d9b2fe04 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/r8152.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61c8091b7937f91f9bc0b7f6b578de270fe35dc7",
"status": "affected",
"version": "4933b066fefbee4f1d2d708de53c4ab7f09026ad",
"versionType": "git"
},
{
"lessThan": "1b2efc593dca99d8e8e6f6d6c7ccd9a972679702",
"status": "affected",
"version": "4933b066fefbee4f1d2d708de53c4ab7f09026ad",
"versionType": "git"
},
{
"lessThan": "6d06bc83a5ae8777a5f7a81c32dd75b8d9b2fe04",
"status": "affected",
"version": "4933b066fefbee4f1d2d708de53c4ab7f09026ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/r8152.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: r8152: fix resume reset deadlock\n\nrtl8152 can trigger device reset during reset which\npotentially can result in a deadlock:\n\n **** DPM device timeout after 10 seconds; 15 seconds until panic ****\n Call Trace:\n \u003cTASK\u003e\n schedule+0x483/0x1370\n schedule_preempt_disabled+0x15/0x30\n __mutex_lock_common+0x1fd/0x470\n __rtl8152_set_mac_address+0x80/0x1f0\n dev_set_mac_address+0x7f/0x150\n rtl8152_post_reset+0x72/0x150\n usb_reset_device+0x1d0/0x220\n rtl8152_resume+0x99/0xc0\n usb_resume_interface+0x3e/0xc0\n usb_resume_both+0x104/0x150\n usb_resume+0x22/0x110\n\nThe problem is that rtl8152 resume calls reset under\ntp-\u003econtrol mutex while reset basically re-enters rtl8152\nand attempts to acquire the same tp-\u003econtrol lock once\nagain.\n\nReset INACCESSIBLE device outside of tp-\u003econtrol mutex\nscope to avoid recursive mutex_lock() deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:16.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61c8091b7937f91f9bc0b7f6b578de270fe35dc7"
},
{
"url": "https://git.kernel.org/stable/c/1b2efc593dca99d8e8e6f6d6c7ccd9a972679702"
},
{
"url": "https://git.kernel.org/stable/c/6d06bc83a5ae8777a5f7a81c32dd75b8d9b2fe04"
}
],
"title": "net: usb: r8152: fix resume reset deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23188",
"datePublished": "2026-02-14T16:27:16.869Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:16.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23147 (GCVE-0-2026-23147)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
btrfs: zlib: fix the folio leak on S390 hardware acceleration
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zlib: fix the folio leak on S390 hardware acceleration
[BUG]
After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration
buffer preparation"), we no longer release the folio of the page cache
of folio returned by btrfs_compress_filemap_get_folio() for S390
hardware acceleration path.
[CAUSE]
Before that commit, we call kumap_local() and folio_put() after handling
each folio.
Although the timing is not ideal (it release previous folio at the
beginning of the loop, and rely on some extra cleanup out of the loop),
it at least handles the folio release correctly.
Meanwhile the refactored code is easier to read, it lacks the call to
release the filemap folio.
[FIX]
Add the missing folio_put() for copy_data_into_buffer().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zlib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e80617a5e1c246da2f112a1a072cdd535046adfe",
"status": "affected",
"version": "aa60fe12b4f49f49fc73e5023f8675e2df1f7805",
"versionType": "git"
},
{
"lessThan": "0d0f1314e8f86f5205f71f9e31e272a1d008e40b",
"status": "affected",
"version": "aa60fe12b4f49f49fc73e5023f8675e2df1f7805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zlib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zlib: fix the folio leak on S390 hardware acceleration\n\n[BUG]\nAfter commit aa60fe12b4f4 (\"btrfs: zlib: refactor S390x HW acceleration\nbuffer preparation\"), we no longer release the folio of the page cache\nof folio returned by btrfs_compress_filemap_get_folio() for S390\nhardware acceleration path.\n\n[CAUSE]\nBefore that commit, we call kumap_local() and folio_put() after handling\neach folio.\n\nAlthough the timing is not ideal (it release previous folio at the\nbeginning of the loop, and rely on some extra cleanup out of the loop),\nit at least handles the folio release correctly.\n\nMeanwhile the refactored code is easier to read, it lacks the call to\nrelease the filemap folio.\n\n[FIX]\nAdd the missing folio_put() for copy_data_into_buffer()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:16.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e80617a5e1c246da2f112a1a072cdd535046adfe"
},
{
"url": "https://git.kernel.org/stable/c/0d0f1314e8f86f5205f71f9e31e272a1d008e40b"
}
],
"title": "btrfs: zlib: fix the folio leak on S390 hardware acceleration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23147",
"datePublished": "2026-02-14T16:01:16.917Z",
"dateReserved": "2026-01-13T15:37:45.975Z",
"dateUpdated": "2026-02-14T16:01:16.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23114 (GCVE-0-2026-23114)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
arm64/fpsimd: ptrace: Fix SVE writes on !SME systems
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: ptrace: Fix SVE writes on !SME systems
When SVE is supported but SME is not supported, a ptrace write to the
NT_ARM_SVE regset can place the tracee into an invalid state where
(non-streaming) SVE register data is stored in FP_STATE_SVE format but
TIF_SVE is clear. This can result in a later warning from
fpsimd_restore_current_state(), e.g.
WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748
When this happens, fpsimd_restore_current_state() will set TIF_SVE,
placing the task into the correct state. This occurs before any other
check of TIF_SVE can possibly occur, as other checks of TIF_SVE only
happen while the FPSIMD/SVE/SME state is live. Thus, aside from the
warning, there is no functional issue.
This bug was introduced during rework to error handling in commit:
9f8bf718f2923 ("arm64/fpsimd: ptrace: Gracefully handle errors")
... where the setting of TIF_SVE was moved into a block which is only
executed when system_supports_sme() is true.
Fix this by removing the system_supports_sme() check. This ensures that
TIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of
unconditionally manipulating the tracee's saved svcr value. The
manipulation of svcr is benign and inexpensive, and we already do
similar elsewhere (e.g. during signal handling), so I don't think it's
worth guarding this with system_supports_sme() checks.
Aside from the above, there is no functional change. The 'type' argument
to sve_set_common() is only set to ARM64_VEC_SME (in ssve_set())) when
system_supports_sme(), so the ARM64_VEC_SME case in the switch statement
is still unreachable when !system_supports_sme(). When
CONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(),
and the compiler can constant-fold for the case where type is
ARM64_VEC_SVE, removing the logic for other cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f39984176e7edcaba3432b6c649c6fe93bf2f80",
"status": "affected",
"version": "9f8bf718f29230e38a048d08fc3063e316cd60c1",
"versionType": "git"
},
{
"lessThan": "128a7494a9f15aad60cc6b7e3546bf481ac54a13",
"status": "affected",
"version": "9f8bf718f29230e38a048d08fc3063e316cd60c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/ptrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: ptrace: Fix SVE writes on !SME systems\n\nWhen SVE is supported but SME is not supported, a ptrace write to the\nNT_ARM_SVE regset can place the tracee into an invalid state where\n(non-streaming) SVE register data is stored in FP_STATE_SVE format but\nTIF_SVE is clear. This can result in a later warning from\nfpsimd_restore_current_state(), e.g.\n\n WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748\n\nWhen this happens, fpsimd_restore_current_state() will set TIF_SVE,\nplacing the task into the correct state. This occurs before any other\ncheck of TIF_SVE can possibly occur, as other checks of TIF_SVE only\nhappen while the FPSIMD/SVE/SME state is live. Thus, aside from the\nwarning, there is no functional issue.\n\nThis bug was introduced during rework to error handling in commit:\n\n 9f8bf718f2923 (\"arm64/fpsimd: ptrace: Gracefully handle errors\")\n\n... where the setting of TIF_SVE was moved into a block which is only\nexecuted when system_supports_sme() is true.\n\nFix this by removing the system_supports_sme() check. This ensures that\nTIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of\nunconditionally manipulating the tracee\u0027s saved svcr value. The\nmanipulation of svcr is benign and inexpensive, and we already do\nsimilar elsewhere (e.g. during signal handling), so I don\u0027t think it\u0027s\nworth guarding this with system_supports_sme() checks.\n\nAside from the above, there is no functional change. The \u0027type\u0027 argument\nto sve_set_common() is only set to ARM64_VEC_SME (in ssve_set())) when\nsystem_supports_sme(), so the ARM64_VEC_SME case in the switch statement\nis still unreachable when !system_supports_sme(). When\nCONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(),\nand the compiler can constant-fold for the case where type is\nARM64_VEC_SVE, removing the logic for other cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:47.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f39984176e7edcaba3432b6c649c6fe93bf2f80"
},
{
"url": "https://git.kernel.org/stable/c/128a7494a9f15aad60cc6b7e3546bf481ac54a13"
}
],
"title": "arm64/fpsimd: ptrace: Fix SVE writes on !SME systems",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23114",
"datePublished": "2026-02-14T15:09:47.048Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-02-14T15:09:47.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23171 (GCVE-0-2026-23171)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
bonding: fix use-after-free due to enslave fail after slave array update
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix use-after-free due to enslave fail after slave array update
Fix a use-after-free which happens due to enslave failure after the new
slave has been added to the array. Since the new slave can be used for Tx
immediately, we can use it after it has been freed by the enslave error
cleanup path which frees the allocated slave memory. Slave update array is
supposed to be called last when further enslave failures are not expected.
Move it after xdp setup to avoid any problems.
It is very easy to reproduce the problem with a simple xdp_pass prog:
ip l add bond1 type bond mode balance-xor
ip l set bond1 up
ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
ip l add dumdum type dummy
Then run in parallel:
while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
The crash happens almost immediately:
[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "e9acda52fd2ee0cdca332f996da7a95c5fd25294",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix use-after-free due to enslave fail after slave array update\n\nFix a use-after-free which happens due to enslave failure after the new\nslave has been added to the array. Since the new slave can be used for Tx\nimmediately, we can use it after it has been freed by the enslave error\ncleanup path which frees the allocated slave memory. Slave update array is\nsupposed to be called last when further enslave failures are not expected.\nMove it after xdp setup to avoid any problems.\n\nIt is very easy to reproduce the problem with a simple xdp_pass prog:\n ip l add bond1 type bond mode balance-xor\n ip l set bond1 up\n ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass\n ip l add dumdum type dummy\n\nThen run in parallel:\n while :; do ip l set dumdum master bond1 1\u003e/dev/null 2\u003e\u00261; done;\n mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp \"dp=1-1023, flags=syn\"\n\nThe crash happens almost immediately:\n [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI\n [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]\n [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)\n [ 605.602979] Tainted: [B]=BAD_PAGE\n [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210\n [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89\n [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213\n [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000\n [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be\n [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c\n [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000\n [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84\n [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000\n [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0\n [ 605.603373] Call Trace:\n [ 605.603392] \u003cTASK\u003e\n [ 605.603410] __dev_queue_xmit+0x448/0x32a0\n [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10\n [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603546] ? _printk+0xcb/0x100\n [ 605.603566] ? __pfx__printk+0x10/0x10\n [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603627] ? add_taint+0x5e/0x70\n [ 605.603648] ? add_taint+0x2a/0x70\n [ 605.603670] ? end_report.cold+0x51/0x75\n [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:33.489Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d"
},
{
"url": "https://git.kernel.org/stable/c/e9acda52fd2ee0cdca332f996da7a95c5fd25294"
}
],
"title": "bonding: fix use-after-free due to enslave fail after slave array update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23171",
"datePublished": "2026-02-14T16:01:33.489Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-02-14T16:01:33.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23119 (GCVE-0-2026-23119)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
bonding: provide a net pointer to __skb_flow_dissect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")
we have to provide a net pointer to __skb_flow_dissect(),
either via skb->dev, skb->sk, or a user provided pointer.
In the following case, syzbot was able to cook a bare skb.
WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053
Call Trace:
<TASK>
bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]
__bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157
bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]
bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]
bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515
xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388
bpf_prog_run_xdp include/net/xdp.h:700 [inline]
bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421
bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390
bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
__sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58deb77cc52da9360d20676e68dd215742cbe473 , < 8e53780732ee881394406f79da5263b81eb48f7e
(git)
Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 3be945abdd228fd00f6afcf8d137002867a4651b (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < f4faaa1297ecf3255a8591fff2633df05bd5ec84 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 0efee0b992f28bd5ee01c7a86ef6a307c42eb907 (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < de97735a40a144974bf3896ee4cc0270db2e47db (git) Affected: 58deb77cc52da9360d20676e68dd215742cbe473 , < 5f9b329096596b7e53e07d041d7fca4cbe1be752 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e53780732ee881394406f79da5263b81eb48f7e",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "3be945abdd228fd00f6afcf8d137002867a4651b",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "f4faaa1297ecf3255a8591fff2633df05bd5ec84",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "0efee0b992f28bd5ee01c7a86ef6a307c42eb907",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "de97735a40a144974bf3896ee4cc0270db2e47db",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
},
{
"lessThan": "5f9b329096596b7e53e07d041d7fca4cbe1be752",
"status": "affected",
"version": "58deb77cc52da9360d20676e68dd215742cbe473",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: provide a net pointer to __skb_flow_dissect()\n\nAfter 3cbf4ffba5ee (\"net: plumb network namespace into __skb_flow_dissect\")\nwe have to provide a net pointer to __skb_flow_dissect(),\neither via skb-\u003edev, skb-\u003esk, or a user provided pointer.\n\nIn the following case, syzbot was able to cook a bare skb.\n\nWARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053\nCall Trace:\n \u003cTASK\u003e\n bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]\n __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157\n bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]\n bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]\n bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515\n xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388\n bpf_prog_run_xdp include/net/xdp.h:700 [inline]\n bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421\n bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390\n bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703\n __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182\n __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:50.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e53780732ee881394406f79da5263b81eb48f7e"
},
{
"url": "https://git.kernel.org/stable/c/3be945abdd228fd00f6afcf8d137002867a4651b"
},
{
"url": "https://git.kernel.org/stable/c/f4faaa1297ecf3255a8591fff2633df05bd5ec84"
},
{
"url": "https://git.kernel.org/stable/c/0efee0b992f28bd5ee01c7a86ef6a307c42eb907"
},
{
"url": "https://git.kernel.org/stable/c/bc3c8d2493c6f4d2038844dc8b7ee93de050f7fa"
},
{
"url": "https://git.kernel.org/stable/c/de97735a40a144974bf3896ee4cc0270db2e47db"
},
{
"url": "https://git.kernel.org/stable/c/5f9b329096596b7e53e07d041d7fca4cbe1be752"
}
],
"title": "bonding: provide a net pointer to __skb_flow_dissect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23119",
"datePublished": "2026-02-14T15:09:50.517Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:50.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23142 (GCVE-0-2026-23142)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-14 15:36
VLAI?
EPSS
Title
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
When a DAMOS-scheme DAMON sysfs directory setup fails after setup of
access_pattern/ directory, subdirectories of access_pattern/ directory are
not cleaned up. As a result, DAMON sysfs interface is nearly broken until
the system reboots, and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < ae8ac0066b48ed957bdcab58f0d3543549c57a29
(git)
Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < e9711bd0e64812c694a228cf58c9e6032decee54 (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 16236b0b4a08fa3e326cf1373ef789dabdc2e30d (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 725d4fdaa01bd1161782081f419e1568cc7432e0 (git) Affected: 9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 , < 392b3d9d595f34877dd745b470c711e8ebcd225c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae8ac0066b48ed957bdcab58f0d3543549c57a29",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "e9711bd0e64812c694a228cf58c9e6032decee54",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "16236b0b4a08fa3e326cf1373ef789dabdc2e30d",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "725d4fdaa01bd1161782081f419e1568cc7432e0",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
},
{
"lessThan": "392b3d9d595f34877dd745b470c711e8ebcd225c",
"status": "affected",
"version": "9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs-schemes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure\n\nWhen a DAMOS-scheme DAMON sysfs directory setup fails after setup of\naccess_pattern/ directory, subdirectories of access_pattern/ directory are\nnot cleaned up. As a result, DAMON sysfs interface is nearly broken until\nthe system reboots, and the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:08.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae8ac0066b48ed957bdcab58f0d3543549c57a29"
},
{
"url": "https://git.kernel.org/stable/c/e9711bd0e64812c694a228cf58c9e6032decee54"
},
{
"url": "https://git.kernel.org/stable/c/16236b0b4a08fa3e326cf1373ef789dabdc2e30d"
},
{
"url": "https://git.kernel.org/stable/c/725d4fdaa01bd1161782081f419e1568cc7432e0"
},
{
"url": "https://git.kernel.org/stable/c/392b3d9d595f34877dd745b470c711e8ebcd225c"
}
],
"title": "mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23142",
"datePublished": "2026-02-14T15:36:08.147Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-02-14T15:36:08.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71200 (GCVE-0-2025-71200)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode
When operating in HS200 or HS400 timing modes, reducing the clock frequency
below 52MHz will lead to link broken as the Rockchip DWC MSHC controller
requires maintaining a minimum clock of 52MHz in these modes.
Add a check to prevent illegal clock reduction through debugfs:
root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock
root@debian:/# [ 30.090146] mmc0: running CQE recovery
mmc0: cqhci: Failed to halt
mmc0: cqhci: spurious TCN for tag 0
WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24
Modules linked in:
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT
Hardware name: Rockchip RK3588 EVB1 V10 Board (DT)
Workqueue: kblockd blk_mq_run_work_fn
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : cqhci_irq+0x254/0x818
lr : cqhci_irq+0x254/0x818
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9
(git)
Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < f2677d6e2bbc5ba2030825522d2afd0542b038a3 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < de0ad7156036a50982bcb75a080e4af284502be2 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 36be050f21dea7a3a76dff5a031da6274e8ee468 (git) Affected: c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4 , < 3009738a855cf938bbfc9078bec725031ae623a4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-dwcmshc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "f2677d6e2bbc5ba2030825522d2afd0542b038a3",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "de0ad7156036a50982bcb75a080e4af284502be2",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "36be050f21dea7a3a76dff5a031da6274e8ee468",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
},
{
"lessThan": "3009738a855cf938bbfc9078bec725031ae623a4",
"status": "affected",
"version": "c6f361cba51c536e7a6af31973c6a4e5d7e4e2e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sdhci-of-dwcmshc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode\n\nWhen operating in HS200 or HS400 timing modes, reducing the clock frequency\nbelow 52MHz will lead to link broken as the Rockchip DWC MSHC controller\nrequires maintaining a minimum clock of 52MHz in these modes.\n\nAdd a check to prevent illegal clock reduction through debugfs:\n\nroot@debian:/# echo 50000000 \u003e /sys/kernel/debug/mmc0/clock\nroot@debian:/# [ 30.090146] mmc0: running CQE recovery\nmmc0: cqhci: Failed to halt\nmmc0: cqhci: spurious TCN for tag 0\nWARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24\nModules linked in:\nCPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT\nHardware name: Rockchip RK3588 EVB1 V10 Board (DT)\nWorkqueue: kblockd blk_mq_run_work_fn\npstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : cqhci_irq+0x254/0x818\nlr : cqhci_irq+0x254/0x818\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:45.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59b8a1ca6df4db2ca250e9eeab74e2b0068d69e9"
},
{
"url": "https://git.kernel.org/stable/c/f2677d6e2bbc5ba2030825522d2afd0542b038a3"
},
{
"url": "https://git.kernel.org/stable/c/de0ad7156036a50982bcb75a080e4af284502be2"
},
{
"url": "https://git.kernel.org/stable/c/36be050f21dea7a3a76dff5a031da6274e8ee468"
},
{
"url": "https://git.kernel.org/stable/c/3009738a855cf938bbfc9078bec725031ae623a4"
}
],
"title": "mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71200",
"datePublished": "2026-02-14T15:09:45.689Z",
"dateReserved": "2026-01-31T11:36:51.193Z",
"dateUpdated": "2026-02-14T15:09:45.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23138 (GCVE-0-2026-23138)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
tracing: Add recursion protection in kernel stack trace recording
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Add recursion protection in kernel stack trace recording
A bug was reported about an infinite recursion caused by tracing the rcu
events with the kernel stack trace trigger enabled. The stack trace code
called back into RCU which then called the stack trace again.
Expand the ftrace recursion protection to add a set of bits to protect
events from recursion. Each bit represents the context that the event is
in (normal, softirq, interrupt and NMI).
Have the stack trace code use the interrupt context to protect against
recursion.
Note, the bug showed an issue in both the RCU code as well as the tracing
stacktrace code. This only handles the tracing stack trace side of the
bug. The RCU fix will be handled separately.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/trace_recursion.h",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b7f91acffd2c4c000971553d22efa1e1bb4feae",
"status": "affected",
"version": "5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce",
"versionType": "git"
},
{
"lessThan": "5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb",
"status": "affected",
"version": "5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/trace_recursion.h",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add recursion protection in kernel stack trace recording\n\nA bug was reported about an infinite recursion caused by tracing the rcu\nevents with the kernel stack trace trigger enabled. The stack trace code\ncalled back into RCU which then called the stack trace again.\n\nExpand the ftrace recursion protection to add a set of bits to protect\nevents from recursion. Each bit represents the context that the event is\nin (normal, softirq, interrupt and NMI).\n\nHave the stack trace code use the interrupt context to protect against\nrecursion.\n\nNote, the bug showed an issue in both the RCU code as well as the tracing\nstacktrace code. This only handles the tracing stack trace side of the\nbug. The RCU fix will be handled separately."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:23.385Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b7f91acffd2c4c000971553d22efa1e1bb4feae"
},
{
"url": "https://git.kernel.org/stable/c/5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb"
}
],
"title": "tracing: Add recursion protection in kernel stack trace recording",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23138",
"datePublished": "2026-02-14T15:22:23.385Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-02-14T15:22:23.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23169 (GCVE-0-2026-23169)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-16 09:26
VLAI?
EPSS
Title
mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
and/or mptcp_pm_nl_is_backup()
Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
which is not RCU ready.
list_splice_init_rcu() can not be called here while holding pernet->lock
spinlock.
Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
141694df6573b49aa4143c92556544b4b0bbda72 , < 455e882192c9833f176f3fbbbb2f036b6c5bf555
(git)
Affected: 141694df6573b49aa4143c92556544b4b0bbda72 , < 51223bdd0f60b06cfc7f25885c4d4be917adba94 (git) Affected: 141694df6573b49aa4143c92556544b4b0bbda72 , < 1f1b9523527df02685dde603f20ff6e603d8e4a1 (git) Affected: 141694df6573b49aa4143c92556544b4b0bbda72 , < e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "455e882192c9833f176f3fbbbb2f036b6c5bf555",
"status": "affected",
"version": "141694df6573b49aa4143c92556544b4b0bbda72",
"versionType": "git"
},
{
"lessThan": "51223bdd0f60b06cfc7f25885c4d4be917adba94",
"status": "affected",
"version": "141694df6573b49aa4143c92556544b4b0bbda72",
"versionType": "git"
},
{
"lessThan": "1f1b9523527df02685dde603f20ff6e603d8e4a1",
"status": "affected",
"version": "141694df6573b49aa4143c92556544b4b0bbda72",
"versionType": "git"
},
{
"lessThan": "e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d",
"status": "affected",
"version": "141694df6573b49aa4143c92556544b4b0bbda72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_kernel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.125",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.72",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race in mptcp_pm_nl_flush_addrs_doit()\n\nsyzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()\nand/or mptcp_pm_nl_is_backup()\n\nRoot cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()\nwhich is not RCU ready.\n\nlist_splice_init_rcu() can not be called here while holding pernet-\u003elock\nspinlock.\n\nMany thanks to Eulgyu Kim for providing a repro and testing our patches."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T09:26:08.410Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/455e882192c9833f176f3fbbbb2f036b6c5bf555"
},
{
"url": "https://git.kernel.org/stable/c/51223bdd0f60b06cfc7f25885c4d4be917adba94"
},
{
"url": "https://git.kernel.org/stable/c/1f1b9523527df02685dde603f20ff6e603d8e4a1"
},
{
"url": "https://git.kernel.org/stable/c/e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d"
}
],
"title": "mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23169",
"datePublished": "2026-02-14T16:01:32.139Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-02-16T09:26:08.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71204 (GCVE-0-2025-71204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
smb/server: fix refcount leak in parse_durable_handle_context()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: fix refcount leak in parse_durable_handle_context()
When the command is a replay operation and -ENOEXEC is returned,
the refcount of ksmbd_file must be released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8df4bcdb0a4232192b2445256c39b787d58ef14d , < 07df5ff4f6490a5c96715b7c562e0b2908422e04
(git)
Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 8a15107c4c031fb19737bf2eb4000f847f1d5e4c (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 70dd3513ed6ac8c6cab23f72c5b19f44ca89de9d (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 3296c3012a9d9a27e81e34910384e55a6ff3cff0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07df5ff4f6490a5c96715b7c562e0b2908422e04",
"status": "affected",
"version": "8df4bcdb0a4232192b2445256c39b787d58ef14d",
"versionType": "git"
},
{
"lessThan": "8a15107c4c031fb19737bf2eb4000f847f1d5e4c",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "70dd3513ed6ac8c6cab23f72c5b19f44ca89de9d",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "3296c3012a9d9a27e81e34910384e55a6ff3cff0",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix refcount leak in parse_durable_handle_context()\n\nWhen the command is a replay operation and -ENOEXEC is returned,\nthe refcount of ksmbd_file must be released."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:41.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07df5ff4f6490a5c96715b7c562e0b2908422e04"
},
{
"url": "https://git.kernel.org/stable/c/8a15107c4c031fb19737bf2eb4000f847f1d5e4c"
},
{
"url": "https://git.kernel.org/stable/c/70dd3513ed6ac8c6cab23f72c5b19f44ca89de9d"
},
{
"url": "https://git.kernel.org/stable/c/3296c3012a9d9a27e81e34910384e55a6ff3cff0"
}
],
"title": "smb/server: fix refcount leak in parse_durable_handle_context()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71204",
"datePublished": "2026-02-14T16:27:03.252Z",
"dateReserved": "2026-01-31T11:36:51.194Z",
"dateUpdated": "2026-02-16T08:58:41.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23130 (GCVE-0-2026-23130)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
wifi: ath12k: fix dead lock while flushing management frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dead lock while flushing management frames
Commit [1] converted the management transmission work item into a
wiphy work. Since a wiphy work can only run under wiphy lock
protection, a race condition happens in below scenario:
1. a management frame is queued for transmission.
2. ath12k_mac_op_flush() gets called to flush pending frames associated
with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()
the process waits for the transmission done.
3. Since wiphy lock has been taken by the flush process, the transmission
work item has no chance to run, hence the dead lock.
>From user view, this dead lock results in below issue:
wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
wlp8s0: send auth to xxxxxx (try 1/3)
wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
wlp8s0: send auth to xxxxxx (try 1/3)
wlp8s0: authenticated
wlp8s0: associate with xxxxxx (try 1/3)
wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)
ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1
The dead lock can be avoided by invoking wiphy_work_flush() to proactively
run the queued work item. Note actually it is already present in
ath12k_mac_op_flush(), however it does not protect the case where vif
being NULL. Hence move it ahead to cover this case as well.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06ac2aa13f701a0296e92f5f54ae24224d426b28",
"status": "affected",
"version": "56dcbf0b520796e26b2bbe5686bdd305ad924954",
"versionType": "git"
},
{
"lessThan": "f88e9fc30a261d63946ddc6cc6a33405e6aa27c3",
"status": "affected",
"version": "56dcbf0b520796e26b2bbe5686bdd305ad924954",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dead lock while flushing management frames\n\nCommit [1] converted the management transmission work item into a\nwiphy work. Since a wiphy work can only run under wiphy lock\nprotection, a race condition happens in below scenario:\n\n1. a management frame is queued for transmission.\n2. ath12k_mac_op_flush() gets called to flush pending frames associated\n with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()\n the process waits for the transmission done.\n3. Since wiphy lock has been taken by the flush process, the transmission\n work item has no chance to run, hence the dead lock.\n\n\u003eFrom user view, this dead lock results in below issue:\n\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticated\n wlp8s0: associate with xxxxxx (try 1/3)\n wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)\n ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1\n\nThe dead lock can be avoided by invoking wiphy_work_flush() to proactively\nrun the queued work item. Note actually it is already present in\nath12k_mac_op_flush(), however it does not protect the case where vif\nbeing NULL. Hence move it ahead to cover this case as well.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:58.239Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06ac2aa13f701a0296e92f5f54ae24224d426b28"
},
{
"url": "https://git.kernel.org/stable/c/f88e9fc30a261d63946ddc6cc6a33405e6aa27c3"
}
],
"title": "wifi: ath12k: fix dead lock while flushing management frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23130",
"datePublished": "2026-02-14T15:09:58.239Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:09:58.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23154 (GCVE-0-2026-23154)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
net: fix segmentation of forwarding fraglist GRO
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix segmentation of forwarding fraglist GRO
This patch enhances GSO segment handling by properly checking
the SKB_GSO_DODGY flag for frag_list GSO packets, addressing
low throughput issues observed when a station accesses IPv4
servers via hotspots with an IPv6-only upstream interface.
Specifically, it fixes a bug in GSO segmentation when forwarding
GRO packets containing a frag_list. The function skb_segment_list
cannot correctly process GRO skbs that have been converted by XLAT,
since XLAT only translates the header of the head skb. Consequently,
skbs in the frag_list may remain untranslated, resulting in protocol
inconsistencies and reduced throughput.
To address this, the patch explicitly sets the SKB_GSO_DODGY flag
for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers
(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO
packets as potentially modified after protocol translation. As a
result, GSO segmentation will avoid using skb_segment_list and
instead falls back to skb_segment for packets with the SKB_GSO_DODGY
flag. This ensures that only safe and fully translated frag_list
packets are processed by skb_segment_list, resolving protocol
inconsistencies and improving throughput when forwarding GRO packets
converted by XLAT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9fd1ff5d2ac7181844735806b0a703c942365291 , < 3e62db1e3140449608975e29e0979cc5f3b1cc07
(git)
Affected: 9fd1ff5d2ac7181844735806b0a703c942365291 , < 3d48d59235c494d34e32052f768393111c0806ef (git) Affected: 9fd1ff5d2ac7181844735806b0a703c942365291 , < 426ca15c7f6cb6562a081341ca88893a50c59fa2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c",
"net/ipv4/tcp_offload.c",
"net/ipv4/udp_offload.c",
"net/ipv6/tcpv6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e62db1e3140449608975e29e0979cc5f3b1cc07",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "3d48d59235c494d34e32052f768393111c0806ef",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
},
{
"lessThan": "426ca15c7f6cb6562a081341ca88893a50c59fa2",
"status": "affected",
"version": "9fd1ff5d2ac7181844735806b0a703c942365291",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c",
"net/ipv4/tcp_offload.c",
"net/ipv4/udp_offload.c",
"net/ipv6/tcpv6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix segmentation of forwarding fraglist GRO\n\nThis patch enhances GSO segment handling by properly checking\nthe SKB_GSO_DODGY flag for frag_list GSO packets, addressing\nlow throughput issues observed when a station accesses IPv4\nservers via hotspots with an IPv6-only upstream interface.\n\nSpecifically, it fixes a bug in GSO segmentation when forwarding\nGRO packets containing a frag_list. The function skb_segment_list\ncannot correctly process GRO skbs that have been converted by XLAT,\nsince XLAT only translates the header of the head skb. Consequently,\nskbs in the frag_list may remain untranslated, resulting in protocol\ninconsistencies and reduced throughput.\n\nTo address this, the patch explicitly sets the SKB_GSO_DODGY flag\nfor GSO packets in XLAT\u0027s IPv4/IPv6 protocol translation helpers\n(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO\npackets as potentially modified after protocol translation. As a\nresult, GSO segmentation will avoid using skb_segment_list and\ninstead falls back to skb_segment for packets with the SKB_GSO_DODGY\nflag. This ensures that only safe and fully translated frag_list\npackets are processed by skb_segment_list, resolving protocol\ninconsistencies and improving throughput when forwarding GRO packets\nconverted by XLAT."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:21.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e62db1e3140449608975e29e0979cc5f3b1cc07"
},
{
"url": "https://git.kernel.org/stable/c/3d48d59235c494d34e32052f768393111c0806ef"
},
{
"url": "https://git.kernel.org/stable/c/426ca15c7f6cb6562a081341ca88893a50c59fa2"
}
],
"title": "net: fix segmentation of forwarding fraglist GRO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23154",
"datePublished": "2026-02-14T16:01:21.758Z",
"dateReserved": "2026-01-13T15:37:45.977Z",
"dateUpdated": "2026-02-14T16:01:21.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23168 (GCVE-0-2026-23168)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
flex_proportions: make fprop_new_period() hardirq safe
Summary
In the Linux kernel, the following vulnerability has been resolved:
flex_proportions: make fprop_new_period() hardirq safe
Bernd has reported a lockdep splat from flexible proportions code that is
essentially complaining about the following race:
<timer fires>
run_timer_softirq - we are in softirq context
call_timer_fn
writeout_period
fprop_new_period
write_seqcount_begin(&p->sequence);
<hardirq is raised>
...
blk_mq_end_request()
blk_update_request()
ext4_end_bio()
folio_end_writeback()
__wb_writeout_add()
__fprop_add_percpu_max()
if (unlikely(max_frac < FPROP_FRAC_BASE)) {
fprop_fraction_percpu()
seq = read_seqcount_begin(&p->sequence);
- sees odd sequence so loops indefinitely
Note that a deadlock like this is only possible if the bdi has configured
maximum fraction of writeout throughput which is very rare in general but
frequent for example for FUSE bdis. To fix this problem we have to make
sure write section of the sequence counter is irqsafe.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a91befde350375b1ff954635acdde14dc92cd9a8 , < 0acc9ba7a1b5ba4d998c5753e709be904e179b75
(git)
Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < 884b2590ffcc7222cbbd6298051f4c243cc36f5d (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < 78ede9ebd679dadf480dce6f7b798e3603f88348 (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < b91a84299d72ae0e05551e851e47cd3008bd025b (git) Affected: a91befde350375b1ff954635acdde14dc92cd9a8 , < dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/flex_proportions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0acc9ba7a1b5ba4d998c5753e709be904e179b75",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "884b2590ffcc7222cbbd6298051f4c243cc36f5d",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "78ede9ebd679dadf480dce6f7b798e3603f88348",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "b91a84299d72ae0e05551e851e47cd3008bd025b",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
},
{
"lessThan": "dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc",
"status": "affected",
"version": "a91befde350375b1ff954635acdde14dc92cd9a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/flex_proportions.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nflex_proportions: make fprop_new_period() hardirq safe\n\nBernd has reported a lockdep splat from flexible proportions code that is\nessentially complaining about the following race:\n\n\u003ctimer fires\u003e\nrun_timer_softirq - we are in softirq context\n call_timer_fn\n writeout_period\n fprop_new_period\n write_seqcount_begin(\u0026p-\u003esequence);\n\n \u003chardirq is raised\u003e\n ...\n blk_mq_end_request()\n\t blk_update_request()\n\t ext4_end_bio()\n\t folio_end_writeback()\n\t\t__wb_writeout_add()\n\t\t __fprop_add_percpu_max()\n\t\t if (unlikely(max_frac \u003c FPROP_FRAC_BASE)) {\n\t\t fprop_fraction_percpu()\n\t\t\tseq = read_seqcount_begin(\u0026p-\u003esequence);\n\t\t\t - sees odd sequence so loops indefinitely\n\nNote that a deadlock like this is only possible if the bdi has configured\nmaximum fraction of writeout throughput which is very rare in general but\nfrequent for example for FUSE bdis. To fix this problem we have to make\nsure write section of the sequence counter is irqsafe."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:31.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0acc9ba7a1b5ba4d998c5753e709be904e179b75"
},
{
"url": "https://git.kernel.org/stable/c/884b2590ffcc7222cbbd6298051f4c243cc36f5d"
},
{
"url": "https://git.kernel.org/stable/c/78ede9ebd679dadf480dce6f7b798e3603f88348"
},
{
"url": "https://git.kernel.org/stable/c/b91a84299d72ae0e05551e851e47cd3008bd025b"
},
{
"url": "https://git.kernel.org/stable/c/dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc"
}
],
"title": "flex_proportions: make fprop_new_period() hardirq safe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23168",
"datePublished": "2026-02-14T16:01:31.465Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-02-14T16:01:31.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23153 (GCVE-0-2026-23153)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
firewire: core: fix race condition against transaction list
Summary
In the Linux kernel, the following vulnerability has been resolved:
firewire: core: fix race condition against transaction list
The list of transaction is enumerated without acquiring card lock when
processing AR response event. This causes a race condition bug when
processing AT request completion event concurrently.
This commit fixes the bug by put timer start for split transaction
expiration into the scope of lock. The value of jiffies in card structure
is referred before acquiring the lock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b038874e31fc3caa0b0d5abd259dd54b918ad4a1",
"status": "affected",
"version": "b5725cfa4120a4d234ab112aad151d731531d093",
"versionType": "git"
},
{
"lessThan": "20e01bba2ae4898ce65cdcacd1bd6bec5111abd9",
"status": "affected",
"version": "b5725cfa4120a4d234ab112aad151d731531d093",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: core: fix race condition against transaction list\n\nThe list of transaction is enumerated without acquiring card lock when\nprocessing AR response event. This causes a race condition bug when\nprocessing AT request completion event concurrently.\n\nThis commit fixes the bug by put timer start for split transaction\nexpiration into the scope of lock. The value of jiffies in card structure\nis referred before acquiring the lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:21.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b038874e31fc3caa0b0d5abd259dd54b918ad4a1"
},
{
"url": "https://git.kernel.org/stable/c/20e01bba2ae4898ce65cdcacd1bd6bec5111abd9"
}
],
"title": "firewire: core: fix race condition against transaction list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23153",
"datePublished": "2026-02-14T16:01:21.077Z",
"dateReserved": "2026-01-13T15:37:45.977Z",
"dateUpdated": "2026-02-14T16:01:21.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23116 (GCVE-0-2026-23116)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset
and clock enable bits, but is ungated and reset together with the VPUs.
So we can't reset G1 or G2 separately, it may led to the system hang.
Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.
Let imx8mq_vpu_power_notifier() do really vpu reset.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
608d7c325e855cb4a853afef3cd9f0df594bd12d , < 8859e336d233e61a4c40d40dc6a9f21e8b9b719c
(git)
Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < cad7003d951e8899db58ee2fef211586af726f09 (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < 5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76 (git) Affected: 608d7c325e855cb4a853afef3cd9f0df594bd12d , < 3de49966499634454fd59e0e6fecd50baab7febd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8859e336d233e61a4c40d40dc6a9f21e8b9b719c",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "cad7003d951e8899db58ee2fef211586af726f09",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
},
{
"lessThan": "3de49966499634454fd59e0e6fecd50baab7febd",
"status": "affected",
"version": "608d7c325e855cb4a853afef3cd9f0df594bd12d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu\n\nFor i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset\nand clock enable bits, but is ungated and reset together with the VPUs.\nSo we can\u0027t reset G1 or G2 separately, it may led to the system hang.\nRemove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.\nLet imx8mq_vpu_power_notifier() do really vpu reset."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:48.511Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8859e336d233e61a4c40d40dc6a9f21e8b9b719c"
},
{
"url": "https://git.kernel.org/stable/c/cad7003d951e8899db58ee2fef211586af726f09"
},
{
"url": "https://git.kernel.org/stable/c/5c56a6f4b5a4f87c094c92a30fa17e28e37ec2ab"
},
{
"url": "https://git.kernel.org/stable/c/fd675de6bddf7e9bdf42ae3929d4c27ba6d1ef76"
},
{
"url": "https://git.kernel.org/stable/c/3de49966499634454fd59e0e6fecd50baab7febd"
}
],
"title": "pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23116",
"datePublished": "2026-02-14T15:09:48.511Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:48.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23151 (GCVE-0-2026-23151)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix memory leak in set_ssp_complete
Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.
This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.
Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d71b98f253b079cbadc83266383f26fe7e9e103b , < 1850a558d116d7e3e2ef36d06a56f59b640cc214
(git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 3b6318505378828ee415d6ef678db6a74c077504 (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 (git) Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1850a558d116d7e3e2ef36d06a56f59b640cc214",
"status": "affected",
"version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"versionType": "git"
},
{
"lessThan": "3b6318505378828ee415d6ef678db6a74c077504",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"lessThan": "1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"status": "affected",
"version": "87a1f16f07c6c43771754075e08f45b41d237421",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:19.663Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"
},
{
"url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"
},
{
"url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"
}
],
"title": "Bluetooth: MGMT: Fix memory leak in set_ssp_complete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23151",
"datePublished": "2026-02-14T16:01:19.663Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-02-14T16:01:19.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23202 (GCVE-0-2026-23202)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.
Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.
Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
88db8bb7ed1bb474618acdf05ebd4f0758d244e2 , < 9fa4262a80f751d14a6a39d2c03f57db68da2618
(git)
Affected: 83309dd551cfd60a5a1a98d9cab19f435b44d46d , < 762e2ce71c8f0238e9eaf05d14da803d9a24422f (git) Affected: c934e40246da2c5726d14e94719c514e30840df8 , < 712cde8d916889e282727cdf304a43683adf899e (git) Affected: 551060efb156c50fe33799038ba8145418cfdeef , < 6fd446178a610a48e80e5c5b487b0707cd01daac (git) Affected: 01bbf25c767219b14c3235bfa85906b8d2cb8fbc , < 3bc293d5b56502068481478842f57b3d96e432c7 (git) Affected: b4e002d8a7cee3b1d70efad0e222567f92a73000 , < bf4528ab28e2bf112c3a2cdef44fd13f007781cd (git) Affected: bb0c58be84f907285af45657c1d4847b960a12bf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fa4262a80f751d14a6a39d2c03f57db68da2618",
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"lessThan": "762e2ce71c8f0238e9eaf05d14da803d9a24422f",
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"lessThan": "712cde8d916889e282727cdf304a43683adf899e",
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"lessThan": "6fd446178a610a48e80e5c5b487b0707cd01daac",
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"lessThan": "3bc293d5b56502068481478842f57b3d96e432c7",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "bf4528ab28e2bf112c3a2cdef44fd13f007781cd",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.200",
"status": "affected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThan": "6.1.163",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:26.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fa4262a80f751d14a6a39d2c03f57db68da2618"
},
{
"url": "https://git.kernel.org/stable/c/762e2ce71c8f0238e9eaf05d14da803d9a24422f"
},
{
"url": "https://git.kernel.org/stable/c/712cde8d916889e282727cdf304a43683adf899e"
},
{
"url": "https://git.kernel.org/stable/c/6fd446178a610a48e80e5c5b487b0707cd01daac"
},
{
"url": "https://git.kernel.org/stable/c/3bc293d5b56502068481478842f57b3d96e432c7"
},
{
"url": "https://git.kernel.org/stable/c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23202",
"datePublished": "2026-02-14T16:27:26.365Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:26.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23152 (GCVE-0-2026-23152)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
wifi: mac80211: correctly decode TTLM with default link map
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: correctly decode TTLM with default link map
TID-To-Link Mapping (TTLM) elements do not contain any link mapping
presence indicator if a default mapping is used and parsing needs to be
skipped.
Note that access points should not explicitly report an advertised TTLM
with a default mapping as that is the implied mapping if the element is
not included, this is even the case when switching back to the default
mapping. However, mac80211 would incorrectly parse the frame and would
also read one byte beyond the end of the element.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aabc36857bd39da65fe2d047bfaf63a0a09917d4",
"status": "affected",
"version": "702e80470a3359ce02b3f846f48f6db4ac7fd837",
"versionType": "git"
},
{
"lessThan": "1eab33aa63c993685dd341e03bd5b267dd7403fa",
"status": "affected",
"version": "702e80470a3359ce02b3f846f48f6db4ac7fd837",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: correctly decode TTLM with default link map\n\nTID-To-Link Mapping (TTLM) elements do not contain any link mapping\npresence indicator if a default mapping is used and parsing needs to be\nskipped.\n\nNote that access points should not explicitly report an advertised TTLM\nwith a default mapping as that is the implied mapping if the element is\nnot included, this is even the case when switching back to the default\nmapping. However, mac80211 would incorrectly parse the frame and would\nalso read one byte beyond the end of the element."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:20.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aabc36857bd39da65fe2d047bfaf63a0a09917d4"
},
{
"url": "https://git.kernel.org/stable/c/1eab33aa63c993685dd341e03bd5b267dd7403fa"
}
],
"title": "wifi: mac80211: correctly decode TTLM with default link map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23152",
"datePublished": "2026-02-14T16:01:20.379Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-02-14T16:01:20.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23192 (GCVE-0-2026-23192)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
linkwatch: use __dev_put() in callers to prevent UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
linkwatch: use __dev_put() in callers to prevent UAF
After linkwatch_do_dev() calls __dev_put() to release the linkwatch
reference, the device refcount may drop to 1. At this point,
netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an
empty list and returns without blocking), wait for the refcount to
become 1 via netdev_wait_allrefs_any(), and then free the device
via kobject_put().
This creates a use-after-free when __linkwatch_run_queue() tries to
call netdev_unlock_ops() on the already-freed device.
Note that adding netdev_lock_ops()/netdev_unlock_ops() pair in
netdev_run_todo() before kobject_put() would not work, because
netdev_lock_ops() is conditional - it only locks when
netdev_need_ops_lock() returns true. If the device doesn't require
ops_lock, linkwatch won't hold any lock, and netdev_run_todo()
acquiring the lock won't provide synchronization.
Fix this by moving __dev_put() from linkwatch_do_dev() to its
callers. The device reference logically pairs with de-listing the
device, so it's reasonable for the caller that did the de-listing
to release it. This allows placing __dev_put() after all device
accesses are complete, preventing UAF.
The bug can be reproduced by adding mdelay(2000) after
linkwatch_do_dev() in __linkwatch_run_queue(), then running:
ip tuntap add mode tun name tun_test
ip link set tun_test up
ip link set tun_test carrier off
ip link set tun_test carrier on
sleep 0.5
ip tuntap del mode tun name tun_test
KASAN report:
==================================================================
BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]
BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245
Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123
CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events_unbound linkwatch_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x156/0x4c9 mm/kasan/report.c:482
kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]
netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
__linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245
linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304
process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
==================================================================
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/link_watch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb",
"status": "affected",
"version": "04efcee6ef8d0f01eef495db047e7216d6e6e38f",
"versionType": "git"
},
{
"lessThan": "83b67cc9be9223183caf91826d9c194d7fb128fa",
"status": "affected",
"version": "04efcee6ef8d0f01eef495db047e7216d6e6e38f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/link_watch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlinkwatch: use __dev_put() in callers to prevent UAF\n\nAfter linkwatch_do_dev() calls __dev_put() to release the linkwatch\nreference, the device refcount may drop to 1. At this point,\nnetdev_run_todo() can proceed (since linkwatch_sync_dev() sees an\nempty list and returns without blocking), wait for the refcount to\nbecome 1 via netdev_wait_allrefs_any(), and then free the device\nvia kobject_put().\n\nThis creates a use-after-free when __linkwatch_run_queue() tries to\ncall netdev_unlock_ops() on the already-freed device.\n\nNote that adding netdev_lock_ops()/netdev_unlock_ops() pair in\nnetdev_run_todo() before kobject_put() would not work, because\nnetdev_lock_ops() is conditional - it only locks when\nnetdev_need_ops_lock() returns true. If the device doesn\u0027t require\nops_lock, linkwatch won\u0027t hold any lock, and netdev_run_todo()\nacquiring the lock won\u0027t provide synchronization.\n\nFix this by moving __dev_put() from linkwatch_do_dev() to its\ncallers. The device reference logically pairs with de-listing the\ndevice, so it\u0027s reasonable for the caller that did the de-listing\nto release it. This allows placing __dev_put() after all device\naccesses are complete, preventing UAF.\n\nThe bug can be reproduced by adding mdelay(2000) after\nlinkwatch_do_dev() in __linkwatch_run_queue(), then running:\n\n ip tuntap add mode tun name tun_test\n ip link set tun_test up\n ip link set tun_test carrier off\n ip link set tun_test carrier on\n sleep 0.5\n ip tuntap del mode tun name tun_test\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]\n BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]\n BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245\n Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123\n\n CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: events_unbound linkwatch_event\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x156/0x4c9 mm/kasan/report.c:482\n kasan_report+0xdf/0x1a0 mm/kasan/report.c:595\n netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]\n netdev_unlock_ops include/net/netdev_lock.h:47 [inline]\n __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245\n linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304\n process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x5da/0xe40 kernel/workqueue.c:3421\n kthread+0x3b3/0x730 kernel/kthread.c:463\n ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\n =================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:19.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb"
},
{
"url": "https://git.kernel.org/stable/c/83b67cc9be9223183caf91826d9c194d7fb128fa"
}
],
"title": "linkwatch: use __dev_put() in callers to prevent UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23192",
"datePublished": "2026-02-14T16:27:19.557Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:19.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23125 (GCVE-0-2026-23125)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
initialization fails:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
Call Trace:
sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
The issue is triggered when sctp_auth_asoc_init_active_key() fails in
sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
command sequence is currently:
- SCTP_CMD_PEER_INIT
- SCTP_CMD_TIMER_STOP (T1_INIT)
- SCTP_CMD_TIMER_START (T1_COOKIE)
- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
- SCTP_CMD_ASSOC_SHKEY
- SCTP_CMD_GEN_COOKIE_ECHO
If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
to be queued by sctp_datamsg_from_user().
Since command interpretation stops on failure, no COOKIE_ECHO should been
sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
in sctp_outq_flush_data(), leading to the observed issue.
Similar to the other places where it calls sctp_auth_asoc_init_active_key()
right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
T1_COOKIE. This ensures that if shared key generation fails, authenticated
DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
giving the client another chance to process INIT_ACK and retry key setup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 5a309bedf02ee08b0653215f06c94d61ec7a214a
(git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 784428ab1889eb185a1459e9d6bc52df33d572ef (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e94294798548e8cfbd80869e1d2f97efce92582c (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e7e81abbcc5620c9532080538f9709a6ea382855 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65 (git) Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < a80c9d945aef55b23b54838334345f20251dad83 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a309bedf02ee08b0653215f06c94d61ec7a214a",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "784428ab1889eb185a1459e9d6bc52df33d572ef",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e94294798548e8cfbd80869e1d2f97efce92582c",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "e7e81abbcc5620c9532080538f9709a6ea382855",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
},
{
"lessThan": "a80c9d945aef55b23b54838334345f20251dad83",
"status": "affected",
"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n ==================================================================\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n Call Trace:\n\n sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc-\u003eshkey remains NULL, while\nasoc-\u003epeer.auth_capable and asoc-\u003epeer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:54.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"
},
{
"url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"
},
{
"url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"
},
{
"url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"
},
{
"url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"
},
{
"url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"
},
{
"url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"
}
],
"title": "sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23125",
"datePublished": "2026-02-14T15:09:54.756Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:54.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23149 (GCVE-0-2026-23149)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
Since GEM bo handles are u32 in the uapi and the internal implementation
uses idr_alloc() which uses int ranges, passing a new handle larger than
INT_MAX trivially triggers a kernel warning:
idr_alloc():
...
if (WARN_ON_ONCE(start < 0))
return -EINVAL;
...
Fix it by rejecting new handles above INT_MAX and at the same time make
the end limit calculation more obvious by moving into int domain.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae8831ee0fb2f5f41f39722e7b3749d65bb78d08",
"status": "affected",
"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9",
"versionType": "git"
},
{
"lessThan": "12f15d52d38ac53f7c70ea3d4b3d76afed04e064",
"status": "affected",
"version": "53096728b8910c6916ecc6c46a5abc5c678b58d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()\n\nSince GEM bo handles are u32 in the uapi and the internal implementation\nuses idr_alloc() which uses int ranges, passing a new handle larger than\nINT_MAX trivially triggers a kernel warning:\n\nidr_alloc():\n...\n\tif (WARN_ON_ONCE(start \u003c 0))\n\t\treturn -EINVAL;\n...\n\nFix it by rejecting new handles above INT_MAX and at the same time make\nthe end limit calculation more obvious by moving into int domain."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:18.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae8831ee0fb2f5f41f39722e7b3749d65bb78d08"
},
{
"url": "https://git.kernel.org/stable/c/12f15d52d38ac53f7c70ea3d4b3d76afed04e064"
}
],
"title": "drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23149",
"datePublished": "2026-02-14T16:01:18.281Z",
"dateReserved": "2026-01-13T15:37:45.975Z",
"dateUpdated": "2026-02-14T16:01:18.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23159 (GCVE-0-2026-23159)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
perf: sched: Fix perf crash with new is_user_task() helper
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: sched: Fix perf crash with new is_user_task() helper
In order to do a user space stacktrace the current task needs to be a user
task that has executed in user space. It use to be possible to test if a
task is a user task or not by simply checking the task_struct mm field. If
it was non NULL, it was a user task and if not it was a kernel task.
But things have changed over time, and some kernel tasks now have their
own mm field.
An idea was made to instead test PF_KTHREAD and two functions were used to
wrap this check in case it became more complex to test if a task was a
user task or not[1]. But this was rejected and the C code simply checked
the PF_KTHREAD directly.
It was later found that not all kernel threads set PF_KTHREAD. The io-uring
helpers instead set PF_USER_WORKER and this needed to be added as well.
But checking the flags is still not enough. There's a very small window
when a task exits that it frees its mm field and it is set back to NULL.
If perf were to trigger at this moment, the flags test would say its a
user space task but when perf would read the mm field it would crash with
at NULL pointer dereference.
Now there are flags that can be used to test if a task is exiting, but
they are set in areas that perf may still want to profile the user space
task (to see where it exited). The only real test is to check both the
flags and the mm field.
Instead of making this modification in every location, create a new
is_user_task() helper function that does all the tests needed to know if
it is safe to read the user space memory or not.
[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
34b5aba8511a12fb2e9bd3124835cb4087187dac , < d84a4836dc246b7dc244e46a08ff992956b68db0
(git)
Affected: 8d79f96e477c4b8e3fca2efb36b269d8960a2285 , < 5aac392fcd3d981d7997f1a0766829e1afdeac2e (git) Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c (git) Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < 76ed27608f7dd235b727ebbb12163438c2fbb617 (git) Affected: 5050083e1a2f3e5e29cee0205c40e5864b52601d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/events/callchain.c",
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d84a4836dc246b7dc244e46a08ff992956b68db0",
"status": "affected",
"version": "34b5aba8511a12fb2e9bd3124835cb4087187dac",
"versionType": "git"
},
{
"lessThan": "5aac392fcd3d981d7997f1a0766829e1afdeac2e",
"status": "affected",
"version": "8d79f96e477c4b8e3fca2efb36b269d8960a2285",
"versionType": "git"
},
{
"lessThan": "a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c",
"status": "affected",
"version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
"versionType": "git"
},
{
"lessThan": "76ed27608f7dd235b727ebbb12163438c2fbb617",
"status": "affected",
"version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
"versionType": "git"
},
{
"status": "affected",
"version": "5050083e1a2f3e5e29cee0205c40e5864b52601d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/sched.h",
"kernel/events/callchain.c",
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.116",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There\u0027s a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:25.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0"
},
{
"url": "https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e"
},
{
"url": "https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c"
},
{
"url": "https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617"
}
],
"title": "perf: sched: Fix perf crash with new is_user_task() helper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23159",
"datePublished": "2026-02-14T16:01:25.229Z",
"dateReserved": "2026-01-13T15:37:45.979Z",
"dateUpdated": "2026-02-14T16:01:25.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23148 (GCVE-0-2026-23148)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
There is a race condition in nvmet_bio_done() that can cause a NULL
pointer dereference in blk_cgroup_bio_start():
1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inline_bio from nvmet_req
5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)
invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
6. The re-submitted bio enters submit_bio_noacct_nocheck()
7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
RIP: 0010:blk_cgroup_bio_start+0x10/0xd0
Call Trace:
submit_bio_noacct_nocheck+0x44/0x250
nvmet_bdev_execute_rw+0x254/0x370 [nvmet]
process_one_work+0x193/0x3c0
worker_thread+0x281/0x3a0
Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()
BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before
the request can be re-submitted, preventing the race condition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
431e58d56fcb5ff1f9eb630724a922e0d2a941df , < ee10b06980acca1d46e0fa36d6fb4a9578eab6e4
(git)
Affected: 190f4c2c863af7cc5bb354b70e0805f06419c038 , < 68207ceefd71cc74ce4e983fa9bd10c3122e349b (git) Affected: 190f4c2c863af7cc5bb354b70e0805f06419c038 , < 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e (git) Affected: 2e2028fcf924d1c6df017033c8d6e28b735a0508 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/io-cmd-bdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee10b06980acca1d46e0fa36d6fb4a9578eab6e4",
"status": "affected",
"version": "431e58d56fcb5ff1f9eb630724a922e0d2a941df",
"versionType": "git"
},
{
"lessThan": "68207ceefd71cc74ce4e983fa9bd10c3122e349b",
"status": "affected",
"version": "190f4c2c863af7cc5bb354b70e0805f06419c038",
"versionType": "git"
},
{
"lessThan": "0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e",
"status": "affected",
"version": "190f4c2c863af7cc5bb354b70e0805f06419c038",
"versionType": "git"
},
{
"status": "affected",
"version": "2e2028fcf924d1c6df017033c8d6e28b735a0508",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/io-cmd-bdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req-\u003eops-\u003equeue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n invokes bio_uninit() for inline_bio, which sets bio-\u003ebi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio-\u003ebi_blkg, causing a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n Call Trace:\n submit_bio_noacct_nocheck+0x44/0x250\n nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n process_one_work+0x193/0x3c0\n worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:17.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"
},
{
"url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"
},
{
"url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"
}
],
"title": "nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23148",
"datePublished": "2026-02-14T16:01:17.575Z",
"dateReserved": "2026-01-13T15:37:45.975Z",
"dateUpdated": "2026-02-14T16:01:17.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23141 (GCVE-0-2026-23141)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-14 15:36
VLAI?
EPSS
Title
btrfs: send: check for inline extents in range_is_hole_in_parent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: send: check for inline extents in range_is_hole_in_parent()
Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9
(git)
Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < db00636643e66898d79f2530ac9c56ebd5eca369 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 39f83f10772310ba4a77f2b5256aaf36994ef7e8 (git) Affected: 82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f , < 08b096c1372cd69627f4f559fb47c9fb67a52b39 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "db00636643e66898d79f2530ac9c56ebd5eca369",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "39f83f10772310ba4a77f2b5256aaf36994ef7e8",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
},
{
"lessThan": "08b096c1372cd69627f4f559fb47c9fb67a52b39",
"status": "affected",
"version": "82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/send.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:07.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9"
},
{
"url": "https://git.kernel.org/stable/c/db00636643e66898d79f2530ac9c56ebd5eca369"
},
{
"url": "https://git.kernel.org/stable/c/39f83f10772310ba4a77f2b5256aaf36994ef7e8"
},
{
"url": "https://git.kernel.org/stable/c/08b096c1372cd69627f4f559fb47c9fb67a52b39"
}
],
"title": "btrfs: send: check for inline extents in range_is_hole_in_parent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23141",
"datePublished": "2026-02-14T15:36:07.417Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-02-14T15:36:07.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23120 (GCVE-0-2026-23120)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
l2tp: avoid one data-race in l2tp_tunnel_del_work()
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: avoid one data-race in l2tp_tunnel_del_work()
We should read sk->sk_socket only when dealing with kernel sockets.
syzbot reported the following data-race:
BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
sk_set_socket include/net/sock.h:2092 [inline]
sock_orphan include/net/sock.h:2118 [inline]
sk_common_release+0xae/0x230 net/core/sock.c:4003
udp_lib_close+0x15/0x20 include/net/udp.h:325
inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:662 [inline]
sock_close+0x6b/0x150 net/socket.c:1455
__fput+0x29b/0x650 fs/file_table.c:468
____fput+0x1c/0x30 fs/file_table.c:496
task_work_run+0x131/0x1a0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
worker_thread+0x582/0x770 kernel/workqueue.c:3421
kthread+0x489/0x510 kernel/kthread.c:463
ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
value changed: 0xffff88811b818000 -> 0x0000000000000000
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4
(git)
Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 36c40a80109f1771d59558050b1a71e13c60c759 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < eae074dab764ea181bbed5e88626889319177498 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 68e92085427c84e7679ddb53c0d68836d220b6e7 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 3d6d414b214ce31659bded2f8df50c93a3769474 (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 32d417497b79efb403d75f4c185fe6fd9d64b94f (git) Affected: d00fa9adc528c1b0e64d532556764852df8bd7b9 , < 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf (git) Affected: 15df699fdc5af46a9fb15ae2d9326294852de5b5 (git) Affected: 18bdaefc715b4530b4b2fe670506bb47713664cc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "36c40a80109f1771d59558050b1a71e13c60c759",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "eae074dab764ea181bbed5e88626889319177498",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "68e92085427c84e7679ddb53c0d68836d220b6e7",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "3d6d414b214ce31659bded2f8df50c93a3769474",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "32d417497b79efb403d75f4c185fe6fd9d64b94f",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"lessThan": "7a29f6bf60f2590fe5e9c4decb451e19afad2bcf",
"status": "affected",
"version": "d00fa9adc528c1b0e64d532556764852df8bd7b9",
"versionType": "git"
},
{
"status": "affected",
"version": "15df699fdc5af46a9fb15ae2d9326294852de5b5",
"versionType": "git"
},
{
"status": "affected",
"version": "18bdaefc715b4530b4b2fe670506bb47713664cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk-\u003esk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n sk_set_socket include/net/sock.h:2092 [inline]\n sock_orphan include/net/sock.h:2118 [inline]\n sk_common_release+0xae/0x230 net/core/sock.c:4003\n udp_lib_close+0x15/0x20 include/net/udp.h:325\n inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:662 [inline]\n sock_close+0x6b/0x150 net/socket.c:1455\n __fput+0x29b/0x650 fs/file_table.c:468\n ____fput+0x1c/0x30 fs/file_table.c:496\n task_work_run+0x131/0x1a0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n worker_thread+0x582/0x770 kernel/workqueue.c:3421\n kthread+0x489/0x510 kernel/kthread.c:463\n ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -\u003e 0x0000000000000000"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:51.223Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f63ca44b4f419a1663d94d1bb0b4e2beb73fdb4"
},
{
"url": "https://git.kernel.org/stable/c/36c40a80109f1771d59558050b1a71e13c60c759"
},
{
"url": "https://git.kernel.org/stable/c/eae074dab764ea181bbed5e88626889319177498"
},
{
"url": "https://git.kernel.org/stable/c/68e92085427c84e7679ddb53c0d68836d220b6e7"
},
{
"url": "https://git.kernel.org/stable/c/3d6d414b214ce31659bded2f8df50c93a3769474"
},
{
"url": "https://git.kernel.org/stable/c/32d417497b79efb403d75f4c185fe6fd9d64b94f"
},
{
"url": "https://git.kernel.org/stable/c/7a29f6bf60f2590fe5e9c4decb451e19afad2bcf"
}
],
"title": "l2tp: avoid one data-race in l2tp_tunnel_del_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23120",
"datePublished": "2026-02-14T15:09:51.223Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:51.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23135 (GCVE-0-2026-23135)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-02-14 15:14
VLAI?
EPSS
Title
wifi: ath12k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36e0bc5e8b282564906fca636c4ebc99814de4e7
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 24585a13c41ea7253ee59aac74441fb570f5824a (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 4846b32be324f4dd3653f38a3f69c049543d52ae (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < bb97131fbf9b708dd9616ac2bdc793ad102b5c48 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36e0bc5e8b282564906fca636c4ebc99814de4e7",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "24585a13c41ea7253ee59aac74441fb570f5824a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "4846b32be324f4dd3653f38a3f69c049543d52ae",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "bb97131fbf9b708dd9616ac2bdc793ad102b5c48",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:14:34.473Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36e0bc5e8b282564906fca636c4ebc99814de4e7"
},
{
"url": "https://git.kernel.org/stable/c/24585a13c41ea7253ee59aac74441fb570f5824a"
},
{
"url": "https://git.kernel.org/stable/c/4846b32be324f4dd3653f38a3f69c049543d52ae"
},
{
"url": "https://git.kernel.org/stable/c/bb97131fbf9b708dd9616ac2bdc793ad102b5c48"
}
],
"title": "wifi: ath12k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23135",
"datePublished": "2026-02-14T15:14:34.473Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:14:34.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23190 (GCVE-0-2026-23190)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
ASoC: amd: fix memory leak in acp3x pdm dma ops
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: fix memory leak in acp3x pdm dma ops
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4a767b1d039a855c491c4853013804323c06f728 , < 9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc
(git)
Affected: 4a767b1d039a855c491c4853013804323c06f728 , < d7ead6512650447a4cd6db774a2379acb259650c (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 6d33640404968fe9f14a1252b337362b62fff490 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 0e0120214b5dcb0bf6b2171bb4e68e38968b2861 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 279cb9180510f7e13c3a4dfde8c16a8fbc7c5709 (git) Affected: 4a767b1d039a855c491c4853013804323c06f728 , < 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/renoir/acp3x-pdm-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "d7ead6512650447a4cd6db774a2379acb259650c",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "6d33640404968fe9f14a1252b337362b62fff490",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "0e0120214b5dcb0bf6b2171bb4e68e38968b2861",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "279cb9180510f7e13c3a4dfde8c16a8fbc7c5709",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
},
{
"lessThan": "7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6",
"status": "affected",
"version": "4a767b1d039a855c491c4853013804323c06f728",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/renoir/acp3x-pdm-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: fix memory leak in acp3x pdm dma ops"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:18.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f23800c7eed06cb8ccae8a225f5e3d421b0d4cc"
},
{
"url": "https://git.kernel.org/stable/c/d7ead6512650447a4cd6db774a2379acb259650c"
},
{
"url": "https://git.kernel.org/stable/c/6d33640404968fe9f14a1252b337362b62fff490"
},
{
"url": "https://git.kernel.org/stable/c/0e0120214b5dcb0bf6b2171bb4e68e38968b2861"
},
{
"url": "https://git.kernel.org/stable/c/c9c14d2abe4c5546fcd3a7347fadc4aad2b308d8"
},
{
"url": "https://git.kernel.org/stable/c/279cb9180510f7e13c3a4dfde8c16a8fbc7c5709"
},
{
"url": "https://git.kernel.org/stable/c/7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6"
}
],
"title": "ASoC: amd: fix memory leak in acp3x pdm dma ops",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23190",
"datePublished": "2026-02-14T16:27:18.203Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:18.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23185 (GCVE-0-2026-23185)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
wifi: iwlwifi: mld: cancel mlo_scan_start_wk
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mld: cancel mlo_scan_start_wk
mlo_scan_start_wk is not canceled on disconnection. In fact, it is not
canceled anywhere except in the restart cleanup, where we don't really
have to.
This can cause an init-after-queue issue: if, for example, the work was
queued and then drv_change_interface got executed.
This can also cause use-after-free: if the work is executed after the
vif is freed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mld/iface.c",
"drivers/net/wireless/intel/iwlwifi/mld/mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9b9f52f052f4953fecd2190ae2dde3aa76d10962",
"status": "affected",
"version": "9748ad82a9d92b036ff3115207e36e2b9932e354",
"versionType": "git"
},
{
"lessThan": "5ff641011ab7fb63ea101251087745d9826e8ef5",
"status": "affected",
"version": "9748ad82a9d92b036ff3115207e36e2b9932e354",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/mld/iface.c",
"drivers/net/wireless/intel/iwlwifi/mld/mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: cancel mlo_scan_start_wk\n\nmlo_scan_start_wk is not canceled on disconnection. In fact, it is not\ncanceled anywhere except in the restart cleanup, where we don\u0027t really\nhave to.\n\nThis can cause an init-after-queue issue: if, for example, the work was\nqueued and then drv_change_interface got executed.\n\nThis can also cause use-after-free: if the work is executed after the\nvif is freed."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:14.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9b9f52f052f4953fecd2190ae2dde3aa76d10962"
},
{
"url": "https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5"
}
],
"title": "wifi: iwlwifi: mld: cancel mlo_scan_start_wk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23185",
"datePublished": "2026-02-14T16:27:14.815Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-14T16:27:14.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23177 (GCVE-0-2026-23177)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
mm, shmem: prevent infinite loop on truncate race
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm, shmem: prevent infinite loop on truncate race
When truncating a large swap entry, shmem_free_swap() returns 0 when the
entry's index doesn't match the given index due to lookup alignment. The
failure fallback path checks if the entry crosses the end border and
aborts when it happens, so truncate won't erase an unexpected entry or
range. But one scenario was ignored.
When `index` points to the middle of a large swap entry, and the large
swap entry doesn't go across the end border, find_get_entries() will
return that large swap entry as the first item in the batch with
`indices[0]` equal to `index`. The entry's base index will be smaller
than `indices[0]`, so shmem_free_swap() will fail and return 0 due to the
"base < index" check. The code will then call shmem_confirm_swap(), get
the order, check if it crosses the END boundary (which it doesn't), and
retry with the same index.
The next iteration will find the same entry again at the same index with
same indices, leading to an infinite loop.
Fix this by retrying with a round-down index, and abort if the index is
smaller than the truncate range.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
809bc86517cc408b5b8cb8e08e69096639432bc8 , < dfc3ab6bd64860f8022d69903be299d09be86e11
(git)
Affected: 809bc86517cc408b5b8cb8e08e69096639432bc8 , < 7b6a0f121d50234aab3e7ab9a62ebe826d40a32a (git) Affected: 809bc86517cc408b5b8cb8e08e69096639432bc8 , < 2030dddf95451b4e7a389f052091e7c4b7b274c6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfc3ab6bd64860f8022d69903be299d09be86e11",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
},
{
"lessThan": "7b6a0f121d50234aab3e7ab9a62ebe826d40a32a",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
},
{
"lessThan": "2030dddf95451b4e7a389f052091e7c4b7b274c6",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, shmem: prevent infinite loop on truncate race\n\nWhen truncating a large swap entry, shmem_free_swap() returns 0 when the\nentry\u0027s index doesn\u0027t match the given index due to lookup alignment. The\nfailure fallback path checks if the entry crosses the end border and\naborts when it happens, so truncate won\u0027t erase an unexpected entry or\nrange. But one scenario was ignored.\n\nWhen `index` points to the middle of a large swap entry, and the large\nswap entry doesn\u0027t go across the end border, find_get_entries() will\nreturn that large swap entry as the first item in the batch with\n`indices[0]` equal to `index`. The entry\u0027s base index will be smaller\nthan `indices[0]`, so shmem_free_swap() will fail and return 0 due to the\n\"base \u003c index\" check. The code will then call shmem_confirm_swap(), get\nthe order, check if it crosses the END boundary (which it doesn\u0027t), and\nretry with the same index.\n\nThe next iteration will find the same entry again at the same index with\nsame indices, leading to an infinite loop.\n\nFix this by retrying with a round-down index, and abort if the index is\nsmaller than the truncate range."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:09.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfc3ab6bd64860f8022d69903be299d09be86e11"
},
{
"url": "https://git.kernel.org/stable/c/7b6a0f121d50234aab3e7ab9a62ebe826d40a32a"
},
{
"url": "https://git.kernel.org/stable/c/2030dddf95451b4e7a389f052091e7c4b7b274c6"
}
],
"title": "mm, shmem: prevent infinite loop on truncate race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23177",
"datePublished": "2026-02-14T16:27:09.429Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:27:09.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23187 (GCVE-0-2026-23187)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 7842b5dfcac888ece025a2321257d74b2264b099
(git)
Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 071159ff5c0bf2e5efff79501e23faf3775cbcd1 (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 4390dcdabb5fca4647bf56a5a6b050bbdfa5760f (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < eb54ce033b344b531b374496e68a2554b2b56b5a (git) Affected: 2684ac05a8c4d2d5c49e6c11eb6206b30a284813 , < 6bd8b4a92a901fae1a422e6f914801063c345e8d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7842b5dfcac888ece025a2321257d74b2264b099",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "071159ff5c0bf2e5efff79501e23faf3775cbcd1",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "4390dcdabb5fca4647bf56a5a6b050bbdfa5760f",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "eb54ce033b344b531b374496e68a2554b2b56b5a",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
},
{
"lessThan": "6bd8b4a92a901fae1a422e6f914801063c345e8d",
"status": "affected",
"version": "2684ac05a8c4d2d5c49e6c11eb6206b30a284813",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/imx/imx8m-blk-ctrl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: fix out-of-range access of bc-\u003edomains\n\nFix out-of-range access of bc-\u003edomains in imx8m_blk_ctrl_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:16.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7842b5dfcac888ece025a2321257d74b2264b099"
},
{
"url": "https://git.kernel.org/stable/c/071159ff5c0bf2e5efff79501e23faf3775cbcd1"
},
{
"url": "https://git.kernel.org/stable/c/4390dcdabb5fca4647bf56a5a6b050bbdfa5760f"
},
{
"url": "https://git.kernel.org/stable/c/eb54ce033b344b531b374496e68a2554b2b56b5a"
},
{
"url": "https://git.kernel.org/stable/c/6bd8b4a92a901fae1a422e6f914801063c345e8d"
}
],
"title": "pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc-\u003edomains",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23187",
"datePublished": "2026-02-14T16:27:16.200Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:16.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23157 (GCVE-0-2026-23157)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
btrfs: do not strictly require dirty metadata threshold for metadata writepages
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not strictly require dirty metadata threshold for metadata writepages
[BUG]
There is an internal report that over 1000 processes are
waiting at the io_schedule_timeout() of balance_dirty_pages(), causing
a system hang and trigger a kernel coredump.
The kernel is v6.4 kernel based, but the root problem still applies to
any upstream kernel before v6.18.
[CAUSE]
From Jan Kara for his wisdom on the dirty page balance behavior first.
This cgroup dirty limit was what was actually playing the role here
because the cgroup had only a small amount of memory and so the dirty
limit for it was something like 16MB.
Dirty throttling is responsible for enforcing that nobody can dirty
(significantly) more dirty memory than there's dirty limit. Thus when
a task is dirtying pages it periodically enters into balance_dirty_pages()
and we let it sleep there to slow down the dirtying.
When the system is over dirty limit already (either globally or within
a cgroup of the running task), we will not let the task exit from
balance_dirty_pages() until the number of dirty pages drops below the
limit.
So in this particular case, as I already mentioned, there was a cgroup
with relatively small amount of memory and as a result with dirty limit
set at 16MB. A task from that cgroup has dirtied about 28MB worth of
pages in btrfs btree inode and these were practically the only dirty
pages in that cgroup.
So that means the only way to reduce the dirty pages of that cgroup is
to writeback the dirty pages of btrfs btree inode, and only after that
those processes can exit balance_dirty_pages().
Now back to the btrfs part, btree_writepages() is responsible for
writing back dirty btree inode pages.
The problem here is, there is a btrfs internal threshold that if the
btree inode's dirty bytes are below the 32M threshold, it will not
do any writeback.
This behavior is to batch as much metadata as possible so we won't write
back those tree blocks and then later re-COW them again for another
modification.
This internal 32MiB is higher than the existing dirty page size (28MiB),
meaning no writeback will happen, causing a deadlock between btrfs and
cgroup:
- Btrfs doesn't want to write back btree inode until more dirty pages
- Cgroup/MM doesn't want more dirty pages for btrfs btree inode
Thus any process touching that btree inode is put into sleep until
the number of dirty pages is reduced.
Thanks Jan Kara a lot for the analysis of the root cause.
[ENHANCEMENT]
Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on the
btree_inode"), btrfs btree inode pages will only be charged to the root
cgroup which should have a much larger limit than btrfs' 32MiB
threshold.
So it should not affect newer kernels.
But for all current LTS kernels, they are all affected by this problem,
and backporting the whole AS_KERNEL_FILE may not be a good idea.
Even for newer kernels I still think it's a good idea to get
rid of the internal threshold at btree_writepages(), since for most cases
cgroup/MM has a better view of full system memory usage than btrfs' fixed
threshold.
For internal callers using btrfs_btree_balance_dirty() since that
function is already doing internal threshold check, we don't need to
bother them.
But for external callers of btree_writepages(), just respect their
requests and write back whatever they want, ignoring the internal
btrfs threshold to avoid such deadlock on btree inode dirty page
balancing.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/extent_io.c",
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "629666d20c7dcd740e193ec0631fdff035b1f7d6",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
},
{
"lessThan": "4e159150a9a56d66d247f4b5510bed46fe58aa1c",
"status": "affected",
"version": "793955bca66c99defdffc857ae6eb7e8431d6bbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c",
"fs/btrfs/extent_io.c",
"fs/btrfs/extent_io.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not strictly require dirty metadata threshold for metadata writepages\n\n[BUG]\nThere is an internal report that over 1000 processes are\nwaiting at the io_schedule_timeout() of balance_dirty_pages(), causing\na system hang and trigger a kernel coredump.\n\nThe kernel is v6.4 kernel based, but the root problem still applies to\nany upstream kernel before v6.18.\n\n[CAUSE]\nFrom Jan Kara for his wisdom on the dirty page balance behavior first.\n\n This cgroup dirty limit was what was actually playing the role here\n because the cgroup had only a small amount of memory and so the dirty\n limit for it was something like 16MB.\n\n Dirty throttling is responsible for enforcing that nobody can dirty\n (significantly) more dirty memory than there\u0027s dirty limit. Thus when\n a task is dirtying pages it periodically enters into balance_dirty_pages()\n and we let it sleep there to slow down the dirtying.\n\n When the system is over dirty limit already (either globally or within\n a cgroup of the running task), we will not let the task exit from\n balance_dirty_pages() until the number of dirty pages drops below the\n limit.\n\n So in this particular case, as I already mentioned, there was a cgroup\n with relatively small amount of memory and as a result with dirty limit\n set at 16MB. A task from that cgroup has dirtied about 28MB worth of\n pages in btrfs btree inode and these were practically the only dirty\n pages in that cgroup.\n\nSo that means the only way to reduce the dirty pages of that cgroup is\nto writeback the dirty pages of btrfs btree inode, and only after that\nthose processes can exit balance_dirty_pages().\n\nNow back to the btrfs part, btree_writepages() is responsible for\nwriting back dirty btree inode pages.\n\nThe problem here is, there is a btrfs internal threshold that if the\nbtree inode\u0027s dirty bytes are below the 32M threshold, it will not\ndo any writeback.\n\nThis behavior is to batch as much metadata as possible so we won\u0027t write\nback those tree blocks and then later re-COW them again for another\nmodification.\n\nThis internal 32MiB is higher than the existing dirty page size (28MiB),\nmeaning no writeback will happen, causing a deadlock between btrfs and\ncgroup:\n\n- Btrfs doesn\u0027t want to write back btree inode until more dirty pages\n\n- Cgroup/MM doesn\u0027t want more dirty pages for btrfs btree inode\n Thus any process touching that btree inode is put into sleep until\n the number of dirty pages is reduced.\n\nThanks Jan Kara a lot for the analysis of the root cause.\n\n[ENHANCEMENT]\nSince kernel commit b55102826d7d (\"btrfs: set AS_KERNEL_FILE on the\nbtree_inode\"), btrfs btree inode pages will only be charged to the root\ncgroup which should have a much larger limit than btrfs\u0027 32MiB\nthreshold.\nSo it should not affect newer kernels.\n\nBut for all current LTS kernels, they are all affected by this problem,\nand backporting the whole AS_KERNEL_FILE may not be a good idea.\n\nEven for newer kernels I still think it\u0027s a good idea to get\nrid of the internal threshold at btree_writepages(), since for most cases\ncgroup/MM has a better view of full system memory usage than btrfs\u0027 fixed\nthreshold.\n\nFor internal callers using btrfs_btree_balance_dirty() since that\nfunction is already doing internal threshold check, we don\u0027t need to\nbother them.\n\nBut for external callers of btree_writepages(), just respect their\nrequests and write back whatever they want, ignoring the internal\nbtrfs threshold to avoid such deadlock on btree inode dirty page\nbalancing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:50.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/629666d20c7dcd740e193ec0631fdff035b1f7d6"
},
{
"url": "https://git.kernel.org/stable/c/4e159150a9a56d66d247f4b5510bed46fe58aa1c"
}
],
"title": "btrfs: do not strictly require dirty metadata threshold for metadata writepages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23157",
"datePublished": "2026-02-14T16:01:23.874Z",
"dateReserved": "2026-01-13T15:37:45.978Z",
"dateUpdated": "2026-02-16T08:58:50.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23191 (GCVE-0-2026-23191)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
ALSA: aloop: Fix racy access at PCM trigger
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b1c73fc8e697eb73e23603e465e9af2711ed4183 , < bad15420050db1803767e58756114800cce91ea4
(git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 5727ccf9d19ca414cb76d9b647883822e2789c2e (git) Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 826af7fa62e347464b1b4e0ba2fe19a92438084f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bad15420050db1803767e58756114800cce91ea4",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable-\u003elock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:55.176Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
},
{
"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
},
{
"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
}
],
"title": "ALSA: aloop: Fix racy access at PCM trigger",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23191",
"datePublished": "2026-02-14T16:27:18.882Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-16T08:58:55.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23203 (GCVE-0-2026-23203)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue
Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for
IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for
IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this
change triggered the following call trace on my BeagleBone Black board:
WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496
RTNL: assertion failed at net/8021q/vlan_core.c (236)
Modules linked in:
CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT
Hardware name: Generic AM33XX (Flattened Device Tree)
Call trace:
unwind_backtrace from show_stack+0x28/0x2c
show_stack from dump_stack_lvl+0x30/0x38
dump_stack_lvl from __warn+0xb8/0x11c
__warn from warn_slowpath_fmt+0x130/0x194
warn_slowpath_fmt from vlan_for_each+0x120/0x124
vlan_for_each from cpsw_add_mc_addr+0x54/0xd8
cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec
__hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88
__dev_mc_add from igmp6_group_added+0x84/0xec
igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0
__ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4
__ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168
do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8
ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c
do_sock_setsockopt from __sys_setsockopt+0x84/0xac
__sys_setsockopt from ret_fast_syscall+0x0/0x5
This trace occurs because vlan_for_each() is called within
cpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.
Since modifying vlan_for_each() to operate without the RTNL lock is not
straightforward, and because ndo_set_rx_mode() is invoked both with and
without the RTNL lock across different code paths, simply adding
rtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.
To resolve this issue, we opt to execute the actual processing within
a work queue, following the approach used by the icssg-prueth driver.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_new.c",
"drivers/net/ethernet/ti/cpsw_priv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5b3a669866977dc87fd56fcf00a70df1536d258",
"status": "affected",
"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69",
"versionType": "git"
},
{
"lessThan": "c0b5dc73a38f954e780f93a549b8fe225235c07a",
"status": "affected",
"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw_new.c",
"drivers/net/ethernet/ti/cpsw_priv.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don\u0027t hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496\n RTNL: assertion failed at net/8021q/vlan_core.c (236)\n Modules linked in:\n CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT\n Hardware name: Generic AM33XX (Flattened Device Tree)\n Call trace:\n unwind_backtrace from show_stack+0x28/0x2c\n show_stack from dump_stack_lvl+0x30/0x38\n dump_stack_lvl from __warn+0xb8/0x11c\n __warn from warn_slowpath_fmt+0x130/0x194\n warn_slowpath_fmt from vlan_for_each+0x120/0x124\n vlan_for_each from cpsw_add_mc_addr+0x54/0xd8\n cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n __dev_mc_add from igmp6_group_added+0x84/0xec\n igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n __sys_setsockopt from ret_fast_syscall+0x0/0x5\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:27.048Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258"
},
{
"url": "https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a"
}
],
"title": "net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23203",
"datePublished": "2026-02-14T16:27:27.048Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:27.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23196 (GCVE-0-2026-23196)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer
Add DMA buffer readiness check before reading DMA buffer to avoid
unexpected NULL pointer accessing.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e84a807c98a71f767fd1f609637bc5944f916cb",
"status": "affected",
"version": "4138f21115aec3ebae7805ec3407c72d93558023",
"versionType": "git"
},
{
"lessThan": "a9a917998d172ec117f9e9de1919174153c0ace4",
"status": "affected",
"version": "4138f21115aec3ebae7805ec3407c72d93558023",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer\n\nAdd DMA buffer readiness check before reading DMA buffer to avoid\nunexpected NULL pointer accessing."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:57.510Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e84a807c98a71f767fd1f609637bc5944f916cb"
},
{
"url": "https://git.kernel.org/stable/c/a9a917998d172ec117f9e9de1919174153c0ace4"
}
],
"title": "HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23196",
"datePublished": "2026-02-14T16:27:22.264Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-16T08:58:57.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23170 (GCVE-0-2026-23170)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
drm/imx/tve: fix probe device leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/imx/tve: fix probe device leak
Make sure to drop the reference taken to the DDC device during probe on
probe failure (e.g. probe deferral) and on driver unbind.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fcbc51e54d2aa9d402206601f4894251049e5d77 , < f212652982c6725986cfa42fbf10d1dfa92c010e
(git)
Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 52755c5680ce333b33d0750a200fbc99420ed2b2 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 9a15d3fdc22d48f597792aee0cf1bf0947fc62e6 (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < 77365382585b40559d63538d09e26e4b2af28fbc (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < ca68745e820ecd210e3ab018497c9e6b69025c4b (git) Affected: fcbc51e54d2aa9d402206601f4894251049e5d77 , < e535c23513c63f02f67e3e09e0787907029efeaf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f212652982c6725986cfa42fbf10d1dfa92c010e",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "52755c5680ce333b33d0750a200fbc99420ed2b2",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "9a15d3fdc22d48f597792aee0cf1bf0947fc62e6",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "77365382585b40559d63538d09e26e4b2af28fbc",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "ca68745e820ecd210e3ab018497c9e6b69025c4b",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
},
{
"lessThan": "e535c23513c63f02f67e3e09e0787907029efeaf",
"status": "affected",
"version": "fcbc51e54d2aa9d402206601f4894251049e5d77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/imx/ipuv3/imx-tve.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx/tve: fix probe device leak\n\nMake sure to drop the reference taken to the DDC device during probe on\nprobe failure (e.g. probe deferral) and on driver unbind."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:32.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f212652982c6725986cfa42fbf10d1dfa92c010e"
},
{
"url": "https://git.kernel.org/stable/c/52755c5680ce333b33d0750a200fbc99420ed2b2"
},
{
"url": "https://git.kernel.org/stable/c/4aaff8f6ab38f81e00ab8aa1fcfb7eb20cd87ba1"
},
{
"url": "https://git.kernel.org/stable/c/9a15d3fdc22d48f597792aee0cf1bf0947fc62e6"
},
{
"url": "https://git.kernel.org/stable/c/77365382585b40559d63538d09e26e4b2af28fbc"
},
{
"url": "https://git.kernel.org/stable/c/ca68745e820ecd210e3ab018497c9e6b69025c4b"
},
{
"url": "https://git.kernel.org/stable/c/e535c23513c63f02f67e3e09e0787907029efeaf"
}
],
"title": "drm/imx/tve: fix probe device leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23170",
"datePublished": "2026-02-14T16:01:32.833Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-02-14T16:01:32.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23199 (GCVE-0-2026-23199)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
procfs: avoid fetching build ID while holding VMA lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
procfs: avoid fetching build ID while holding VMA lock
Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock
or per-VMA lock, whichever was used to lock VMA under question, to avoid
deadlock reported by syzbot:
-> #1 (&mm->mmap_lock){++++}-{4:4}:
__might_fault+0xed/0x170
_copy_to_iter+0x118/0x1720
copy_page_to_iter+0x12d/0x1e0
filemap_read+0x720/0x10a0
blkdev_read_iter+0x2b5/0x4e0
vfs_read+0x7f4/0xae0
ksys_read+0x12a/0x250
do_syscall_64+0xcb/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}:
__lock_acquire+0x1509/0x26d0
lock_acquire+0x185/0x340
down_read+0x98/0x490
blkdev_read_iter+0x2a7/0x4e0
__kernel_read+0x39a/0xa90
freader_fetch+0x1d5/0xa80
__build_id_parse.isra.0+0xea/0x6a0
do_procmap_query+0xd75/0x1050
procfs_procmap_ioctl+0x7a/0xb0
__x64_sys_ioctl+0x18e/0x210
do_syscall_64+0xcb/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(&mm->mmap_lock);
lock(&sb->s_type->i_mutex_key#8);
lock(&mm->mmap_lock);
rlock(&sb->s_type->i_mutex_key#8);
*** DEADLOCK ***
This seems to be exacerbated (as we haven't seen these syzbot reports
before that) by the recent:
777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context")
To make this safe, we need to grab file refcount while VMA is still locked, but
other than that everything is pretty straightforward. Internal build_id_parse()
API assumes VMA is passed, but it only needs the underlying file reference, so
just add another variant build_id_parse_file() that expects file passed
directly.
[akpm@linux-foundation.org: fix up kerneldoc]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ed5d583a88a9207b866c14ba834984c6f3c51d23 , < b9b97e6aeb534315f9646b2090d1a5024c6a4e82
(git)
Affected: ed5d583a88a9207b866c14ba834984c6f3c51d23 , < cbc03ce3e6ce7e21214c3f02218213574c1a2d08 (git) Affected: ed5d583a88a9207b866c14ba834984c6f3c51d23 , < b5cbacd7f86f4f62b8813688c8e73be94e8e1951 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c",
"include/linux/buildid.h",
"lib/buildid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9b97e6aeb534315f9646b2090d1a5024c6a4e82",
"status": "affected",
"version": "ed5d583a88a9207b866c14ba834984c6f3c51d23",
"versionType": "git"
},
{
"lessThan": "cbc03ce3e6ce7e21214c3f02218213574c1a2d08",
"status": "affected",
"version": "ed5d583a88a9207b866c14ba834984c6f3c51d23",
"versionType": "git"
},
{
"lessThan": "b5cbacd7f86f4f62b8813688c8e73be94e8e1951",
"status": "affected",
"version": "ed5d583a88a9207b866c14ba834984c6f3c51d23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/task_mmu.c",
"include/linux/buildid.h",
"lib/buildid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprocfs: avoid fetching build ID while holding VMA lock\n\nFix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock\nor per-VMA lock, whichever was used to lock VMA under question, to avoid\ndeadlock reported by syzbot:\n\n -\u003e #1 (\u0026mm-\u003emmap_lock){++++}-{4:4}:\n __might_fault+0xed/0x170\n _copy_to_iter+0x118/0x1720\n copy_page_to_iter+0x12d/0x1e0\n filemap_read+0x720/0x10a0\n blkdev_read_iter+0x2b5/0x4e0\n vfs_read+0x7f4/0xae0\n ksys_read+0x12a/0x250\n do_syscall_64+0xcb/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n -\u003e #0 (\u0026sb-\u003es_type-\u003ei_mutex_key#8){++++}-{4:4}:\n __lock_acquire+0x1509/0x26d0\n lock_acquire+0x185/0x340\n down_read+0x98/0x490\n blkdev_read_iter+0x2a7/0x4e0\n __kernel_read+0x39a/0xa90\n freader_fetch+0x1d5/0xa80\n __build_id_parse.isra.0+0xea/0x6a0\n do_procmap_query+0xd75/0x1050\n procfs_procmap_ioctl+0x7a/0xb0\n __x64_sys_ioctl+0x18e/0x210\n do_syscall_64+0xcb/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n other info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n rlock(\u0026mm-\u003emmap_lock);\n lock(\u0026sb-\u003es_type-\u003ei_mutex_key#8);\n lock(\u0026mm-\u003emmap_lock);\n rlock(\u0026sb-\u003es_type-\u003ei_mutex_key#8);\n\n *** DEADLOCK ***\n\nThis seems to be exacerbated (as we haven\u0027t seen these syzbot reports\nbefore that) by the recent:\n\n\t777a8560fd29 (\"lib/buildid: use __kernel_read() for sleepable context\")\n\nTo make this safe, we need to grab file refcount while VMA is still locked, but\nother than that everything is pretty straightforward. Internal build_id_parse()\nAPI assumes VMA is passed, but it only needs the underlying file reference, so\njust add another variant build_id_parse_file() that expects file passed\ndirectly.\n\n[akpm@linux-foundation.org: fix up kerneldoc]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:24.326Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9b97e6aeb534315f9646b2090d1a5024c6a4e82"
},
{
"url": "https://git.kernel.org/stable/c/cbc03ce3e6ce7e21214c3f02218213574c1a2d08"
},
{
"url": "https://git.kernel.org/stable/c/b5cbacd7f86f4f62b8813688c8e73be94e8e1951"
}
],
"title": "procfs: avoid fetching build ID while holding VMA lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23199",
"datePublished": "2026-02-14T16:27:24.326Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:24.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23133 (GCVE-0-2026-23133)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-02-14 15:14
VLAI?
EPSS
Title
wifi: ath10k: fix dma_free_coherent() pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < e2dda298ef809aa201ea7c0904c4d064f6c497cb
(git)
Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < fc8da65f9fe1bc6802f8240b342cfff4f5c7e841 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < b0ad924332a96550a84b8c0ae5483e7042d65fa9 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 1928851334ecfd6e0d663121ab69ac639d4217a6 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 5d6fa4d2c9799c09389588da5118a72d97d87e92 (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 07f363f305793baecad41816f73056252f3df61e (git) Affected: 2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1 , < 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2dda298ef809aa201ea7c0904c4d064f6c497cb",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "fc8da65f9fe1bc6802f8240b342cfff4f5c7e841",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "b0ad924332a96550a84b8c0ae5483e7042d65fa9",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "1928851334ecfd6e0d663121ab69ac639d4217a6",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "5d6fa4d2c9799c09389588da5118a72d97d87e92",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "07f363f305793baecad41816f73056252f3df61e",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
},
{
"lessThan": "9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f",
"status": "affected",
"version": "2a1e1ad3fd37a632b61f50e73dafddb4b0fa57f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/ce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:14:33.102Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2dda298ef809aa201ea7c0904c4d064f6c497cb"
},
{
"url": "https://git.kernel.org/stable/c/fc8da65f9fe1bc6802f8240b342cfff4f5c7e841"
},
{
"url": "https://git.kernel.org/stable/c/b0ad924332a96550a84b8c0ae5483e7042d65fa9"
},
{
"url": "https://git.kernel.org/stable/c/1928851334ecfd6e0d663121ab69ac639d4217a6"
},
{
"url": "https://git.kernel.org/stable/c/5d6fa4d2c9799c09389588da5118a72d97d87e92"
},
{
"url": "https://git.kernel.org/stable/c/07f363f305793baecad41816f73056252f3df61e"
},
{
"url": "https://git.kernel.org/stable/c/9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f"
}
],
"title": "wifi: ath10k: fix dma_free_coherent() pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23133",
"datePublished": "2026-02-14T15:14:33.102Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:14:33.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23136 (GCVE-0-2026-23136)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
libceph: reset sparse-read state in osd_fault()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: reset sparse-read state in osd_fault()
When a fault occurs, the connection is abandoned, reestablished, and any
pending operations are retried. The OSD client tracks the progress of a
sparse-read reply using a separate state machine, largely independent of
the messenger's state.
If a connection is lost mid-payload or the sparse-read state machine
returns an error, the sparse-read state is not reset. The OSD client
will then interpret the beginning of a new reply as the continuation of
the old one. If this makes the sparse-read machinery enter a failure
state, it may never recover, producing loops like:
libceph: [0] got 0 extents
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
Therefore, reset the sparse-read state in osd_fault(), ensuring retries
start from a clean state.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f628d799972799023d32c2542bb2639eb8c4f84e , < 90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff
(git)
Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < e94075e950a6598e710b9f7dffea5aa388f40313 (git) Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 10b7c72810364226f7b27916ea3e2a4f870bc04b (git) Affected: f628d799972799023d32c2542bb2639eb8c4f84e , < 11194b416ef95012c2cfe5f546d71af07b639e93 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "e94075e950a6598e710b9f7dffea5aa388f40313",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "10b7c72810364226f7b27916ea3e2a4f870bc04b",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
},
{
"lessThan": "11194b416ef95012c2cfe5f546d71af07b639e93",
"status": "affected",
"version": "f628d799972799023d32c2542bb2639eb8c4f84e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osd_client.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: reset sparse-read state in osd_fault()\n\nWhen a fault occurs, the connection is abandoned, reestablished, and any\npending operations are retried. The OSD client tracks the progress of a\nsparse-read reply using a separate state machine, largely independent of\nthe messenger\u0027s state.\n\nIf a connection is lost mid-payload or the sparse-read state machine\nreturns an error, the sparse-read state is not reset. The OSD client\nwill then interpret the beginning of a new reply as the continuation of\nthe old one. If this makes the sparse-read machinery enter a failure\nstate, it may never recover, producing loops like:\n\n libceph: [0] got 0 extents\n libceph: data len 142248331 != extent len 0\n libceph: osd0 (1)...:6801 socket error on read\n libceph: data len 142248331 != extent len 0\n libceph: osd0 (1)...:6801 socket error on read\n\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\nstart from a clean state."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:21.952Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff"
},
{
"url": "https://git.kernel.org/stable/c/e94075e950a6598e710b9f7dffea5aa388f40313"
},
{
"url": "https://git.kernel.org/stable/c/10b7c72810364226f7b27916ea3e2a4f870bc04b"
},
{
"url": "https://git.kernel.org/stable/c/11194b416ef95012c2cfe5f546d71af07b639e93"
}
],
"title": "libceph: reset sparse-read state in osd_fault()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23136",
"datePublished": "2026-02-14T15:22:21.952Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:22:21.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23131 (GCVE-0-2026-23131)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
The hp-bioscfg driver attempts to register kobjects with empty names when
the HP BIOS returns attributes with empty name strings. This causes
multiple kernel warnings:
kobject: (00000000135fb5e6): attempted to be registered with empty name!
WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310
Add validation in hp_init_bios_buffer_attribute() to check if the
attribute name is empty after parsing it from the WMI buffer. If empty,
log a debug message and skip registration of that attribute, allowing the
module to continue processing other valid attributes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a34fc329b1895fc8a6eb12099adc47009421ba6a , < 29917c80aa96a25cbcf5876fd774a1cfd72b01a9
(git)
Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < 6476be59b7162b891b7bddbd0c2924d87379ef6c (git) Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < 800b2767905d6b409b8bbe357121970f0b489a89 (git) Affected: a34fc329b1895fc8a6eb12099adc47009421ba6a , < fdee1b09721605f532352628d0a24623e7062efb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29917c80aa96a25cbcf5876fd774a1cfd72b01a9",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "6476be59b7162b891b7bddbd0c2924d87379ef6c",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "800b2767905d6b409b8bbe357121970f0b489a89",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
},
{
"lessThan": "fdee1b09721605f532352628d0a24623e7062efb",
"status": "affected",
"version": "a34fc329b1895fc8a6eb12099adc47009421ba6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/bioscfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names\n\nThe hp-bioscfg driver attempts to register kobjects with empty names when\nthe HP BIOS returns attributes with empty name strings. This causes\nmultiple kernel warnings:\n\n kobject: (00000000135fb5e6): attempted to be registered with empty name!\n WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310\n\nAdd validation in hp_init_bios_buffer_attribute() to check if the\nattribute name is empty after parsing it from the WMI buffer. If empty,\nlog a debug message and skip registration of that attribute, allowing the\nmodule to continue processing other valid attributes."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:58.916Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29917c80aa96a25cbcf5876fd774a1cfd72b01a9"
},
{
"url": "https://git.kernel.org/stable/c/6476be59b7162b891b7bddbd0c2924d87379ef6c"
},
{
"url": "https://git.kernel.org/stable/c/800b2767905d6b409b8bbe357121970f0b489a89"
},
{
"url": "https://git.kernel.org/stable/c/fdee1b09721605f532352628d0a24623e7062efb"
}
],
"title": "platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23131",
"datePublished": "2026-02-14T15:09:58.916Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:09:58.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23134 (GCVE-0-2026-23134)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-02-14 15:14
VLAI?
EPSS
Title
slab: fix kmalloc_nolock() context check for PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
slab: fix kmalloc_nolock() context check for PREEMPT_RT
On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current
check in kmalloc_nolock() only verifies we're not in NMI or hard IRQ
context, but misses the case where preemption is disabled.
When a BPF program runs from a tracepoint with preemption disabled
(preempt_count > 0), kmalloc_nolock() proceeds to call
local_lock_irqsave() which attempts to acquire a sleeping lock,
triggering:
BUG: sleeping function called from invalid context
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6128
preempt_count: 2, expected: 0
Fix this by checking !preemptible() on PREEMPT_RT, which directly
expresses the constraint that we cannot take a sleeping lock when
preemption is disabled. This encompasses the previous checks for NMI
and hard IRQ contexts while also catching cases where preemption is
disabled.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f60ba4a97ae3f94e4818722ed2e4d260bbb17b44",
"status": "affected",
"version": "af92793e52c3a99b828ed4bdd277fd3e11c18d08",
"versionType": "git"
},
{
"lessThan": "99a3e3a1cfc93b8fe318c0a3a5cfb01f1d4ad53c",
"status": "affected",
"version": "af92793e52c3a99b828ed4bdd277fd3e11c18d08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: fix kmalloc_nolock() context check for PREEMPT_RT\n\nOn PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current\ncheck in kmalloc_nolock() only verifies we\u0027re not in NMI or hard IRQ\ncontext, but misses the case where preemption is disabled.\n\nWhen a BPF program runs from a tracepoint with preemption disabled\n(preempt_count \u003e 0), kmalloc_nolock() proceeds to call\nlocal_lock_irqsave() which attempts to acquire a sleeping lock,\ntriggering:\n\n BUG: sleeping function called from invalid context\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6128\n preempt_count: 2, expected: 0\n\nFix this by checking !preemptible() on PREEMPT_RT, which directly\nexpresses the constraint that we cannot take a sleeping lock when\npreemption is disabled. This encompasses the previous checks for NMI\nand hard IRQ contexts while also catching cases where preemption is\ndisabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:14:33.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f60ba4a97ae3f94e4818722ed2e4d260bbb17b44"
},
{
"url": "https://git.kernel.org/stable/c/99a3e3a1cfc93b8fe318c0a3a5cfb01f1d4ad53c"
}
],
"title": "slab: fix kmalloc_nolock() context check for PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23134",
"datePublished": "2026-02-14T15:14:33.806Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:14:33.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23198 (GCVE-0-2026-23198)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
KVM: Don't clobber irqfd routing type when deassigning irqfd
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Don't clobber irqfd routing type when deassigning irqfd
When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's
routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86
and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to
handle a concurrent routing update, verify that the irqfd is still active
before consuming the routing information. As evidenced by the x86 and
arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),
clobbering the entry type without notifying arch code is surprising and
error prone.
As a bonus, checking that the irqfd is active provides a convenient
location for documenting _why_ KVM must not consume the routing entry for
an irqfd that is in the process of being deassigned: once the irqfd is
deleted from the list (which happens *before* the eventfd is detached), it
will no longer receive updates via kvm_irq_routing_update(), and so KVM
could deliver an event using stale routing information (relative to
KVM_SET_GSI_ROUTING returning to userspace).
As an even better bonus, explicitly checking for the irqfd being active
fixes a similar bug to the one the clobbering is trying to prevent: if an
irqfd is deactivated, and then its routing is changed,
kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()
(because the irqfd isn't in the list). And so if the irqfd is in bypass
mode, IRQs will continue to be posted using the old routing information.
As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type
results in KVM incorrectly keeping the IRQ in bypass mode, which is
especially problematic on AMD as KVM tracks IRQs that are being posted to
a vCPU in a list whose lifetime is tied to the irqfd.
Without the help of KASAN to detect use-after-free, the most common
sympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to
the memory for irqfd structure being re-allocated and zeroed, resulting
in irqfd->irq_bypass_data being NULL when read by
avic_update_iommu_vcpu_affinity():
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test
Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE
Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
RIP: 0010:amd_iommu_update_ga+0x19/0xe0
Call Trace:
<TASK>
avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]
__avic_vcpu_load+0xf4/0x130 [kvm_amd]
kvm_arch_vcpu_load+0x89/0x210 [kvm]
vcpu_load+0x30/0x40 [kvm]
kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]
kvm_vcpu_ioctl+0x571/0x6a0 [kvm]
__se_sys_ioctl+0x6d/0xb0
do_syscall_64+0x6f/0x9d0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x46893b
</TASK>
---[ end trace 0000000000000000 ]---
If AVIC is inhibited when the irfd is deassigned, the bug will manifest as
list corruption, e.g. on the next irqfd assignment.
list_add corruption. next->prev should be prev (ffff8d474d5cd588),
but was 0000000000000000. (next=ffff8d8658f86530).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:31!
Oops: invalid opcode: 0000 [#1] SMP
CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test
Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE
Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025
RIP: 0010:__list_add_valid_or_report+0x97/0xc0
Call Trace:
<TASK>
avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]
kvm_pi_update_irte+0xbf/0x190 [kvm]
kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]
irq_bypass_register_consumer+0xcd/0x170 [irqbypa
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f70c20aaf141adb715a2d750c55154073b02a9c3 , < 959a063e7f12524bc1871ad1f519787967bbcd45
(git)
Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 2284bc168b148a17b5ca3b37b3d95c411f18a08d (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 6d14ba1e144e796b5fc81044f08cfba9024ca195 (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < b61f9b2fcf181451d0a319889478cc53c001123e (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < ff48c9312d042bfbe826ca675e98acc6c623211c (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < 4385b2f2843549bfb932e0dcf76bf4b065543a3c (git) Affected: f70c20aaf141adb715a2d750c55154073b02a9c3 , < b4d37cdb77a0015f51fee083598fa227cc07aaf1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/eventfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "959a063e7f12524bc1871ad1f519787967bbcd45",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "2284bc168b148a17b5ca3b37b3d95c411f18a08d",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "6d14ba1e144e796b5fc81044f08cfba9024ca195",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "b61f9b2fcf181451d0a319889478cc53c001123e",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "ff48c9312d042bfbe826ca675e98acc6c623211c",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "4385b2f2843549bfb932e0dcf76bf4b065543a3c",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
},
{
"lessThan": "b4d37cdb77a0015f51fee083598fa227cc07aaf1",
"status": "affected",
"version": "f70c20aaf141adb715a2d750c55154073b02a9c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/eventfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t clobber irqfd routing type when deassigning irqfd\n\nWhen deassigning a KVM_IRQFD, don\u0027t clobber the irqfd\u0027s copy of the IRQ\u0027s\nrouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86\nand arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to\nhandle a concurrent routing update, verify that the irqfd is still active\nbefore consuming the routing information. As evidenced by the x86 and\narm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),\nclobbering the entry type without notifying arch code is surprising and\nerror prone.\n\nAs a bonus, checking that the irqfd is active provides a convenient\nlocation for documenting _why_ KVM must not consume the routing entry for\nan irqfd that is in the process of being deassigned: once the irqfd is\ndeleted from the list (which happens *before* the eventfd is detached), it\nwill no longer receive updates via kvm_irq_routing_update(), and so KVM\ncould deliver an event using stale routing information (relative to\nKVM_SET_GSI_ROUTING returning to userspace).\n\nAs an even better bonus, explicitly checking for the irqfd being active\nfixes a similar bug to the one the clobbering is trying to prevent: if an\nirqfd is deactivated, and then its routing is changed,\nkvm_irq_routing_update() won\u0027t invoke kvm_arch_update_irqfd_routing()\n(because the irqfd isn\u0027t in the list). And so if the irqfd is in bypass\nmode, IRQs will continue to be posted using the old routing information.\n\nAs for kvm_arch_irq_bypass_del_producer(), clobbering the routing type\nresults in KVM incorrectly keeping the IRQ in bypass mode, which is\nespecially problematic on AMD as KVM tracks IRQs that are being posted to\na vCPU in a list whose lifetime is tied to the irqfd.\n\nWithout the help of KASAN to detect use-after-free, the most common\nsympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to\nthe memory for irqfd structure being re-allocated and zeroed, resulting\nin irqfd-\u003eirq_bypass_data being NULL when read by\navic_update_iommu_vcpu_affinity():\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test\n Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE\n Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n RIP: 0010:amd_iommu_update_ga+0x19/0xe0\n Call Trace:\n \u003cTASK\u003e\n avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]\n __avic_vcpu_load+0xf4/0x130 [kvm_amd]\n kvm_arch_vcpu_load+0x89/0x210 [kvm]\n vcpu_load+0x30/0x40 [kvm]\n kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]\n kvm_vcpu_ioctl+0x571/0x6a0 [kvm]\n __se_sys_ioctl+0x6d/0xb0\n do_syscall_64+0x6f/0x9d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x46893b\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nIf AVIC is inhibited when the irfd is deassigned, the bug will manifest as\nlist corruption, e.g. on the next irqfd assignment.\n\n list_add corruption. next-\u003eprev should be prev (ffff8d474d5cd588),\n but was 0000000000000000. (next=ffff8d8658f86530).\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:31!\n Oops: invalid opcode: 0000 [#1] SMP\n CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test\n Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE\n Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n RIP: 0010:__list_add_valid_or_report+0x97/0xc0\n Call Trace:\n \u003cTASK\u003e\n avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]\n kvm_pi_update_irte+0xbf/0x190 [kvm]\n kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]\n irq_bypass_register_consumer+0xcd/0x170 [irqbypa\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:23.621Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/959a063e7f12524bc1871ad1f519787967bbcd45"
},
{
"url": "https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d"
},
{
"url": "https://git.kernel.org/stable/c/6d14ba1e144e796b5fc81044f08cfba9024ca195"
},
{
"url": "https://git.kernel.org/stable/c/b61f9b2fcf181451d0a319889478cc53c001123e"
},
{
"url": "https://git.kernel.org/stable/c/ff48c9312d042bfbe826ca675e98acc6c623211c"
},
{
"url": "https://git.kernel.org/stable/c/4385b2f2843549bfb932e0dcf76bf4b065543a3c"
},
{
"url": "https://git.kernel.org/stable/c/b4d37cdb77a0015f51fee083598fa227cc07aaf1"
}
],
"title": "KVM: Don\u0027t clobber irqfd routing type when deassigning irqfd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23198",
"datePublished": "2026-02-14T16:27:23.621Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:23.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23208 (GCVE-0-2026-23208)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
ALSA: usb-audio: Prevent excessive number of frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Prevent excessive number of frames
In this case, the user constructed the parameters with maxpacksize 40
for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer
size for each data URB is maxpacksize * packets, which in this example
is 40 * 6 = 240; When the user performs a write operation to send audio
data into the ALSA PCM playback stream, the calculated number of frames
is packsize[0] * packets = 264, which exceeds the allocated URB buffer
size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].
Added a check for the number of single data URB frames when calculating
the number of frames to prevent [1].
[1]
BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
Call Trace:
copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02c56650f3c118d3752122996d96173d26bb13aa , < 480a1490c595a242f27493a4544b3efb21b29f6a
(git)
Affected: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b , < ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41 (git) Affected: 99703c921864a318e3e8aae74fde071b1ff35bea , < 282aba56713bbc58155716b55ca7222b2d9cf3c8 (git) Affected: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf , < c4dc012b027c9eb101583011089dea14d744e314 (git) Affected: aba41867dd66939d336fdf604e4d73b805d8039f , < e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360 (git) Affected: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 , < d67dde02049e632ba58d3c44a164a74b6a737154 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ef5749ef8b307bf8717945701b1b79d036af0a15 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
"status": "affected",
"version": "02c56650f3c118d3752122996d96173d26bb13aa",
"versionType": "git"
},
{
"lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
"status": "affected",
"version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
"versionType": "git"
},
{
"lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
"status": "affected",
"version": "99703c921864a318e3e8aae74fde071b1ff35bea",
"versionType": "git"
},
{
"lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
"status": "affected",
"version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
"versionType": "git"
},
{
"lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
"status": "affected",
"version": "aba41867dd66939d336fdf604e4d73b805d8039f",
"versionType": "git"
},
{
"lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
"status": "affected",
"version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
"versionType": "git"
},
{
"lessThan": "62932d9ed639a9fa71b4ac1a56766a4b43abb7e4",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ef5749ef8b307bf8717945701b1b79d036af0a15",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.7.*",
"status": "unaffected",
"version": "5.7.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.230",
"versionStartIncluding": "4.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.230",
"versionStartIncluding": "4.9.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.188",
"versionStartIncluding": "4.14.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.132",
"versionStartIncluding": "4.19.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.51",
"versionStartIncluding": "5.4.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.8",
"versionStartIncluding": "5.7.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Prevent excessive number of frames\n\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\n\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\n copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\n prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\n prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:58.667Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
},
{
"url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
},
{
"url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
},
{
"url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
},
{
"url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
},
{
"url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
},
{
"url": "https://git.kernel.org/stable/c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4"
},
{
"url": "https://git.kernel.org/stable/c/ef5749ef8b307bf8717945701b1b79d036af0a15"
}
],
"title": "ALSA: usb-audio: Prevent excessive number of frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23208",
"datePublished": "2026-02-14T16:27:30.441Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-16T08:58:58.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23115 (GCVE-0-2026-23115)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
serial: Fix not set tty->port race condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: Fix not set tty->port race condition
Revert commit bfc467db60b7 ("serial: remove redundant
tty_port_link_device()") because the tty_port_link_device() is not
redundant: the tty->port has to be confured before we call
uart_configure_port(), otherwise user-space can open console without TTY
linked to the driver.
This tty_port_link_device() was added explicitly to avoid this exact
issue in commit fb2b90014d78 ("tty: link tty and port before configuring
it as console"), so offending commit basically reverted the fix saying
it is redundant without addressing the actual race condition presented
there.
Reproducible always as tty->port warning on Qualcomm SoC with most of
devices disabled, so with very fast boot, and one serial device being
the console:
printk: legacy console [ttyMSM0] enabled
printk: legacy console [ttyMSM0] enabled
printk: legacy bootconsole [qcom_geni0] disabled
printk: legacy bootconsole [qcom_geni0] disabled
------------[ cut here ]------------
tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!
WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1
Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6
CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT
Tainted: [S]=CPU_OUT_OF_SPEC
Hardware name: Qualcomm Technologies, Inc. Eliza (DT)
...
tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)
tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))
chrdev_open (fs/char_dev.c:411)
do_dentry_open (fs/open.c:962)
vfs_open (fs/open.c:1094)
do_open (fs/namei.c:4634)
path_openat (fs/namei.c:4793)
do_filp_open (fs/namei.c:4820)
do_sys_openat2 (fs/open.c:1391 (discriminator 3))
...
Starting Network Name Resolution...
Apparently the flow with this small Yocto-based ramdisk user-space is:
driver (qcom_geni_serial.c): user-space:
============================ ===========
qcom_geni_serial_probe()
uart_add_one_port()
serial_core_register_port()
serial_core_add_one_port()
uart_configure_port()
register_console()
|
| open console
| ...
| tty_init_dev()
| driver->ports[idx] is NULL
|
tty_port_register_device_attr_serdev()
tty_port_link_device() <- set driver->ports[idx]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2501c49306238b54a2de0f93de43d50ab6e76c84",
"status": "affected",
"version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c",
"versionType": "git"
},
{
"lessThan": "32f37e57583f869140cff445feedeea8a5fea986",
"status": "affected",
"version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/serial_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty-\u003eport race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty-\u003eport has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty-\u003eport warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n printk: legacy console [ttyMSM0] enabled\n printk: legacy console [ttyMSM0] enabled\n printk: legacy bootconsole [qcom_geni0] disabled\n printk: legacy bootconsole [qcom_geni0] disabled\n ------------[ cut here ]------------\n tty_init_dev: ttyMSM driver does not set tty-\u003eport. This would crash the kernel. Fix the driver!\n WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n ...\n tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n chrdev_open (fs/char_dev.c:411)\n do_dentry_open (fs/open.c:962)\n vfs_open (fs/open.c:1094)\n do_open (fs/namei.c:4634)\n path_openat (fs/namei.c:4793)\n do_filp_open (fs/namei.c:4820)\n do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n ...\n Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c): user-space:\n============================ ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n serial_core_register_port()\n serial_core_add_one_port()\n uart_configure_port()\n register_console()\n |\n | open console\n | ...\n | tty_init_dev()\n | driver-\u003eports[idx] is NULL\n |\n tty_port_register_device_attr_serdev()\n tty_port_link_device() \u003c- set driver-\u003eports[idx]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:47.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84"
},
{
"url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986"
}
],
"title": "serial: Fix not set tty-\u003eport race condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23115",
"datePublished": "2026-02-14T15:09:47.826Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:47.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23182 (GCVE-0-2026-23182)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
spi: tegra: Fix a memory leak in tegra_slink_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra: Fix a memory leak in tegra_slink_probe()
In tegra_slink_probe(), when platform_get_irq() fails, it directly
returns from the function with an error code, which causes a memory leak.
Replace it with a goto label to ensure proper cleanup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b64683f5d7282f7b160e9867e33cdac00b5c792b , < 6a04dc650cef8d52a1ccb4ae245dbe318ffff32e
(git)
Affected: 5c25f89c00b97844d0427f0f96818a15714bd609 , < 327b71326cc1834bc031e8f52a470a18dfd9caa6 (git) Affected: 46ee23101f32a1ced5335d5407d5ecffd160ccdf , < 126a09f4fcd2b895a818ca43fde078d907c1ac9a (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < 075415ae18b5b3e4d0187962d538653154216fe7 (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < b8eec12aa666c11f8a6ad1488c568f85c58875fa (git) Affected: eb9913b511f10968a02cfa5329a896855dd152a3 , < 41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc (git) Affected: 4eb8065494ca19caba3f45fc83941fd568a8c3cd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra20-slink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a04dc650cef8d52a1ccb4ae245dbe318ffff32e",
"status": "affected",
"version": "b64683f5d7282f7b160e9867e33cdac00b5c792b",
"versionType": "git"
},
{
"lessThan": "327b71326cc1834bc031e8f52a470a18dfd9caa6",
"status": "affected",
"version": "5c25f89c00b97844d0427f0f96818a15714bd609",
"versionType": "git"
},
{
"lessThan": "126a09f4fcd2b895a818ca43fde078d907c1ac9a",
"status": "affected",
"version": "46ee23101f32a1ced5335d5407d5ecffd160ccdf",
"versionType": "git"
},
{
"lessThan": "075415ae18b5b3e4d0187962d538653154216fe7",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"lessThan": "b8eec12aa666c11f8a6ad1488c568f85c58875fa",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"lessThan": "41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc",
"status": "affected",
"version": "eb9913b511f10968a02cfa5329a896855dd152a3",
"versionType": "git"
},
{
"status": "affected",
"version": "4eb8065494ca19caba3f45fc83941fd568a8c3cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra20-slink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra: Fix a memory leak in tegra_slink_probe()\n\nIn tegra_slink_probe(), when platform_get_irq() fails, it directly\nreturns from the function with an error code, which causes a memory leak.\n\nReplace it with a goto label to ensure proper cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:12.806Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a04dc650cef8d52a1ccb4ae245dbe318ffff32e"
},
{
"url": "https://git.kernel.org/stable/c/327b71326cc1834bc031e8f52a470a18dfd9caa6"
},
{
"url": "https://git.kernel.org/stable/c/126a09f4fcd2b895a818ca43fde078d907c1ac9a"
},
{
"url": "https://git.kernel.org/stable/c/075415ae18b5b3e4d0187962d538653154216fe7"
},
{
"url": "https://git.kernel.org/stable/c/b8eec12aa666c11f8a6ad1488c568f85c58875fa"
},
{
"url": "https://git.kernel.org/stable/c/41d9a6795b95d6ea28439ac1e9ce8c95bbca20fc"
}
],
"title": "spi: tegra: Fix a memory leak in tegra_slink_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23182",
"datePublished": "2026-02-14T16:27:12.806Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-14T16:27:12.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23166 (GCVE-0-2026-23166)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
during resume from suspend when rings[q_idx]->q_vector is NULL.
Tested adaptor:
60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
SR-IOV state: both disabled and enabled can reproduce this issue.
kernel version: v6.18
Reproduce steps:
Boot up and execute suspend like systemctl suspend or rtcwake.
Log:
<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
<1>[ 231.444052] #PF: supervisor read access in kernel mode
<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
<6>[ 231.444913] PGD 0 P4D 0
<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
<4>[ 231.451629] PKRU: 55555554
<4>[ 231.452076] Call Trace:
<4>[ 231.452549] <TASK>
<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.454425] pci_pm_resume+0x8c/0x140
<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.455347] dpm_run_callback+0x5f/0x160
<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
<4>[ 231.456244] device_resume+0x177/0x270
<4>[ 231.456708] dpm_resume+0x209/0x2f0
<4>[ 231.457151] dpm_resume_end+0x15/0x30
<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
<4>[ 231.458054] enter_state+0x10e/0x570
Add defensive checks for both the ring pointer and its q_vector
before dereferencing, allowing the system to resume successfully even when
q_vectors are unmapped.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a5dc090b92cfa5270e20056074241c6db5c9cdd , < d75c7b7c3c2b8e3569043099e6bdcefc983856c5
(git)
Affected: 2a5dc090b92cfa5270e20056074241c6db5c9cdd , < 36126ddbe924727add05a594dedf230d3b575e4d (git) Affected: 2a5dc090b92cfa5270e20056074241c6db5c9cdd , < 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 (git) Affected: 2285c2faef19ee08a6bd6754f4c3ec07dceb2889 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d75c7b7c3c2b8e3569043099e6bdcefc983856c5",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"lessThan": "36126ddbe924727add05a594dedf230d3b575e4d",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"lessThan": "9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85",
"status": "affected",
"version": "2a5dc090b92cfa5270e20056074241c6db5c9cdd",
"versionType": "git"
},
{
"status": "affected",
"version": "2285c2faef19ee08a6bd6754f4c3ec07dceb2889",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix NULL pointer dereference in ice_vsi_set_napi_queues\n\nAdd NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes\nduring resume from suspend when rings[q_idx]-\u003eq_vector is NULL.\n\nTested adaptor:\n60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)\n Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]\n\nSR-IOV state: both disabled and enabled can reproduce this issue.\n\nkernel version: v6.18\n\nReproduce steps:\nBoot up and execute suspend like systemctl suspend or rtcwake.\n\nLog:\n\u003c1\u003e[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040\n\u003c1\u003e[ 231.444052] #PF: supervisor read access in kernel mode\n\u003c1\u003e[ 231.444484] #PF: error_code(0x0000) - not-present page\n\u003c6\u003e[ 231.444913] PGD 0 P4D 0\n\u003c4\u003e[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003c4\u003e[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170\n\u003c4\u003e[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b \u003c48\u003e 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89\n\u003c4\u003e[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202\n\u003c4\u003e[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010\n\u003c4\u003e[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000\n\u003c4\u003e[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000\n\u003c4\u003e[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n\u003c4\u003e[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000\n\u003c4\u003e[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000\n\u003c4\u003e[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003c4\u003e[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0\n\u003c4\u003e[ 231.451629] PKRU: 55555554\n\u003c4\u003e[ 231.452076] Call Trace:\n\u003c4\u003e[ 231.452549] \u003cTASK\u003e\n\u003c4\u003e[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]\n\u003c4\u003e[ 231.453482] ice_resume+0xfd/0x220 [ice]\n\u003c4\u003e[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10\n\u003c4\u003e[ 231.454425] pci_pm_resume+0x8c/0x140\n\u003c4\u003e[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10\n\u003c4\u003e[ 231.455347] dpm_run_callback+0x5f/0x160\n\u003c4\u003e[ 231.455796] ? dpm_wait_for_superior+0x107/0x170\n\u003c4\u003e[ 231.456244] device_resume+0x177/0x270\n\u003c4\u003e[ 231.456708] dpm_resume+0x209/0x2f0\n\u003c4\u003e[ 231.457151] dpm_resume_end+0x15/0x30\n\u003c4\u003e[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0\n\u003c4\u003e[ 231.458054] enter_state+0x10e/0x570\n\nAdd defensive checks for both the ring pointer and its q_vector\nbefore dereferencing, allowing the system to resume successfully even when\nq_vectors are unmapped."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:30.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d75c7b7c3c2b8e3569043099e6bdcefc983856c5"
},
{
"url": "https://git.kernel.org/stable/c/36126ddbe924727add05a594dedf230d3b575e4d"
},
{
"url": "https://git.kernel.org/stable/c/9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85"
}
],
"title": "ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23166",
"datePublished": "2026-02-14T16:01:30.059Z",
"dateReserved": "2026-01-13T15:37:45.981Z",
"dateUpdated": "2026-02-14T16:01:30.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23160 (GCVE-0-2026-23160)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
octeon_ep: Fix memory leak in octep_device_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: Fix memory leak in octep_device_setup()
In octep_device_setup(), if octep_ctrl_net_init() fails, the function
returns directly without unmapping the mapped resources and freeing the
allocated configuration memory.
Fix this by jumping to the unsupported_dev label, which performs the
necessary cleanup. This aligns with the error handling logic of other
paths in this function.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
577f0d1b1c5f3282fa2011177b0af692a7c21aee , < 5058d3f8f17202e673f90af1446252322bd0850f
(git)
Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < fdfd28e13c244d7c3345e74f339fd1b67605b694 (git) Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < d753f3c3f9d7a6e6dbb4d3a97b73007d71624551 (git) Affected: 577f0d1b1c5f3282fa2011177b0af692a7c21aee , < 8016dc5ee19a77678c264f8ba368b1e873fa705b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5058d3f8f17202e673f90af1446252322bd0850f",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "fdfd28e13c244d7c3345e74f339fd1b67605b694",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "d753f3c3f9d7a6e6dbb4d3a97b73007d71624551",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
},
{
"lessThan": "8016dc5ee19a77678c264f8ba368b1e873fa705b",
"status": "affected",
"version": "577f0d1b1c5f3282fa2011177b0af692a7c21aee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeon_ep/octep_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix memory leak in octep_device_setup()\n\nIn octep_device_setup(), if octep_ctrl_net_init() fails, the function\nreturns directly without unmapping the mapped resources and freeing the\nallocated configuration memory.\n\nFix this by jumping to the unsupported_dev label, which performs the\nnecessary cleanup. This aligns with the error handling logic of other\npaths in this function.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:25.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5058d3f8f17202e673f90af1446252322bd0850f"
},
{
"url": "https://git.kernel.org/stable/c/fdfd28e13c244d7c3345e74f339fd1b67605b694"
},
{
"url": "https://git.kernel.org/stable/c/d753f3c3f9d7a6e6dbb4d3a97b73007d71624551"
},
{
"url": "https://git.kernel.org/stable/c/8016dc5ee19a77678c264f8ba368b1e873fa705b"
}
],
"title": "octeon_ep: Fix memory leak in octep_device_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23160",
"datePublished": "2026-02-14T16:01:25.900Z",
"dateReserved": "2026-01-13T15:37:45.979Z",
"dateUpdated": "2026-02-14T16:01:25.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23194 (GCVE-0-2026-23194)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
rust_binder: correctly handle FDA objects of length zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: correctly handle FDA objects of length zero
Fix a bug where an empty FDA (fd array) object with 0 fds would cause an
out-of-bounds error. The previous implementation used `skip == 0` to
mean "this is a pointer fixup", but 0 is also the correct skip length
for an empty FDA. If the FDA is at the end of the buffer, then this
results in an attempt to write 8-bytes out of bounds. This is caught and
results in an EINVAL error being returned to userspace.
The pattern of using `skip == 0` as a special value originates from the
C-implementation of Binder. As part of fixing this bug, this pattern is
replaced with a Rust enum.
I considered the alternate option of not pushing a fixup when the length
is zero, but I think it's cleaner to just get rid of the zero-is-special
stuff.
The root cause of this bug was diagnosed by Gemini CLI on first try. I
used the following prompt:
> There appears to be a bug in @drivers/android/binder/thread.rs where
> the Fixups oob bug is triggered with 316 304 316 324. This implies
> that we somehow ended up with a fixup where buffer A has a pointer to
> buffer B, but the pointer is located at an index in buffer A that is
> out of bounds. Please investigate the code to find the bug. You may
> compare with @drivers/android/binder.c that implements this correctly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/thread.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "598fe3ff32e43918ed8a062f55432b3d23e6340c",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
},
{
"lessThan": "8f589c9c3be539d6c2b393c82940c3783831082f",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/thread.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it\u0027s cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n\u003e There appears to be a bug in @drivers/android/binder/thread.rs where\n\u003e the Fixups oob bug is triggered with 316 304 316 324. This implies\n\u003e that we somehow ended up with a fixup where buffer A has a pointer to\n\u003e buffer B, but the pointer is located at an index in buffer A that is\n\u003e out of bounds. Please investigate the code to find the bug. You may\n\u003e compare with @drivers/android/binder.c that implements this correctly."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:20.944Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/598fe3ff32e43918ed8a062f55432b3d23e6340c"
},
{
"url": "https://git.kernel.org/stable/c/8f589c9c3be539d6c2b393c82940c3783831082f"
}
],
"title": "rust_binder: correctly handle FDA objects of length zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23194",
"datePublished": "2026-02-14T16:27:20.944Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:20.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23184 (GCVE-0-2026-23184)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
binder: fix UAF in binder_netlink_report()
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix UAF in binder_netlink_report()
Oneway transactions sent to frozen targets via binder_proc_transaction()
return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated
as successful since the target is expected to thaw at some point. It is
then not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors
as the transaction could have been consumed by the now thawed target.
This is the case for binder_netlink_report() which derreferences 't'
after a pending frozen error, as pointed out by the following KASAN
report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8
Read of size 8 at addr ffff00000f98ba38 by task binder-util/522
CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
binder_netlink_report.isra.0+0x694/0x6c8
binder_transaction+0x66e4/0x79b8
binder_thread_write+0xab4/0x4440
binder_ioctl+0x1fd4/0x2940
[...]
Allocated by task 522:
__kmalloc_cache_noprof+0x17c/0x50c
binder_transaction+0x584/0x79b8
binder_thread_write+0xab4/0x4440
binder_ioctl+0x1fd4/0x2940
[...]
Freed by task 488:
kfree+0x1d0/0x420
binder_free_transaction+0x150/0x234
binder_thread_read+0x2d08/0x3ce4
binder_ioctl+0x488/0x2940
[...]
==================================================================
Instead, make a transaction copy so the data can be safely accessed by
binder_netlink_report() after a pending frozen error. While here, add a
comment about not using t->buffer in binder_netlink_report().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6050dedb6f1cc23e518e3a132ab74a0aad6df90",
"status": "affected",
"version": "63740349eba78f242bcbf60d5244d7f2b2600853",
"versionType": "git"
},
{
"lessThan": "5e8a3d01544282e50d887d76f30d1496a0a53562",
"status": "affected",
"version": "63740349eba78f242bcbf60d5244d7f2b2600853",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF in binder_netlink_report()\n\nOneway transactions sent to frozen targets via binder_proc_transaction()\nreturn a BR_TRANSACTION_PENDING_FROZEN error but they are still treated\nas successful since the target is expected to thaw at some point. It is\nthen not safe to access \u0027t\u0027 after BR_TRANSACTION_PENDING_FROZEN errors\nas the transaction could have been consumed by the now thawed target.\n\nThis is the case for binder_netlink_report() which derreferences \u0027t\u0027\nafter a pending frozen error, as pointed out by the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8\n Read of size 8 at addr ffff00000f98ba38 by task binder-util/522\n\n CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n binder_netlink_report.isra.0+0x694/0x6c8\n binder_transaction+0x66e4/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Allocated by task 522:\n __kmalloc_cache_noprof+0x17c/0x50c\n binder_transaction+0x584/0x79b8\n binder_thread_write+0xab4/0x4440\n binder_ioctl+0x1fd4/0x2940\n [...]\n\n Freed by task 488:\n kfree+0x1d0/0x420\n binder_free_transaction+0x150/0x234\n binder_thread_read+0x2d08/0x3ce4\n binder_ioctl+0x488/0x2940\n [...]\n ==================================================================\n\nInstead, make a transaction copy so the data can be safely accessed by\nbinder_netlink_report() after a pending frozen error. While here, add a\ncomment about not using t-\u003ebuffer in binder_netlink_report()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:14.167Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6050dedb6f1cc23e518e3a132ab74a0aad6df90"
},
{
"url": "https://git.kernel.org/stable/c/5e8a3d01544282e50d887d76f30d1496a0a53562"
}
],
"title": "binder: fix UAF in binder_netlink_report()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23184",
"datePublished": "2026-02-14T16:27:14.167Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-14T16:27:14.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23132 (GCVE-0-2026-23132)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:14 – Updated: 2026-02-14 15:14
VLAI?
EPSS
Title
drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind
Fix several issues in dw_dp_bind() error handling:
1. Missing return after drm_bridge_attach() failure - the function
continued execution instead of returning an error.
2. Resource leak: drm_dp_aux_register() is not a devm function, so
drm_dp_aux_unregister() must be called on all error paths after
aux registration succeeds. This affects errors from:
- drm_bridge_attach()
- phy_init()
- devm_add_action_or_reset()
- platform_get_irq()
- devm_request_threaded_irq()
3. Bug fix: platform_get_irq() returns the IRQ number or a negative
error code, but the error path was returning ERR_PTR(ret) instead
of ERR_PTR(dp->irq).
Use a goto label for cleanup to ensure consistent error handling.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "569ed6a73e927a34cae4ae6de1464c0737a5ec44",
"status": "affected",
"version": "86eecc3a9c2e06462f6a273fcd24150b6da787de",
"versionType": "git"
},
{
"lessThan": "1a0f69e3c28477b97d3609569b7e8feb4b6162e8",
"status": "affected",
"version": "86eecc3a9c2e06462f6a273fcd24150b6da787de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind\n\nFix several issues in dw_dp_bind() error handling:\n\n1. Missing return after drm_bridge_attach() failure - the function\n continued execution instead of returning an error.\n\n2. Resource leak: drm_dp_aux_register() is not a devm function, so\n drm_dp_aux_unregister() must be called on all error paths after\n aux registration succeeds. This affects errors from:\n - drm_bridge_attach()\n - phy_init()\n - devm_add_action_or_reset()\n - platform_get_irq()\n - devm_request_threaded_irq()\n\n3. Bug fix: platform_get_irq() returns the IRQ number or a negative\n error code, but the error path was returning ERR_PTR(ret) instead\n of ERR_PTR(dp-\u003eirq).\n\nUse a goto label for cleanup to ensure consistent error handling."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:14:32.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/569ed6a73e927a34cae4ae6de1464c0737a5ec44"
},
{
"url": "https://git.kernel.org/stable/c/1a0f69e3c28477b97d3609569b7e8feb4b6162e8"
}
],
"title": "drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23132",
"datePublished": "2026-02-14T15:14:32.334Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:14:32.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23186 (GCVE-0-2026-23186)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()
The acpi_power_meter driver's .notify() callback function,
acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock
that is also acquired by callbacks in sysfs attributes of the device
being unregistered which is prone to deadlocks between sysfs access and
device removal.
Address this by moving the hwmon device removal in
acpi_power_meter_notify() outside the lock in question, but notice
that doing it alone is not sufficient because two concurrent
METER_NOTIFY_CONFIG notifications may be attempting to remove the
same device at the same time. To prevent that from happening, add a
new lock serializing the execution of the switch () statement in
acpi_power_meter_notify(). For simplicity, it is a static mutex
which should not be a problem from the performance perspective.
The new lock also allows the hwmon_device_register_with_info()
in acpi_power_meter_notify() to be called outside the inner lock
because it prevents the other notifications handled by that function
from manipulating the "resource" object while the hwmon device based
on it is being registered. The sending of ACPI netlink messages from
acpi_power_meter_notify() is serialized by the new lock too which
generally helps to ensure that the order of handling firmware
notifications is the same as the order of sending netlink messages
related to them.
In addition, notice that hwmon_device_register_with_info() may fail
in which case resource->hwmon_dev will become an error pointer,
so add checks to avoid attempting to unregister the hwmon device
pointer to by it in that case to acpi_power_meter_notify() and
acpi_power_meter_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/acpi_power_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8860ddf0e07be37169d4ef9f2618e39fca934a66",
"status": "affected",
"version": "16746ce8adfe04f9ff8df75c1133286ba93c0e17",
"versionType": "git"
},
{
"lessThan": "615901b57b7ef8eb655f71358f7e956e42bcd16b",
"status": "affected",
"version": "16746ce8adfe04f9ff8df75c1133286ba93c0e17",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/acpi_power_meter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()\n\nThe acpi_power_meter driver\u0027s .notify() callback function,\nacpi_power_meter_notify(), calls hwmon_device_unregister() under a lock\nthat is also acquired by callbacks in sysfs attributes of the device\nbeing unregistered which is prone to deadlocks between sysfs access and\ndevice removal.\n\nAddress this by moving the hwmon device removal in\nacpi_power_meter_notify() outside the lock in question, but notice\nthat doing it alone is not sufficient because two concurrent\nMETER_NOTIFY_CONFIG notifications may be attempting to remove the\nsame device at the same time. To prevent that from happening, add a\nnew lock serializing the execution of the switch () statement in\nacpi_power_meter_notify(). For simplicity, it is a static mutex\nwhich should not be a problem from the performance perspective.\n\nThe new lock also allows the hwmon_device_register_with_info()\nin acpi_power_meter_notify() to be called outside the inner lock\nbecause it prevents the other notifications handled by that function\nfrom manipulating the \"resource\" object while the hwmon device based\non it is being registered. The sending of ACPI netlink messages from\nacpi_power_meter_notify() is serialized by the new lock too which\ngenerally helps to ensure that the order of handling firmware\nnotifications is the same as the order of sending netlink messages\nrelated to them.\n\nIn addition, notice that hwmon_device_register_with_info() may fail\nin which case resource-\u003ehwmon_dev will become an error pointer,\nso add checks to avoid attempting to unregister the hwmon device\npointer to by it in that case to acpi_power_meter_notify() and\nacpi_power_meter_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:15.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8860ddf0e07be37169d4ef9f2618e39fca934a66"
},
{
"url": "https://git.kernel.org/stable/c/615901b57b7ef8eb655f71358f7e956e42bcd16b"
}
],
"title": "hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23186",
"datePublished": "2026-02-14T16:27:15.505Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:15.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23158 (GCVE-0-2026-23158)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
gpio: virtuser: fix UAF in configfs release path
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: virtuser: fix UAF in configfs release path
The gpio-virtuser configfs release path uses guard(mutex) to protect
the device structure. However, the device is freed before the guard
cleanup runs, causing mutex_unlock() to operate on freed memory.
Specifically, gpio_virtuser_device_config_group_release() destroys
the mutex and frees the device while still inside the guard(mutex)
scope. When the function returns, the guard cleanup invokes
mutex_unlock(&dev->lock), resulting in a slab use-after-free.
Limit the mutex lifetime by using a scoped_guard() only around the
activation check, so that the lock is released before mutex_destroy()
and kfree() are called.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
91581c4b3f29e2e22aeb1a62e842d529ca638b2d , < 815a8e3bf72811d402b30bd4a53cde5e9df7a563
(git)
Affected: 91581c4b3f29e2e22aeb1a62e842d529ca638b2d , < 7bec90f605cfb138006f5ba575f2310593347110 (git) Affected: 91581c4b3f29e2e22aeb1a62e842d529ca638b2d , < 53ad4a948a4586359b841d607c08fb16c5503230 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-virtuser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "815a8e3bf72811d402b30bd4a53cde5e9df7a563",
"status": "affected",
"version": "91581c4b3f29e2e22aeb1a62e842d529ca638b2d",
"versionType": "git"
},
{
"lessThan": "7bec90f605cfb138006f5ba575f2310593347110",
"status": "affected",
"version": "91581c4b3f29e2e22aeb1a62e842d529ca638b2d",
"versionType": "git"
},
{
"lessThan": "53ad4a948a4586359b841d607c08fb16c5503230",
"status": "affected",
"version": "91581c4b3f29e2e22aeb1a62e842d529ca638b2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpio-virtuser.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix UAF in configfs release path\n\nThe gpio-virtuser configfs release path uses guard(mutex) to protect\nthe device structure. However, the device is freed before the guard\ncleanup runs, causing mutex_unlock() to operate on freed memory.\n\nSpecifically, gpio_virtuser_device_config_group_release() destroys\nthe mutex and frees the device while still inside the guard(mutex)\nscope. When the function returns, the guard cleanup invokes\nmutex_unlock(\u0026dev-\u003elock), resulting in a slab use-after-free.\n\nLimit the mutex lifetime by using a scoped_guard() only around the\nactivation check, so that the lock is released before mutex_destroy()\nand kfree() are called."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:24.568Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/815a8e3bf72811d402b30bd4a53cde5e9df7a563"
},
{
"url": "https://git.kernel.org/stable/c/7bec90f605cfb138006f5ba575f2310593347110"
},
{
"url": "https://git.kernel.org/stable/c/53ad4a948a4586359b841d607c08fb16c5503230"
}
],
"title": "gpio: virtuser: fix UAF in configfs release path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23158",
"datePublished": "2026-02-14T16:01:24.568Z",
"dateReserved": "2026-01-13T15:37:45.978Z",
"dateUpdated": "2026-02-14T16:01:24.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23210 (GCVE-0-2026-23210)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
ice: Fix PTP NULL pointer dereference during VSI rebuild
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix PTP NULL pointer dereference during VSI rebuild
Fix race condition where PTP periodic work runs while VSI is being
rebuilt, accessing NULL vsi->rx_rings.
The sequence was:
1. ice_ptp_prepare_for_reset() cancels PTP work
2. ice_ptp_rebuild() immediately queues PTP work
3. VSI rebuild happens AFTER ice_ptp_rebuild()
4. PTP work runs and accesses NULL vsi->rx_rings
Fix: Keep PTP work cancelled during rebuild, only queue it after
VSI rebuild completes in ice_rebuild().
Added ice_ptp_queue_work() helper function to encapsulate the logic
for queuing PTP work, ensuring it's only queued when PTP is supported
and the state is ICE_PTP_READY.
Error log:
[ 121.392544] ice 0000:60:00.1: PTP reset successful
[ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 121.392712] #PF: supervisor read access in kernel mode
[ 121.392720] #PF: error_code(0x0000) - not-present page
[ 121.392727] PGD 0
[ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI
[ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary)
[ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC
[ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]
[ 121.393042] Call Trace:
[ 121.393047] <TASK>
[ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice]
[ 121.393202] kthread_worker_fn+0xa2/0x260
[ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]
[ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10
[ 121.393371] kthread+0x10d/0x230
[ 121.393382] ? __pfx_kthread+0x10/0x10
[ 121.393393] ret_from_fork+0x273/0x2b0
[ 121.393407] ? __pfx_kthread+0x10/0x10
[ 121.393417] ret_from_fork_asm+0x1a/0x30
[ 121.393432] </TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c",
"drivers/net/ethernet/intel/ice/ice_ptp.c",
"drivers/net/ethernet/intel/ice/ice_ptp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7565d4df66b6619b50dc36618d8b8f1787d77e19",
"status": "affected",
"version": "803bef817807d2d36c930dada20c96fffae0dd19",
"versionType": "git"
},
{
"lessThan": "fc6f36eaaedcf4b81af6fe1a568f018ffd530660",
"status": "affected",
"version": "803bef817807d2d36c930dada20c96fffae0dd19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_main.c",
"drivers/net/ethernet/intel/ice/ice_ptp.c",
"drivers/net/ethernet/intel/ice/ice_ptp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix PTP NULL pointer dereference during VSI rebuild\n\nFix race condition where PTP periodic work runs while VSI is being\nrebuilt, accessing NULL vsi-\u003erx_rings.\n\nThe sequence was:\n1. ice_ptp_prepare_for_reset() cancels PTP work\n2. ice_ptp_rebuild() immediately queues PTP work\n3. VSI rebuild happens AFTER ice_ptp_rebuild()\n4. PTP work runs and accesses NULL vsi-\u003erx_rings\n\nFix: Keep PTP work cancelled during rebuild, only queue it after\nVSI rebuild completes in ice_rebuild().\n\nAdded ice_ptp_queue_work() helper function to encapsulate the logic\nfor queuing PTP work, ensuring it\u0027s only queued when PTP is supported\nand the state is ICE_PTP_READY.\n\nError log:\n[ 121.392544] ice 0000:60:00.1: PTP reset successful\n[ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 121.392712] #PF: supervisor read access in kernel mode\n[ 121.392720] #PF: error_code(0x0000) - not-present page\n[ 121.392727] PGD 0\n[ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary)\n[ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC\n[ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]\n[ 121.393042] Call Trace:\n[ 121.393047] \u003cTASK\u003e\n[ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice]\n[ 121.393202] kthread_worker_fn+0xa2/0x260\n[ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]\n[ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10\n[ 121.393371] kthread+0x10d/0x230\n[ 121.393382] ? __pfx_kthread+0x10/0x10\n[ 121.393393] ret_from_fork+0x273/0x2b0\n[ 121.393407] ? __pfx_kthread+0x10/0x10\n[ 121.393417] ret_from_fork_asm+0x1a/0x30\n[ 121.393432] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:31.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7565d4df66b6619b50dc36618d8b8f1787d77e19"
},
{
"url": "https://git.kernel.org/stable/c/fc6f36eaaedcf4b81af6fe1a568f018ffd530660"
}
],
"title": "ice: Fix PTP NULL pointer dereference during VSI rebuild",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23210",
"datePublished": "2026-02-14T16:27:31.892Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:31.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23127 (GCVE-0-2026-23127)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
perf: Fix refcount warning on event->mmap_count increment
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix refcount warning on event->mmap_count increment
When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the
following warning is triggered:
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25
PoC:
struct perf_event_attr attr = {0};
int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,
PERF_FLAG_FD_OUTPUT);
mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);
This occurs when creating a group member event with the flag
PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing
the event triggers the warning.
Since the event has copied the output_event in perf_event_set_output(),
event->rb is set. As a result, perf_mmap_rb() calls
refcount_inc(&event->mmap_count) when event->mmap_count = 0.
Disallow the case when event->mmap_count = 0. This also prevents two
events from updating the same user_page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23c0e4bd93d0b250775162faf456470485ac9fc7",
"status": "affected",
"version": "448f97fba9013ffa13f5dd82febd18836b189499",
"versionType": "git"
},
{
"lessThan": "d06bf78e55d5159c1b00072e606ab924ffbbad35",
"status": "affected",
"version": "448f97fba9013ffa13f5dd82febd18836b189499",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix refcount warning on event-\u003emmap_count increment\n\nWhen calling refcount_inc(\u0026event-\u003emmap_count) inside perf_mmap_rb(), the\nfollowing warning is triggered:\n\n refcount_t: addition on 0; use-after-free.\n WARNING: lib/refcount.c:25\n\nPoC:\n\n struct perf_event_attr attr = {0};\n int fd = syscall(__NR_perf_event_open, \u0026attr, 0, -1, -1, 0);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n int victim = syscall(__NR_perf_event_open, \u0026attr, 0, -1, fd,\n PERF_FLAG_FD_OUTPUT);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nThis occurs when creating a group member event with the flag\nPERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing\nthe event triggers the warning.\n\nSince the event has copied the output_event in perf_event_set_output(),\nevent-\u003erb is set. As a result, perf_mmap_rb() calls\nrefcount_inc(\u0026event-\u003emmap_count) when event-\u003emmap_count = 0.\n\nDisallow the case when event-\u003emmap_count = 0. This also prevents two\nevents from updating the same user_page."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:56.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23c0e4bd93d0b250775162faf456470485ac9fc7"
},
{
"url": "https://git.kernel.org/stable/c/d06bf78e55d5159c1b00072e606ab924ffbbad35"
}
],
"title": "perf: Fix refcount warning on event-\u003emmap_count increment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23127",
"datePublished": "2026-02-14T15:09:56.237Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:56.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23161 (GCVE-0-2026-23161)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
mm/shmem, swap: fix race of truncate and swap entry split
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/shmem, swap: fix race of truncate and swap entry split
The helper for shmem swap freeing is not handling the order of swap
entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it
gets the entry order before that using xa_get_order without lock
protection, and it may get an outdated order value if the entry is split
or changed in other ways after the xa_get_order and before the
xa_cmpxchg_irq.
And besides, the order could grow and be larger than expected, and cause
truncation to erase data beyond the end border. For example, if the
target entry and following entries are swapped in or freed, then a large
folio was added in place and swapped out, using the same entry, the
xa_cmpxchg_irq will still succeed, it's very unlikely to happen though.
To fix that, open code the Xarray cmpxchg and put the order retrieval and
value checking in the same critical section. Also, ensure the order won't
exceed the end border, skip it if the entry goes across the border.
Skipping large swap entries crosses the end border is safe here. Shmem
truncate iterates the range twice, in the first iteration,
find_lock_entries already filtered such entries, and shmem will swapin the
entries that cross the end border and partially truncate the folio (split
the folio or at least zero part of it). So in the second loop here, if we
see a swap entry that crosses the end order, it must at least have its
content erased already.
I observed random swapoff hangs and kernel panics when stress testing
ZSWAP with shmem. After applying this patch, all problems are gone.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
809bc86517cc408b5b8cb8e08e69096639432bc8 , < a99f9a4669a04662c8f9efe0e62cafc598153139
(git)
Affected: 809bc86517cc408b5b8cb8e08e69096639432bc8 , < b23bee8cdb7aabce5701a7f57414db5a354ae8ed (git) Affected: 809bc86517cc408b5b8cb8e08e69096639432bc8 , < 8a1968bd997f45a9b11aefeabdd1232e1b6c7184 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a99f9a4669a04662c8f9efe0e62cafc598153139",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
},
{
"lessThan": "b23bee8cdb7aabce5701a7f57414db5a354ae8ed",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
},
{
"lessThan": "8a1968bd997f45a9b11aefeabdd1232e1b6c7184",
"status": "affected",
"version": "809bc86517cc408b5b8cb8e08e69096639432bc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem, swap: fix race of truncate and swap entry split\n\nThe helper for shmem swap freeing is not handling the order of swap\nentries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it\ngets the entry order before that using xa_get_order without lock\nprotection, and it may get an outdated order value if the entry is split\nor changed in other ways after the xa_get_order and before the\nxa_cmpxchg_irq.\n\nAnd besides, the order could grow and be larger than expected, and cause\ntruncation to erase data beyond the end border. For example, if the\ntarget entry and following entries are swapped in or freed, then a large\nfolio was added in place and swapped out, using the same entry, the\nxa_cmpxchg_irq will still succeed, it\u0027s very unlikely to happen though.\n\nTo fix that, open code the Xarray cmpxchg and put the order retrieval and\nvalue checking in the same critical section. Also, ensure the order won\u0027t\nexceed the end border, skip it if the entry goes across the border.\n\nSkipping large swap entries crosses the end border is safe here. Shmem\ntruncate iterates the range twice, in the first iteration,\nfind_lock_entries already filtered such entries, and shmem will swapin the\nentries that cross the end border and partially truncate the folio (split\nthe folio or at least zero part of it). So in the second loop here, if we\nsee a swap entry that crosses the end order, it must at least have its\ncontent erased already.\n\nI observed random swapoff hangs and kernel panics when stress testing\nZSWAP with shmem. After applying this patch, all problems are gone."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:26.569Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a99f9a4669a04662c8f9efe0e62cafc598153139"
},
{
"url": "https://git.kernel.org/stable/c/b23bee8cdb7aabce5701a7f57414db5a354ae8ed"
},
{
"url": "https://git.kernel.org/stable/c/8a1968bd997f45a9b11aefeabdd1232e1b6c7184"
}
],
"title": "mm/shmem, swap: fix race of truncate and swap entry split",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23161",
"datePublished": "2026-02-14T16:01:26.569Z",
"dateReserved": "2026-01-13T15:37:45.979Z",
"dateUpdated": "2026-02-14T16:01:26.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23172 (GCVE-0-2026-23172)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
net: wwan: t7xx: fix potential skb->frags overflow in RX path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: fix potential skb->frags overflow in RX path
When receiving data in the DPMAIF RX path,
the t7xx_dpmaif_set_frag_to_skb() function adds
page fragments to an skb without checking if the number of
fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.
This issue was identified through static code analysis by comparing with a
similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
fix array overflow on receiving too many fragments for a packet").
The vulnerability could be triggered if the modem firmware sends packets
with excessive fragments. While under normal protocol conditions (MTU 3080
bytes, BAT buffer 3584 bytes),
a single packet should not require additional
fragments, the kernel should not blindly trust firmware behavior.
Malicious, buggy, or compromised firmware could potentially craft packets
with more fragments than the kernel expects.
Fix this by adding a bounds check before calling skb_add_rx_frag() to
ensure nr_frags does not exceed MAX_SKB_FRAGS.
The check must be performed before unmapping to avoid a page leak
and double DMA unmap during device teardown.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d642b012df70a76dd5723f2d426b40bffe83ac49 , < f9747a7521a48afded5bff2faf1f2dcfff48c577
(git)
Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < 2a0522f564acd34442652ea083091c329fa7c5d5 (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276 (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < 2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba (git) Affected: d642b012df70a76dd5723f2d426b40bffe83ac49 , < f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9747a7521a48afded5bff2faf1f2dcfff48c577",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "2a0522f564acd34442652ea083091c329fa7c5d5",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
},
{
"lessThan": "f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6",
"status": "affected",
"version": "d642b012df70a76dd5723f2d426b40bffe83ac49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: fix potential skb-\u003efrags overflow in RX path\n\nWhen receiving data in the DPMAIF RX path,\nthe t7xx_dpmaif_set_frag_to_skb() function adds\npage fragments to an skb without checking if the number of\nfragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow\nin skb_shinfo(skb)-\u003efrags[] array, corrupting adjacent memory and\npotentially causing kernel crashes or other undefined behavior.\n\nThis issue was identified through static code analysis by comparing with a\nsimilar vulnerability fixed in the mt76 driver commit b102f0c522cf (\"mt76:\nfix array overflow on receiving too many fragments for a packet\").\n\nThe vulnerability could be triggered if the modem firmware sends packets\nwith excessive fragments. While under normal protocol conditions (MTU 3080\nbytes, BAT buffer 3584 bytes),\na single packet should not require additional\nfragments, the kernel should not blindly trust firmware behavior.\nMalicious, buggy, or compromised firmware could potentially craft packets\nwith more fragments than the kernel expects.\n\nFix this by adding a bounds check before calling skb_add_rx_frag() to\nensure nr_frags does not exceed MAX_SKB_FRAGS.\n\nThe check must be performed before unmapping to avoid a page leak\nand double DMA unmap during device teardown."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:34.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577"
},
{
"url": "https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5"
},
{
"url": "https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276"
},
{
"url": "https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba"
},
{
"url": "https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6"
}
],
"title": "net: wwan: t7xx: fix potential skb-\u003efrags overflow in RX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23172",
"datePublished": "2026-02-14T16:01:34.165Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:01:34.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23163 (GCVE-0-2026-23163)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and
ih2 interrupt ring buffers are not initialized. This is by design, as
these secondary IH rings are only available on discrete GPUs. See
vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when
AMD_IS_APU is set.
However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to
get the timestamp of the last interrupt entry. When retry faults are
enabled on APUs (noretry=0), this function is called from the SVM page
fault recovery path, resulting in a NULL pointer dereference when
amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].
The crash manifests as:
BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
amdgpu_ih_process+0x84/0x100 [amdgpu]
This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW
IP 9.3.0 from noretry=1") which changed the default for Renoir APU from
noretry=1 to noretry=0, enabling retry fault handling and thus
exercising the buggy code path.
Fix this by adding a check for ih1.ring_size before attempting to use
it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu:
Rework retry fault removal"). This is needed if the hardware doesn't
support secondary HW IH rings.
v2: additional updates (Alex)
(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd299441654fd8209056c7985ddf2373ebaba6ed , < c74e2dbb5316898fb2113a8ea3a93b27698dbf68
(git)
Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 7611d7faccc1218be477671f892a89b25c0cb352 (git) Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < ac251d17d8af58ddc3daba65eaf0a99e63dc4284 (git) Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 8b1ecc9377bc641533cd9e76dfa3aee3cd04a007 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c74e2dbb5316898fb2113a8ea3a93b27698dbf68",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "7611d7faccc1218be477671f892a89b25c0cb352",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "ac251d17d8af58ddc3daba65eaf0a99e63dc4284",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
},
{
"lessThan": "8b1ecc9377bc641533cd9e76dfa3aee3cd04a007",
"status": "affected",
"version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove\n\nOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and\nih2 interrupt ring buffers are not initialized. This is by design, as\nthese secondary IH rings are only available on discrete GPUs. See\nvega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when\nAMD_IS_APU is set.\n\nHowever, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to\nget the timestamp of the last interrupt entry. When retry faults are\nenabled on APUs (noretry=0), this function is called from the SVM page\nfault recovery path, resulting in a NULL pointer dereference when\namdgpu_ih_decode_iv_ts_helper() attempts to access ih-\u003ering[].\n\nThe crash manifests as:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000004\n RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]\n Call Trace:\n amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]\n svm_range_restore_pages+0xae5/0x11c0 [amdgpu]\n amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]\n gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]\n amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]\n amdgpu_ih_process+0x84/0x100 [amdgpu]\n\nThis issue was exposed by commit 1446226d32a4 (\"drm/amdgpu: Remove GC HW\nIP 9.3.0 from noretry=1\") which changed the default for Renoir APU from\nnoretry=1 to noretry=0, enabling retry fault handling and thus\nexercising the buggy code path.\n\nFix this by adding a check for ih1.ring_size before attempting to use\nit. Also restore the soft_ih support from commit dd299441654f (\"drm/amdgpu:\nRework retry fault removal\"). This is needed if the hardware doesn\u0027t\nsupport secondary HW IH rings.\n\nv2: additional updates (Alex)\n\n(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:27.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c74e2dbb5316898fb2113a8ea3a93b27698dbf68"
},
{
"url": "https://git.kernel.org/stable/c/7611d7faccc1218be477671f892a89b25c0cb352"
},
{
"url": "https://git.kernel.org/stable/c/ac251d17d8af58ddc3daba65eaf0a99e63dc4284"
},
{
"url": "https://git.kernel.org/stable/c/8b1ecc9377bc641533cd9e76dfa3aee3cd04a007"
}
],
"title": "drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23163",
"datePublished": "2026-02-14T16:01:27.912Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-02-14T16:01:27.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23183 (GCVE-0-2026-23183)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
cgroup/dmem: fix NULL pointer dereference when setting max
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup/dmem: fix NULL pointer dereference when setting max
An issue was triggered:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
RIP: 0010:strcmp+0x10/0x30
RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358
RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000
RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714
R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff
R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0
Call Trace:
<TASK>
dmemcg_limit_write.constprop.0+0x16d/0x390
? __pfx_set_resource_max+0x10/0x10
kernfs_fop_write_iter+0x14e/0x200
vfs_write+0x367/0x510
ksys_write+0x66/0xe0
do_syscall_64+0x6b/0x390
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f42697e1887
It was trriggered setting max without limitation, the command is like:
"echo test/region0 > dmem.max". To fix this issue, add check whether
options is valid after parsing the region_name.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/dmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c13816e8fa23deec6a8d7465d9e637fd02683b5c",
"status": "affected",
"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
"versionType": "git"
},
{
"lessThan": "43151f812886be1855d2cba059f9c93e4729460b",
"status": "affected",
"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/dmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: fix NULL pointer dereference when setting max\n\nAn issue was triggered:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\n Tainted: [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:strcmp+0x10/0x30\n RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\n RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\n RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\n R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\n R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n dmemcg_limit_write.constprop.0+0x16d/0x390\n ? __pfx_set_resource_max+0x10/0x10\n kernfs_fop_write_iter+0x14e/0x200\n vfs_write+0x367/0x510\n ksys_write+0x66/0xe0\n do_syscall_64+0x6b/0x390\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f42697e1887\n\nIt was trriggered setting max without limitation, the command is like:\n\"echo test/region0 \u003e dmem.max\". To fix this issue, add check whether\noptions is valid after parsing the region_name."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:13.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c13816e8fa23deec6a8d7465d9e637fd02683b5c"
},
{
"url": "https://git.kernel.org/stable/c/43151f812886be1855d2cba059f9c93e4729460b"
}
],
"title": "cgroup/dmem: fix NULL pointer dereference when setting max",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23183",
"datePublished": "2026-02-14T16:27:13.482Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-14T16:27:13.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23209 (GCVE-0-2026-23209)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
macvlan: fix error recovery in macvlan_common_newlink()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
aa5fd0fb77486b8a6764ead8627baa14790e4280 , < da5c6b8ae47e414be47e5e04def15b25d5c962dc
(git)
Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < c43d0e787cbba569ec9d11579ed370b50fab6c9c (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 11ba9f0dc865136174cb98834280fb21bbc950c7 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 986967a162142710076782d5b93daab93a892980 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < f8db6475a83649689c087a8f52486fcc53e627e9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "986967a162142710076782d5b93daab93a892980",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "f8db6475a83649689c087a8f52486fcc53e627e9",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:31.175Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc"
},
{
"url": "https://git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a"
},
{
"url": "https://git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c"
},
{
"url": "https://git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7"
},
{
"url": "https://git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980"
},
{
"url": "https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66"
},
{
"url": "https://git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9"
}
],
"title": "macvlan: fix error recovery in macvlan_common_newlink()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23209",
"datePublished": "2026-02-14T16:27:31.175Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:31.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23175 (GCVE-0-2026-23175)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
net: cpsw: Execute ndo_set_rx_mode callback in a work queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cpsw: Execute ndo_set_rx_mode callback in a work queue
Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for
IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for
IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this
change triggered the following call trace on my BeagleBone Black board:
WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/481
RTNL: assertion failed at net/8021q/vlan_core.c (236)
Modules linked in:
CPU: 0 UID: 997 PID: 481 Comm: rpcbind Not tainted 6.19.0-rc7-next-20260130-yocto-standard+ #35 PREEMPT
Hardware name: Generic AM33XX (Flattened Device Tree)
Call trace:
unwind_backtrace from show_stack+0x28/0x2c
show_stack from dump_stack_lvl+0x30/0x38
dump_stack_lvl from __warn+0xb8/0x11c
__warn from warn_slowpath_fmt+0x130/0x194
warn_slowpath_fmt from vlan_for_each+0x120/0x124
vlan_for_each from cpsw_add_mc_addr+0x54/0x98
cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec
__hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88
__dev_mc_add from igmp6_group_added+0x84/0xec
igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0
__ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4
__ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168
do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8
ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c
do_sock_setsockopt from __sys_setsockopt+0x84/0xac
__sys_setsockopt from ret_fast_syscall+0x0/0x54
This trace occurs because vlan_for_each() is called within
cpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.
Since modifying vlan_for_each() to operate without the RTNL lock is not
straightforward, and because ndo_set_rx_mode() is invoked both with and
without the RTNL lock across different code paths, simply adding
rtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.
To resolve this issue, we opt to execute the actual processing within
a work queue, following the approach used by the icssg-prueth driver.
Please note: To reproduce this issue, I manually reverted the changes to
am335x-bone-common.dtsi from commit c477358e66a3 ("ARM: dts: am335x-bone:
switch to new cpsw switch drv") in order to revert to the legacy cpsw
driver.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "488009aa62bb1217ea0624fd5108b79adef4e148",
"status": "affected",
"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69",
"versionType": "git"
},
{
"lessThan": "0b8c878d117319f2be34c8391a77e0f4d5c94d79",
"status": "affected",
"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/cpsw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don\u0027t hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/481\n RTNL: assertion failed at net/8021q/vlan_core.c (236)\n Modules linked in:\n CPU: 0 UID: 997 PID: 481 Comm: rpcbind Not tainted 6.19.0-rc7-next-20260130-yocto-standard+ #35 PREEMPT\n Hardware name: Generic AM33XX (Flattened Device Tree)\n Call trace:\n unwind_backtrace from show_stack+0x28/0x2c\n show_stack from dump_stack_lvl+0x30/0x38\n dump_stack_lvl from __warn+0xb8/0x11c\n __warn from warn_slowpath_fmt+0x130/0x194\n warn_slowpath_fmt from vlan_for_each+0x120/0x124\n vlan_for_each from cpsw_add_mc_addr+0x54/0x98\n cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n __dev_mc_add from igmp6_group_added+0x84/0xec\n igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n __sys_setsockopt from ret_fast_syscall+0x0/0x54\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver.\n\nPlease note: To reproduce this issue, I manually reverted the changes to\nam335x-bone-common.dtsi from commit c477358e66a3 (\"ARM: dts: am335x-bone:\nswitch to new cpsw switch drv\") in order to revert to the legacy cpsw\ndriver."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:08.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/488009aa62bb1217ea0624fd5108b79adef4e148"
},
{
"url": "https://git.kernel.org/stable/c/0b8c878d117319f2be34c8391a77e0f4d5c94d79"
}
],
"title": "net: cpsw: Execute ndo_set_rx_mode callback in a work queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23175",
"datePublished": "2026-02-14T16:27:08.104Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:27:08.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23113 (GCVE-0-2026-23113)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Currently this is checked before running the pending work. Normally this
is quite fine, as work items either end up blocking (which will create a
new worker for other items), or they complete fairly quickly. But syzbot
reports an issue where io-wq takes seemingly forever to exit, and with a
bit of debugging, this turns out to be because it queues a bunch of big
(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't
support ->read_iter(), loop_rw_iter() ends up handling them. Each read
returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of
these pending, processing the whole chain can take a long time. Easily
longer than the syzbot uninterruptible sleep timeout of 140 seconds.
This then triggers a complaint off the io-wq exit path:
INFO: task syz.4.135:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1328 [inline]
io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa02738f749
RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098
RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98
There's really nothing wrong here, outside of processing these reads
will take a LONG time. However, we can speed up the exit by checking the
IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will
exit the ring after queueing up all of these reads. Then once the first
item is processed, io-wq will simply cancel the rest. That should avoid
syzbot running into this complaint again.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 85eb83694a91c89d9abe615d717c0053c3efa714
(git)
Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 2e8ca1078b14142db2ce51cbd18ff9971560046b (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < bdf0bf73006ea8af9327cdb85cfdff4c23a5f966 (git) Affected: c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 , < 10dc959398175736e495f71c771f8641e1ca1907 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "85eb83694a91c89d9abe615d717c0053c3efa714",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "2e8ca1078b14142db2ce51cbd18ff9971560046b",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "bdf0bf73006ea8af9327cdb85cfdff4c23a5f966",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
},
{
"lessThan": "10dc959398175736e495f71c771f8641e1ca1907",
"status": "affected",
"version": "c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io-wq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop\n\nCurrently this is checked before running the pending work. Normally this\nis quite fine, as work items either end up blocking (which will create a\nnew worker for other items), or they complete fairly quickly. But syzbot\nreports an issue where io-wq takes seemingly forever to exit, and with a\nbit of debugging, this turns out to be because it queues a bunch of big\n(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn\u0027t\nsupport -\u003eread_iter(), loop_rw_iter() ends up handling them. Each read\nreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch of\nthese pending, processing the whole chain can take a long time. Easily\nlonger than the syzbot uninterruptible sleep timeout of 140 seconds.\nThis then triggers a complaint off the io-wq exit path:\n\nINFO: task syz.4.135:6326 blocked for more than 143 seconds.\n Not tainted syzkaller #0\n Blocked by coredump.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5256 [inline]\n __schedule+0x1139/0x6150 kernel/sched/core.c:6863\n __schedule_loop kernel/sched/core.c:6945 [inline]\n schedule+0xe7/0x3a0 kernel/sched/core.c:6960\n schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75\n do_wait_for_common kernel/sched/completion.c:100 [inline]\n __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121\n io_wq_exit_workers io_uring/io-wq.c:1328 [inline]\n io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356\n io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203\n io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651\n io_uring_files_cancel include/linux/io_uring.h:19 [inline]\n do_exit+0x2ce/0x2bd0 kernel/exit.c:911\n do_group_exit+0xd3/0x2a0 kernel/exit.c:1112\n get_signal+0x2671/0x26d0 kernel/signal.c:3034\n arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337\n __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]\n exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa02738f749\nRSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca\nRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749\nRDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098\nRBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98\n\nThere\u0027s really nothing wrong here, outside of processing these reads\nwill take a LONG time. However, we can speed up the exit by checking the\nIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will\nexit the ring after queueing up all of these reads. Then once the first\nitem is processed, io-wq will simply cancel the rest. That should avoid\nsyzbot running into this complaint again."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:48.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/85eb83694a91c89d9abe615d717c0053c3efa714"
},
{
"url": "https://git.kernel.org/stable/c/2e8ca1078b14142db2ce51cbd18ff9971560046b"
},
{
"url": "https://git.kernel.org/stable/c/bdf0bf73006ea8af9327cdb85cfdff4c23a5f966"
},
{
"url": "https://git.kernel.org/stable/c/10dc959398175736e495f71c771f8641e1ca1907"
}
],
"title": "io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23113",
"datePublished": "2026-02-14T15:09:46.379Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-02-16T08:58:48.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23162 (GCVE-0-2026-23162)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
drm/xe/nvm: Fix double-free on aux add failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/nvm: Fix double-free on aux add failure
After a successful auxiliary_device_init(), aux_dev->dev.release
(xe_nvm_release_dev()) is responsible for the kfree(nvm). When
there is failure with auxiliary_device_add(), driver will call
auxiliary_device_uninit(), which call put_device(). So that the
.release callback will be triggered to free the memory associated
with the auxiliary_device.
Move the kfree(nvm) into the auxiliary_device_init() failure path
and remove the err goto path to fix below error.
"
[ 13.232905] ==================================================================
[ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe]
[ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273
[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary)
...
[ 13.233125] Call Trace:
[ 13.233126] <TASK>
[ 13.233127] dump_stack_lvl+0x7f/0xc0
[ 13.233132] print_report+0xce/0x610
[ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0
[ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe]
...
"
v2: drop err goto path. (Alexander)
(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32887d8e4bc0696b3cb6c5915a42b39cfd3434f4",
"status": "affected",
"version": "7926ba2143d8fef40bb940232818c7363e33598c",
"versionType": "git"
},
{
"lessThan": "8a44241b0b83a6047c5448da1fff03fcc29496b5",
"status": "affected",
"version": "7926ba2143d8fef40bb940232818c7363e33598c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_nvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/nvm: Fix double-free on aux add failure\n\nAfter a successful auxiliary_device_init(), aux_dev-\u003edev.release\n(xe_nvm_release_dev()) is responsible for the kfree(nvm). When\nthere is failure with auxiliary_device_add(), driver will call\nauxiliary_device_uninit(), which call put_device(). So that the\n.release callback will be triggered to free the memory associated\nwith the auxiliary_device.\n\nMove the kfree(nvm) into the auxiliary_device_init() failure path\nand remove the err goto path to fix below error.\n\n\"\n[ 13.232905] ==================================================================\n[ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe]\n[ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273\n\n[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary)\n...\n[ 13.233125] Call Trace:\n[ 13.233126] \u003cTASK\u003e\n[ 13.233127] dump_stack_lvl+0x7f/0xc0\n[ 13.233132] print_report+0xce/0x610\n[ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0\n[ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe]\n...\n\"\n\nv2: drop err goto path. (Alexander)\n\n(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:27.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32887d8e4bc0696b3cb6c5915a42b39cfd3434f4"
},
{
"url": "https://git.kernel.org/stable/c/8a44241b0b83a6047c5448da1fff03fcc29496b5"
}
],
"title": "drm/xe/nvm: Fix double-free on aux add failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23162",
"datePublished": "2026-02-14T16:01:27.243Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-02-14T16:01:27.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23204 (GCVE-0-2026-23204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
net/sched: cls_u32: use skb_header_pointer_careful()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5
(git)
Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < e41a23e61259f5526af875c3b86b3d42a9bae0e5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 8a672f177ebe19c93d795fbe967846084fbc7943 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cabd1a976375780dabab888784e356f574bbaed8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:27.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
],
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23204",
"datePublished": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:27.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23180 (GCVE-0-2026-23180)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
dpaa2-switch: add bounds check for if_id in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: add bounds check for if_id in IRQ handler
The IRQ handler extracts if_id from the upper 16 bits of the hardware
status register and uses it to index into ethsw->ports[] without
validation. Since if_id can be any 16-bit value (0-65535) but the ports
array is only allocated with sw_attr.num_ifs elements, this can lead to
an out-of-bounds read potentially.
Add a bounds check before accessing the array, consistent with the
existing validation in dpaa2_switch_rx().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 77611cab5bdfff7a070ae574bbfba20a1de99d1b
(git)
Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 34b56c16efd61325d80bf1d780d0e176be662f59 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < f89e33c9c37f0001b730e23b3b05ab7b1ecface2 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 2447edc367800ba914acf7ddd5d250416b45fb31 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 1b381a638e1851d8cfdfe08ed9cdbec5295b18c9 (git) Affected: 24ab724f8a4661b2dc8e696b41df93bdc108f7a1 , < 31a7a0bbeb006bac2d9c81a2874825025214b6d8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77611cab5bdfff7a070ae574bbfba20a1de99d1b",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "34b56c16efd61325d80bf1d780d0e176be662f59",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "f89e33c9c37f0001b730e23b3b05ab7b1ecface2",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "2447edc367800ba914acf7ddd5d250416b45fb31",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "1b381a638e1851d8cfdfe08ed9cdbec5295b18c9",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
},
{
"lessThan": "31a7a0bbeb006bac2d9c81a2874825025214b6d8",
"status": "affected",
"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: add bounds check for if_id in IRQ handler\n\nThe IRQ handler extracts if_id from the upper 16 bits of the hardware\nstatus register and uses it to index into ethsw-\u003eports[] without\nvalidation. Since if_id can be any 16-bit value (0-65535) but the ports\narray is only allocated with sw_attr.num_ifs elements, this can lead to\nan out-of-bounds read potentially.\n\nAdd a bounds check before accessing the array, consistent with the\nexisting validation in dpaa2_switch_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:11.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b"
},
{
"url": "https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59"
},
{
"url": "https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2"
},
{
"url": "https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31"
},
{
"url": "https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9"
},
{
"url": "https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8"
}
],
"title": "dpaa2-switch: add bounds check for if_id in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23180",
"datePublished": "2026-02-14T16:27:11.463Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-14T16:27:11.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71223 (GCVE-0-2025-71223)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
smb/server: fix refcount leak in smb2_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: fix refcount leak in smb2_open()
When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file
must be released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8df4bcdb0a4232192b2445256c39b787d58ef14d , < 2456fde2b137703328f1695f60c68fe488d17e36
(git)
Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 39ca11ff158c98fb092176f06047628c54bcf7a1 (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < 4665e52bde3b1f8f442895ce7d88fa62a43e48c4 (git) Affected: c8efcc786146a951091588e5fa7e3c754850cb3c , < f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2456fde2b137703328f1695f60c68fe488d17e36",
"status": "affected",
"version": "8df4bcdb0a4232192b2445256c39b787d58ef14d",
"versionType": "git"
},
{
"lessThan": "39ca11ff158c98fb092176f06047628c54bcf7a1",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "4665e52bde3b1f8f442895ce7d88fa62a43e48c4",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
},
{
"lessThan": "f416c556997aa56ec4384c6b6efd6a0e6ac70aa7",
"status": "affected",
"version": "c8efcc786146a951091588e5fa7e3c754850cb3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix refcount leak in smb2_open()\n\nWhen ksmbd_vfs_getattr() fails, the reference count of ksmbd_file\nmust be released."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:45.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2456fde2b137703328f1695f60c68fe488d17e36"
},
{
"url": "https://git.kernel.org/stable/c/39ca11ff158c98fb092176f06047628c54bcf7a1"
},
{
"url": "https://git.kernel.org/stable/c/4665e52bde3b1f8f442895ce7d88fa62a43e48c4"
},
{
"url": "https://git.kernel.org/stable/c/f416c556997aa56ec4384c6b6efd6a0e6ac70aa7"
}
],
"title": "smb/server: fix refcount leak in smb2_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71223",
"datePublished": "2026-02-14T16:27:06.060Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-02-16T08:58:45.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71222 (GCVE-0-2025-71222)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
wifi: wlcore: ensure skb headroom before skb_push
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: ensure skb headroom before skb_push
This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is
less than needed (typically 110 - 94 = 16 bytes).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5fc0f86b02afef1119b523623b4cde41475bc8c , < 88295a55fefe5414e64293638b6f7549646e58ed
(git)
Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < cd89a4656c03f8db0c57350aaec69cd3cfaa3522 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 745a0810dbc96a0471e5f5e627ba1e978c3116d4 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < b167312390fdd461c81ead516f2b0b44e83a9edb (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 71de0b6e04bbee5575caf9a1e4d424e7dcc50018 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < 689a7980e4788e13e766763d53569fb78dea2513 (git) Affected: f5fc0f86b02afef1119b523623b4cde41475bc8c , < e75665dd096819b1184087ba5718bd93beafff51 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88295a55fefe5414e64293638b6f7549646e58ed",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "cd89a4656c03f8db0c57350aaec69cd3cfaa3522",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "745a0810dbc96a0471e5f5e627ba1e978c3116d4",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "b167312390fdd461c81ead516f2b0b44e83a9edb",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "71de0b6e04bbee5575caf9a1e4d424e7dcc50018",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "689a7980e4788e13e766763d53569fb78dea2513",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
},
{
"lessThan": "e75665dd096819b1184087ba5718bd93beafff51",
"status": "affected",
"version": "f5fc0f86b02afef1119b523623b4cde41475bc8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ti/wlcore/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: ensure skb headroom before skb_push\n\nThis avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is\nless than needed (typically 110 - 94 = 16 bytes)."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:44.728Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88295a55fefe5414e64293638b6f7549646e58ed"
},
{
"url": "https://git.kernel.org/stable/c/cd89a4656c03f8db0c57350aaec69cd3cfaa3522"
},
{
"url": "https://git.kernel.org/stable/c/745a0810dbc96a0471e5f5e627ba1e978c3116d4"
},
{
"url": "https://git.kernel.org/stable/c/b167312390fdd461c81ead516f2b0b44e83a9edb"
},
{
"url": "https://git.kernel.org/stable/c/71de0b6e04bbee5575caf9a1e4d424e7dcc50018"
},
{
"url": "https://git.kernel.org/stable/c/689a7980e4788e13e766763d53569fb78dea2513"
},
{
"url": "https://git.kernel.org/stable/c/e75665dd096819b1184087ba5718bd93beafff51"
}
],
"title": "wifi: wlcore: ensure skb headroom before skb_push",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71222",
"datePublished": "2026-02-14T16:27:05.363Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-02-16T08:58:44.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23145 (GCVE-0-2026-23145)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-14 15:36
VLAI?
EPSS
Title
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
The error branch for ext4_xattr_inode_update_ref forget to release the
refcount for iloc.bh. Find this when review code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 , < 7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f
(git)
Affected: 505e69f76ac497e788f4ea0267826ec7266b40c8 , < 6241cd1d0acc2363016ac55b8773ba1332dd59d7 (git) Affected: 3d6269028246f4484bfed403c947a114bb583631 , < 3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626 (git) Affected: 79ea7f3e11effe1bd9e753172981d9029133a278 , < 0b06cde92f2f960f4ebe3c988c69f2711f2a24dc (git) Affected: 6b879c4c6bbaab03c0ad2a983953bd1410bb165e , < 8e8542c539927ae3898a4d02941f84e252e2dea1 (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < 06e26287f2e349a28ad363941ffd9076bfed8b2e (git) Affected: 57295e835408d8d425bef58da5253465db3d6888 , < d250bdf531d9cd4096fedbb9f172bb2ca660c868 (git) Affected: ea39e712c2f5ae148ee5515798ae03523673e002 (git) Affected: 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f",
"status": "affected",
"version": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"versionType": "git"
},
{
"lessThan": "6241cd1d0acc2363016ac55b8773ba1332dd59d7",
"status": "affected",
"version": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"versionType": "git"
},
{
"lessThan": "3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626",
"status": "affected",
"version": "3d6269028246f4484bfed403c947a114bb583631",
"versionType": "git"
},
{
"lessThan": "0b06cde92f2f960f4ebe3c988c69f2711f2a24dc",
"status": "affected",
"version": "79ea7f3e11effe1bd9e753172981d9029133a278",
"versionType": "git"
},
{
"lessThan": "8e8542c539927ae3898a4d02941f84e252e2dea1",
"status": "affected",
"version": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"versionType": "git"
},
{
"lessThan": "06e26287f2e349a28ad363941ffd9076bfed8b2e",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"lessThan": "d250bdf531d9cd4096fedbb9f172bb2ca660c868",
"status": "affected",
"version": "57295e835408d8d425bef58da5253465db3d6888",
"versionType": "git"
},
{
"status": "affected",
"version": "ea39e712c2f5ae148ee5515798ae03523673e002",
"versionType": "git"
},
{
"status": "affected",
"version": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_xattr_inode_update_ref\n\nThe error branch for ext4_xattr_inode_update_ref forget to release the\nrefcount for iloc.bh. Find this when review code."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:10.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c9f059c3d531a12d7ad96cd34a44b8af7c00d5f"
},
{
"url": "https://git.kernel.org/stable/c/6241cd1d0acc2363016ac55b8773ba1332dd59d7"
},
{
"url": "https://git.kernel.org/stable/c/3b00c16e42428a1ecd3a5eb9cc37f8ad9bd47626"
},
{
"url": "https://git.kernel.org/stable/c/0b06cde92f2f960f4ebe3c988c69f2711f2a24dc"
},
{
"url": "https://git.kernel.org/stable/c/8e8542c539927ae3898a4d02941f84e252e2dea1"
},
{
"url": "https://git.kernel.org/stable/c/06e26287f2e349a28ad363941ffd9076bfed8b2e"
},
{
"url": "https://git.kernel.org/stable/c/d250bdf531d9cd4096fedbb9f172bb2ca660c868"
}
],
"title": "ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23145",
"datePublished": "2026-02-14T15:36:10.207Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-02-14T15:36:10.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23140 (GCVE-0-2026-23140)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).
If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.
The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b6f1f780b3932ae497ed85e79bc8a1e513883624 , < e7440935063949d6f2c10f7328d960d0ff4bce90
(git)
Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 7c81ad5e580bd8441f8a521a8d34824ce6582ae5 (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 6447e697cfa8a43a8e491cb81bcc390d0f28f8ba (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < 31e37f44b60679d90b9f999c91371b15291be8e0 (git) Affected: b6f1f780b3932ae497ed85e79bc8a1e513883624 , < e558cca217790286e799a8baacd1610bda31b261 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7440935063949d6f2c10f7328d960d0ff4bce90",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "7c81ad5e580bd8441f8a521a8d34824ce6582ae5",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "6447e697cfa8a43a8e491cb81bcc390d0f28f8ba",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "31e37f44b60679d90b9f999c91371b15291be8e0",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
},
{
"lessThan": "e558cca217790286e799a8baacd1610bda31b261",
"status": "affected",
"version": "b6f1f780b3932ae497ed85e79bc8a1e513883624",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Subtract size of xdp_frame from allowed metadata size\n\nThe xdp_frame structure takes up part of the XDP frame headroom,\nlimiting the size of the metadata. However, in bpf_test_run, we don\u0027t\ntake this into account, which makes it possible for userspace to supply\na metadata size that is too large (taking up the entire headroom).\n\nIf userspace supplies such a large metadata size in live packet mode,\nthe xdp_update_frame_from_buff() call in xdp_test_run_init_page() call\nwill fail, after which packet transmission proceeds with an\nuninitialised frame structure, leading to the usual Bad Stuff.\n\nThe commit in the Fixes tag fixed a related bug where the second check\nin xdp_update_frame_from_buff() could fail, but did not add any\nadditional constraints on the metadata size. Complete the fix by adding\nan additional check on the metadata size. Reorder the checks slightly to\nmake the logic clearer and add a comment."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:24.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7440935063949d6f2c10f7328d960d0ff4bce90"
},
{
"url": "https://git.kernel.org/stable/c/7c81ad5e580bd8441f8a521a8d34824ce6582ae5"
},
{
"url": "https://git.kernel.org/stable/c/6447e697cfa8a43a8e491cb81bcc390d0f28f8ba"
},
{
"url": "https://git.kernel.org/stable/c/31e37f44b60679d90b9f999c91371b15291be8e0"
},
{
"url": "https://git.kernel.org/stable/c/e558cca217790286e799a8baacd1610bda31b261"
}
],
"title": "bpf, test_run: Subtract size of xdp_frame from allowed metadata size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23140",
"datePublished": "2026-02-14T15:22:24.727Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-02-14T15:22:24.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23164 (GCVE-0-2026-23164)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
rocker: fix memory leak in rocker_world_port_post_fini()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rocker: fix memory leak in rocker_world_port_post_fini()
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
rocker_world_port_post_fini(), the memory is only freed when
wops->port_post_fini callback is set:
if (!wops->port_post_fini)
return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
Since rocker_ofdpa_ops does not implement port_post_fini callback
(it is NULL), the wpriv memory allocated for each port is never freed
when ports are removed. This leads to a memory leak of
sizeof(struct ofdpa_port) bytes per port on every device removal.
Fix this by always calling kfree(rocker_port->wpriv) regardless of
whether the port_post_fini callback exists.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e420114eef4a3a5025a243b89b0dc343101e3d3c , < 2a3a64d75d2d0727da285749476761ebcad557a3
(git)
Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < b11e6f926480ab0939fec44781f28558c54be4e7 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < 8ce2e85889939c02740b4245301aa5c35fc94887 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < d448bf96889f1905e740c554780f5c9fa0440566 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < d8723917efda3b4f4c3de78d1ec1e1af015c0be1 (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < dce375f4afc348c310d171abcde7ec1499a4c26a (git) Affected: e420114eef4a3a5025a243b89b0dc343101e3d3c , < 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a3a64d75d2d0727da285749476761ebcad557a3",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "b11e6f926480ab0939fec44781f28558c54be4e7",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8ce2e85889939c02740b4245301aa5c35fc94887",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d448bf96889f1905e740c554780f5c9fa0440566",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "d8723917efda3b4f4c3de78d1ec1e1af015c0be1",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "dce375f4afc348c310d171abcde7ec1499a4c26a",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
},
{
"lessThan": "8d7ba71e46216b8657a82ca2ec118bc93812a4d0",
"status": "affected",
"version": "e420114eef4a3a5025a243b89b0dc343101e3d3c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/rocker/rocker_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrocker: fix memory leak in rocker_world_port_post_fini()\n\nIn rocker_world_port_pre_init(), rocker_port-\u003ewpriv is allocated with\nkzalloc(wops-\u003eport_priv_size, GFP_KERNEL). However, in\nrocker_world_port_post_fini(), the memory is only freed when\nwops-\u003eport_post_fini callback is set:\n\n if (!wops-\u003eport_post_fini)\n return;\n wops-\u003eport_post_fini(rocker_port);\n kfree(rocker_port-\u003ewpriv);\n\nSince rocker_ofdpa_ops does not implement port_post_fini callback\n(it is NULL), the wpriv memory allocated for each port is never freed\nwhen ports are removed. This leads to a memory leak of\nsizeof(struct ofdpa_port) bytes per port on every device removal.\n\nFix this by always calling kfree(rocker_port-\u003ewpriv) regardless of\nwhether the port_post_fini callback exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:28.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a3a64d75d2d0727da285749476761ebcad557a3"
},
{
"url": "https://git.kernel.org/stable/c/b11e6f926480ab0939fec44781f28558c54be4e7"
},
{
"url": "https://git.kernel.org/stable/c/8ce2e85889939c02740b4245301aa5c35fc94887"
},
{
"url": "https://git.kernel.org/stable/c/d448bf96889f1905e740c554780f5c9fa0440566"
},
{
"url": "https://git.kernel.org/stable/c/d8723917efda3b4f4c3de78d1ec1e1af015c0be1"
},
{
"url": "https://git.kernel.org/stable/c/dce375f4afc348c310d171abcde7ec1499a4c26a"
},
{
"url": "https://git.kernel.org/stable/c/8d7ba71e46216b8657a82ca2ec118bc93812a4d0"
}
],
"title": "rocker: fix memory leak in rocker_world_port_post_fini()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23164",
"datePublished": "2026-02-14T16:01:28.624Z",
"dateReserved": "2026-01-13T15:37:45.980Z",
"dateUpdated": "2026-02-14T16:01:28.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23117 (GCVE-0-2026-23117)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
ice: add missing ice_deinit_hw() in devlink reinit path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: add missing ice_deinit_hw() in devlink reinit path
devlink-reload results in ice_init_hw failed error, and then removing
the ice driver causes a NULL pointer dereference.
[ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16
...
[ +0.000001] Call Trace:
[ +0.000003] <TASK>
[ +0.000006] ice_unload+0x8f/0x100 [ice]
[ +0.000081] ice_remove+0xba/0x300 [ice]
Commit 1390b8b3d2be ("ice: remove duplicate call to ice_deinit_hw() on
error paths") removed ice_deinit_hw() from ice_deinit_dev(). As a result
ice_devlink_reinit_down() no longer calls ice_deinit_hw(), but
ice_devlink_reinit_up() still calls ice_init_hw(). Since the control
queues are not uninitialized, ice_init_hw() fails with -EBUSY.
Add ice_deinit_hw() to ice_devlink_reinit_down() to correspond with
ice_init_hw() in ice_devlink_reinit_up().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/devlink/devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3d99e2fbf01446d31a0d0dfc46444e915a1f6d4",
"status": "affected",
"version": "c91eee346089e4d287d5a111719e57cac605275e",
"versionType": "git"
},
{
"lessThan": "42fb5f3deb582cb96440e4683745017dbabb83d6",
"status": "affected",
"version": "1390b8b3d2bef9bfbb852fc735430798bfca36e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/devlink/devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.8",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: add missing ice_deinit_hw() in devlink reinit path\n\ndevlink-reload results in ice_init_hw failed error, and then removing\nthe ice driver causes a NULL pointer dereference.\n\n[ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16\n...\n[ +0.000001] Call Trace:\n[ +0.000003] \u003cTASK\u003e\n[ +0.000006] ice_unload+0x8f/0x100 [ice]\n[ +0.000081] ice_remove+0xba/0x300 [ice]\n\nCommit 1390b8b3d2be (\"ice: remove duplicate call to ice_deinit_hw() on\nerror paths\") removed ice_deinit_hw() from ice_deinit_dev(). As a result\nice_devlink_reinit_down() no longer calls ice_deinit_hw(), but\nice_devlink_reinit_up() still calls ice_init_hw(). Since the control\nqueues are not uninitialized, ice_init_hw() fails with -EBUSY.\n\nAdd ice_deinit_hw() to ice_devlink_reinit_down() to correspond with\nice_init_hw() in ice_devlink_reinit_up()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:49.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3d99e2fbf01446d31a0d0dfc46444e915a1f6d4"
},
{
"url": "https://git.kernel.org/stable/c/42fb5f3deb582cb96440e4683745017dbabb83d6"
}
],
"title": "ice: add missing ice_deinit_hw() in devlink reinit path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23117",
"datePublished": "2026-02-14T15:09:49.188Z",
"dateReserved": "2026-01-13T15:37:45.969Z",
"dateUpdated": "2026-02-14T15:09:49.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23121 (GCVE-0-2026-23121)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
mISDN: annotate data-race around dev->work
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: annotate data-race around dev->work
dev->work can re read locklessly in mISDN_read()
and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]
mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xce/0x140 fs/ioctl.c:583
__x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:
mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112
do_loop_readv_writev fs/read_write.c:847 [inline]
vfs_readv+0x3fb/0x690 fs/read_write.c:1020
do_readv+0xe7/0x210 fs/read_write.c:1080
__do_sys_readv fs/read_write.c:1165 [inline]
__se_sys_readv fs/read_write.c:1162 [inline]
__x64_sys_readv+0x45/0x50 fs/read_write.c:1162
x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x00000000 -> 0x00000001
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b2b03f8e514e4f68e293846ba511a948b80243c , < d5d99cb9e0839093cd53aa3b28176fce2f820ca0
(git)
Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 13f3b3b87068898056db4c79ee67052fbde11d43 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < accc3f8266d2a49881dbcf78c459477f4efa0ff3 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < aa6e33cd74ca4965f2bbcb025e0b672fb0168a69 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 7ac345a93af31358e18e9606eb7b354691bf6757 (git) Affected: 1b2b03f8e514e4f68e293846ba511a948b80243c , < 8175dbf174d487afab81e936a862a8d9b8a1ccb6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5d99cb9e0839093cd53aa3b28176fce2f820ca0",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "13f3b3b87068898056db4c79ee67052fbde11d43",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "accc3f8266d2a49881dbcf78c459477f4efa0ff3",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "aa6e33cd74ca4965f2bbcb025e0b672fb0168a69",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "7ac345a93af31358e18e9606eb7b354691bf6757",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
},
{
"lessThan": "8175dbf174d487afab81e936a862a8d9b8a1ccb6",
"status": "affected",
"version": "1b2b03f8e514e4f68e293846ba511a948b80243c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/mISDN/timerdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: annotate data-race around dev-\u003ework\n\ndev-\u003ework can re read locklessly in mISDN_read()\nand mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.\n\nBUG: KCSAN: data-race in mISDN_ioctl / mISDN_read\n\nwrite to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:\n misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]\n mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583\n __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583\n x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:\n mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112\n do_loop_readv_writev fs/read_write.c:847 [inline]\n vfs_readv+0x3fb/0x690 fs/read_write.c:1020\n do_readv+0xe7/0x210 fs/read_write.c:1080\n __do_sys_readv fs/read_write.c:1165 [inline]\n __se_sys_readv fs/read_write.c:1162 [inline]\n __x64_sys_readv+0x45/0x50 fs/read_write.c:1162\n x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000 -\u003e 0x00000001"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:51.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5d99cb9e0839093cd53aa3b28176fce2f820ca0"
},
{
"url": "https://git.kernel.org/stable/c/13f3b3b87068898056db4c79ee67052fbde11d43"
},
{
"url": "https://git.kernel.org/stable/c/accc3f8266d2a49881dbcf78c459477f4efa0ff3"
},
{
"url": "https://git.kernel.org/stable/c/fc8ba17fd3337bd8b1913c30b95df0fee00d8fb7"
},
{
"url": "https://git.kernel.org/stable/c/aa6e33cd74ca4965f2bbcb025e0b672fb0168a69"
},
{
"url": "https://git.kernel.org/stable/c/7ac345a93af31358e18e9606eb7b354691bf6757"
},
{
"url": "https://git.kernel.org/stable/c/8175dbf174d487afab81e936a862a8d9b8a1ccb6"
}
],
"title": "mISDN: annotate data-race around dev-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23121",
"datePublished": "2026-02-14T15:09:51.912Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:51.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23129 (GCVE-0-2026-23129)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
dpll: Prevent duplicate registrations
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpll: Prevent duplicate registrations
Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()
to reject duplicate registration attempts.
Previously, if a caller attempted to register the same pin multiple
times (with the same ops, priv, and cookie) on the same device, the core
silently increments the reference count and return success. This behavior
is incorrect because if the caller makes these duplicate registrations
then for the first one dpll_pin_registration is allocated and for others
the associated dpll_pin_ref.refcount is incremented. During the first
unregistration the associated dpll_pin_registration is freed and for
others WARN is fired.
Fix this by updating the logic to return `-EEXIST` if a matching
registration is found to enforce a strict "register once" policy.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9431063ad323ac864750aeba4d304389bc42ca4e , < dfec0501dba8f4711ef142a6a890e4812b7af88c
(git)
Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < 236a657422a564859dcd0db7bdb486abb21a721a (git) Affected: 9431063ad323ac864750aeba4d304389bc42ca4e , < f3ddbaaaaf4d0633b40482f471753f9c71294a4a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfec0501dba8f4711ef142a6a890e4812b7af88c",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "236a657422a564859dcd0db7bdb486abb21a721a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
},
{
"lessThan": "f3ddbaaaaf4d0633b40482f471753f9c71294a4a",
"status": "affected",
"version": "9431063ad323ac864750aeba4d304389bc42ca4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dpll/dpll_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: Prevent duplicate registrations\n\nModify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()\nto reject duplicate registration attempts.\n\nPreviously, if a caller attempted to register the same pin multiple\ntimes (with the same ops, priv, and cookie) on the same device, the core\nsilently increments the reference count and return success. This behavior\nis incorrect because if the caller makes these duplicate registrations\nthen for the first one dpll_pin_registration is allocated and for others\nthe associated dpll_pin_ref.refcount is incremented. During the first\nunregistration the associated dpll_pin_registration is freed and for\nothers WARN is fired.\n\nFix this by updating the logic to return `-EEXIST` if a matching\nregistration is found to enforce a strict \"register once\" policy."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:57.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfec0501dba8f4711ef142a6a890e4812b7af88c"
},
{
"url": "https://git.kernel.org/stable/c/236a657422a564859dcd0db7bdb486abb21a721a"
},
{
"url": "https://git.kernel.org/stable/c/f3ddbaaaaf4d0633b40482f471753f9c71294a4a"
}
],
"title": "dpll: Prevent duplicate registrations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23129",
"datePublished": "2026-02-14T15:09:57.574Z",
"dateReserved": "2026-01-13T15:37:45.971Z",
"dateUpdated": "2026-02-14T15:09:57.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23144 (GCVE-0-2026-23144)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-14 15:36
VLAI?
EPSS
Title
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c951cd3b89010c7a4751b9d4ea074007e44851e6 , < db7dfe78fc81bdd2b532d77f340fe453f2360426
(git)
Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 43964644348f6b1add3055c4a6cae8f77d892a6e (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 5651c0c391c0029541794f9c4c9597faecfd401f (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 78b4eb99751ebd37ceade78810bf94de80f7fb3a (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 9814cc832b88bd040fc2a1817c2b5469d0f7e862 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db7dfe78fc81bdd2b532d77f340fe453f2360426",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "43964644348f6b1add3055c4a6cae8f77d892a6e",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "5651c0c391c0029541794f9c4c9597faecfd401f",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "78b4eb99751ebd37ceade78810bf94de80f7fb3a",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "9814cc832b88bd040fc2a1817c2b5469d0f7e862",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: cleanup attrs subdirs on context dir setup failure\n\nWhen a context DAMON sysfs directory setup is failed after setup of attrs/\ndirectory, subdirectories of attrs/ directory are not cleaned up. As a\nresult, DAMON sysfs interface is nearly broken until the system reboots,\nand the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:09.518Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db7dfe78fc81bdd2b532d77f340fe453f2360426"
},
{
"url": "https://git.kernel.org/stable/c/43964644348f6b1add3055c4a6cae8f77d892a6e"
},
{
"url": "https://git.kernel.org/stable/c/5651c0c391c0029541794f9c4c9597faecfd401f"
},
{
"url": "https://git.kernel.org/stable/c/78b4eb99751ebd37ceade78810bf94de80f7fb3a"
},
{
"url": "https://git.kernel.org/stable/c/9814cc832b88bd040fc2a1817c2b5469d0f7e862"
}
],
"title": "mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23144",
"datePublished": "2026-02-14T15:36:09.518Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-02-14T15:36:09.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71203 (GCVE-0-2025-71203)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
riscv: Sanitize syscall table indexing under speculation
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: Sanitize syscall table indexing under speculation
The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f0bddf50586da81360627a772be0e355b62f071e , < c45848936ebdb4fcab92f8c39510db83c16d0239
(git)
Affected: f0bddf50586da81360627a772be0e355b62f071e , < 8b44e753795107a22ba31495686e83f4aca48f36 (git) Affected: f0bddf50586da81360627a772be0e355b62f071e , < 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/traps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c45848936ebdb4fcab92f8c39510db83c16d0239",
"status": "affected",
"version": "f0bddf50586da81360627a772be0e355b62f071e",
"versionType": "git"
},
{
"lessThan": "8b44e753795107a22ba31495686e83f4aca48f36",
"status": "affected",
"version": "f0bddf50586da81360627a772be0e355b62f071e",
"versionType": "git"
},
{
"lessThan": "25fd7ee7bf58ac3ec7be3c9f82ceff153451946c",
"status": "affected",
"version": "f0bddf50586da81360627a772be0e355b62f071e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/traps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sanitize syscall table indexing under speculation\n\nThe syscall number is a user-controlled value used to index into the\nsyscall table. Use array_index_nospec() to clamp this value after the\nbounds check to prevent speculative out-of-bounds access and subsequent\ndata leakage via cache side channels."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:40.050Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c45848936ebdb4fcab92f8c39510db83c16d0239"
},
{
"url": "https://git.kernel.org/stable/c/8b44e753795107a22ba31495686e83f4aca48f36"
},
{
"url": "https://git.kernel.org/stable/c/25fd7ee7bf58ac3ec7be3c9f82ceff153451946c"
}
],
"title": "riscv: Sanitize syscall table indexing under speculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71203",
"datePublished": "2026-02-14T16:27:02.513Z",
"dateReserved": "2026-01-31T11:36:51.194Z",
"dateUpdated": "2026-02-16T08:58:40.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23146 (GCVE-0-2026-23146)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a40f94f7caa8d3421b64f63ac31bc0f24c890f39 , < b0a900939e7e4866d9b90e9112514b72c451e873
(git)
Affected: 9e5a0f5777162e503400c70c6ed25fbbe2d38799 , < ccc683f597ceb28deb966427ae948e5ac739a909 (git) Affected: 80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 , < 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779 (git) Affected: 02e1bcdfdf769974e7e9fa285e295cd9852e2a38 , < 186d147cf7689ba1f9b3ddb753ab634a84940cc9 (git) Affected: 281782d2c6730241e300d630bb9f200d831ede71 , < 53e54cb31e667fca05b1808b990eac0807d1dab0 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 03e8c90c62233382042b7bd0fa8b8900552fdb62 (git) Affected: 5df5dafc171b90d0b8d51547a82657cd5a1986c7 , < 0c3cd7a0b862c37acbee6d9502107146cc944398 (git) Affected: 1dcf08fcff5ca529de6dc0395091f28854f4e54a (git) Affected: 8e5aff600539e5faea294d9612cca50220e602b8 (git) Affected: db7509fa110dd9b11134b75894677f30353b2c51 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0a900939e7e4866d9b90e9112514b72c451e873",
"status": "affected",
"version": "a40f94f7caa8d3421b64f63ac31bc0f24c890f39",
"versionType": "git"
},
{
"lessThan": "ccc683f597ceb28deb966427ae948e5ac739a909",
"status": "affected",
"version": "9e5a0f5777162e503400c70c6ed25fbbe2d38799",
"versionType": "git"
},
{
"lessThan": "937a573423ce5a96fdb1fd425dc6b8d8d4ab5779",
"status": "affected",
"version": "80f14e9de6a43a0bd8194cad1003a3e6dcbc3984",
"versionType": "git"
},
{
"lessThan": "186d147cf7689ba1f9b3ddb753ab634a84940cc9",
"status": "affected",
"version": "02e1bcdfdf769974e7e9fa285e295cd9852e2a38",
"versionType": "git"
},
{
"lessThan": "53e54cb31e667fca05b1808b990eac0807d1dab0",
"status": "affected",
"version": "281782d2c6730241e300d630bb9f200d831ede71",
"versionType": "git"
},
{
"lessThan": "03e8c90c62233382042b7bd0fa8b8900552fdb62",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"lessThan": "0c3cd7a0b862c37acbee6d9502107146cc944398",
"status": "affected",
"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7",
"versionType": "git"
},
{
"status": "affected",
"version": "1dcf08fcff5ca529de6dc0395091f28854f4e54a",
"versionType": "git"
},
{
"status": "affected",
"version": "8e5aff600539e5faea294d9612cca50220e602b8",
"versionType": "git"
},
{
"status": "affected",
"version": "db7509fa110dd9b11134b75894677f30353b2c51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_ldisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto-\u003eopen() to initialize\nhu-\u003epriv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu-\u003epriv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto-\u003edequeue() accesses hu-\u003epriv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(\u0026hu-\u003ewrite_work)\n proto-\u003eopen(hu)\n // initializes hu-\u003epriv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto-\u003edequeue(hu)\n // accesses hu-\u003epriv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto-\u003eopen()\nsucceeds, ensuring hu-\u003epriv is initialized before any work can be\nscheduled."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:16.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"
},
{
"url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"
},
{
"url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"
},
{
"url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"
},
{
"url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"
},
{
"url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"
},
{
"url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"
}
],
"title": "Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23146",
"datePublished": "2026-02-14T16:01:16.169Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-02-14T16:01:16.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23179 (GCVE-0-2026-23179)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
When the socket is closed while in TCP_LISTEN a callback is run to
flush all outstanding packets, which in turns calls
nvmet_tcp_listen_data_ready() with the sk_callback_lock held.
So we need to check if we are in TCP_LISTEN before attempting
to get the sk_callback_lock() to avoid a deadlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
675b453e024154dd547921c6e6d5b58747ba7e0e , < 6e0c7503a5803d568d56a9f9bca662cd94a14908
(git)
Affected: 675b453e024154dd547921c6e6d5b58747ba7e0e , < 1c90f930e7b410dd2d75a2a19a85e19c64e98ad5 (git) Affected: 675b453e024154dd547921c6e6d5b58747ba7e0e , < 2fa8961d3a6a1c2395d8d560ffed2c782681bade (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e0c7503a5803d568d56a9f9bca662cd94a14908",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
},
{
"lessThan": "1c90f930e7b410dd2d75a2a19a85e19c64e98ad5",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
},
{
"lessThan": "2fa8961d3a6a1c2395d8d560ffed2c782681bade",
"status": "affected",
"version": "675b453e024154dd547921c6e6d5b58747ba7e0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()\n\nWhen the socket is closed while in TCP_LISTEN a callback is run to\nflush all outstanding packets, which in turns calls\nnvmet_tcp_listen_data_ready() with the sk_callback_lock held.\nSo we need to check if we are in TCP_LISTEN before attempting\nto get the sk_callback_lock() to avoid a deadlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:52.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e0c7503a5803d568d56a9f9bca662cd94a14908"
},
{
"url": "https://git.kernel.org/stable/c/1c90f930e7b410dd2d75a2a19a85e19c64e98ad5"
},
{
"url": "https://git.kernel.org/stable/c/2fa8961d3a6a1c2395d8d560ffed2c782681bade"
}
],
"title": "nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23179",
"datePublished": "2026-02-14T16:27:10.778Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-16T08:58:52.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23181 (GCVE-0-2026-23181)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
btrfs: sync read disk super and set block size
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: sync read disk super and set block size
When the user performs a btrfs mount, the block device is not set
correctly. The user sets the block size of the block device to 0x4000
by executing the BLKBSZSET command.
Since the block size change also changes the mapping->flags value, this
further affects the result of the mapping_min_folio_order() calculation.
Let's analyze the following two scenarios:
Scenario 1: Without executing the BLKBSZSET command, the block size is
0x1000, and mapping_min_folio_order() returns 0;
Scenario 2: After executing the BLKBSZSET command, the block size is
0x4000, and mapping_min_folio_order() returns 2.
do_read_cache_folio() allocates a folio before the BLKBSZSET command
is executed. This results in the allocated folio having an order value
of 0. Later, after BLKBSZSET is executed, the block size increases to
0x4000, and the mapping_min_folio_order() calculation result becomes 2.
This leads to two undesirable consequences:
1. filemap_add_folio() triggers a VM_BUG_ON_FOLIO(folio_order(folio) <
mapping_min_folio_order(mapping)) assertion.
2. The syzbot report [1] shows a null pointer dereference in
create_empty_buffers() due to a buffer head allocation failure.
Synchronization should be established based on the inode between the
BLKBSZSET command and read cache page to prevent inconsistencies in
block size or mapping flags before and after folio allocation.
[1]
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:create_empty_buffers+0x4d/0x480 fs/buffer.c:1694
Call Trace:
folio_create_buffers+0x109/0x150 fs/buffer.c:1802
block_read_full_folio+0x14c/0x850 fs/buffer.c:2403
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
do_read_cache_page mm/filemap.c:4162 [inline]
read_cache_page_gfp+0x29/0x120 mm/filemap.c:4195
btrfs_read_disk_super+0x192/0x500 fs/btrfs/volumes.c:1367
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ccb3c75d57039adb3170ae54a0d470e359705984",
"status": "affected",
"version": "3c20917120ce61f2a123ca0810293872f4c6b5a4",
"versionType": "git"
},
{
"lessThan": "3f29d661e5686f3aa14e6f11537ff5c49846f2e2",
"status": "affected",
"version": "3c20917120ce61f2a123ca0810293872f4c6b5a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: sync read disk super and set block size\n\nWhen the user performs a btrfs mount, the block device is not set\ncorrectly. The user sets the block size of the block device to 0x4000\nby executing the BLKBSZSET command.\nSince the block size change also changes the mapping-\u003eflags value, this\nfurther affects the result of the mapping_min_folio_order() calculation.\n\nLet\u0027s analyze the following two scenarios:\n\nScenario 1: Without executing the BLKBSZSET command, the block size is\n0x1000, and mapping_min_folio_order() returns 0;\n\nScenario 2: After executing the BLKBSZSET command, the block size is\n0x4000, and mapping_min_folio_order() returns 2.\n\ndo_read_cache_folio() allocates a folio before the BLKBSZSET command\nis executed. This results in the allocated folio having an order value\nof 0. Later, after BLKBSZSET is executed, the block size increases to\n0x4000, and the mapping_min_folio_order() calculation result becomes 2.\n\nThis leads to two undesirable consequences:\n\n1. filemap_add_folio() triggers a VM_BUG_ON_FOLIO(folio_order(folio) \u003c\nmapping_min_folio_order(mapping)) assertion.\n\n2. The syzbot report [1] shows a null pointer dereference in\ncreate_empty_buffers() due to a buffer head allocation failure.\n\nSynchronization should be established based on the inode between the\nBLKBSZSET command and read cache page to prevent inconsistencies in\nblock size or mapping flags before and after folio allocation.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:create_empty_buffers+0x4d/0x480 fs/buffer.c:1694\nCall Trace:\n folio_create_buffers+0x109/0x150 fs/buffer.c:1802\n block_read_full_folio+0x14c/0x850 fs/buffer.c:2403\n filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496\n do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096\n do_read_cache_page mm/filemap.c:4162 [inline]\n read_cache_page_gfp+0x29/0x120 mm/filemap.c:4195\n btrfs_read_disk_super+0x192/0x500 fs/btrfs/volumes.c:1367"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:53.981Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ccb3c75d57039adb3170ae54a0d470e359705984"
},
{
"url": "https://git.kernel.org/stable/c/3f29d661e5686f3aa14e6f11537ff5c49846f2e2"
}
],
"title": "btrfs: sync read disk super and set block size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23181",
"datePublished": "2026-02-14T16:27:12.137Z",
"dateReserved": "2026-01-13T15:37:45.984Z",
"dateUpdated": "2026-02-16T08:58:53.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71224 (GCVE-0-2025-71224)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only
present after JOIN_OCB.
RX may run before JOIN_OCB is executed, in which case the OCB interface
is not operational. Skip RX peer handling when the interface is not
joined to avoid warnings in the RX path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
239281f803e2efdb77d906ef296086b6917e5d71 , < fcc768760df08337525cde28e8460e36f9855af8
(git)
Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < 8fd1c63e016893b7f6c1cf799410da4eaa98c090 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < 536447521b3b9be1975c7f1db9054bdf2ab779cb (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < e0bd226804f8e0098711042c93d64f3b720b36c0 (git) Affected: 239281f803e2efdb77d906ef296086b6917e5d71 , < ff4071c60018a668249dc6a2df7d16330543540e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fcc768760df08337525cde28e8460e36f9855af8",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "8fd1c63e016893b7f6c1cf799410da4eaa98c090",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "536447521b3b9be1975c7f1db9054bdf2ab779cb",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "e0bd226804f8e0098711042c93d64f3b720b36c0",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
},
{
"lessThan": "ff4071c60018a668249dc6a2df7d16330543540e",
"status": "affected",
"version": "239281f803e2efdb77d906ef296086b6917e5d71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: ocb: skip rx_no_sta when interface is not joined\n\nieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only\npresent after JOIN_OCB.\n\nRX may run before JOIN_OCB is executed, in which case the OCB interface\nis not operational. Skip RX peer handling when the interface is not\njoined to avoid warnings in the RX path."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:47.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fcc768760df08337525cde28e8460e36f9855af8"
},
{
"url": "https://git.kernel.org/stable/c/b04c75366a5471ae2dd7f4c33b7f1e2c08b9b32d"
},
{
"url": "https://git.kernel.org/stable/c/8fd1c63e016893b7f6c1cf799410da4eaa98c090"
},
{
"url": "https://git.kernel.org/stable/c/ffe1e19c3b0e5b9eb9e04fad4bce7d1dc407fd77"
},
{
"url": "https://git.kernel.org/stable/c/536447521b3b9be1975c7f1db9054bdf2ab779cb"
},
{
"url": "https://git.kernel.org/stable/c/e0bd226804f8e0098711042c93d64f3b720b36c0"
},
{
"url": "https://git.kernel.org/stable/c/ff4071c60018a668249dc6a2df7d16330543540e"
}
],
"title": "wifi: mac80211: ocb: skip rx_no_sta when interface is not joined",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71224",
"datePublished": "2026-02-14T16:27:06.752Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-02-16T08:58:47.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23111 (GCVE-0-2026-23111)
Vulnerability from cvelistv5 – Published: 2026-02-13 13:29 – Updated: 2026-02-13 13:29
VLAI?
EPSS
Title
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 , < 8c760ba4e36c750379d13569f23f5a6e185333f5
(git)
Affected: d60be2da67d172aecf866302c91ea11533eca4d9 , < b9b6573421de51829f7ec1cce76d85f5f6fbbd7f (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 42c574c1504aa089a0a142e4c13859327570473d (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 1444ff890b4653add12f734ffeffc173d42862dd (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 8b68a45f9722f2babe9e7bad00aa74638addf081 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < f41c5d151078c5348271ffaf8e7410d96f2d82f8 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c760ba4e36c750379d13569f23f5a6e185333f5",
"status": "affected",
"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
"versionType": "git"
},
{
"lessThan": "b9b6573421de51829f7ec1cce76d85f5f6fbbd7f",
"status": "affected",
"version": "d60be2da67d172aecf866302c91ea11533eca4d9",
"versionType": "git"
},
{
"lessThan": "42c574c1504aa089a0a142e4c13859327570473d",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "1444ff890b4653add12f734ffeffc173d42862dd",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "8b68a45f9722f2babe9e7bad00aa74638addf081",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "f41c5d151078c5348271ffaf8e7410d96f2d82f8",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"status": "affected",
"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
"versionType": "git"
},
{
"status": "affected",
"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
"versionType": "git"
},
{
"status": "affected",
"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
"versionType": "git"
},
{
"status": "affected",
"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T13:29:55.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
},
{
"url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
},
{
"url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
},
{
"url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
},
{
"url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
},
{
"url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
}
],
"title": "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23111",
"datePublished": "2026-02-13T13:29:55.895Z",
"dateReserved": "2026-01-13T15:37:45.968Z",
"dateUpdated": "2026-02-13T13:29:55.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23176 (GCVE-0-2026-23176)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
toshiba_haps_add() leaks the haps object allocated by it if it returns
an error after allocating that object successfully.
toshiba_haps_remove() does not free the object pointed to by
toshiba_haps before clearing that pointer, so it becomes unreachable
allocated memory.
Address these memory leaks by using devm_kzalloc() for allocating
the memory in question.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
23d0ba0c908ac10139f0351023c64198d7fc1409 , < 17f37c4cdf42a9e4915216b9e130fc8baef4cc64
(git)
Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < 5bce10f0f9435afaae3fc4df9a52b01d9b3853dc (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < f2093e87ddec13e7a920f326c078a5f765ba89c3 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < ca9ff71c15bc8e48529c2033294a519a7749b272 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < bf0474356875d005d420f8c6b9ac168566e72e87 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < f93ae43780b759a70734be9bc82c1adcf7f33208 (git) Affected: 23d0ba0c908ac10139f0351023c64198d7fc1409 , < 128497456756e1b952bd5a912cd073836465109d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/toshiba_haps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17f37c4cdf42a9e4915216b9e130fc8baef4cc64",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "5bce10f0f9435afaae3fc4df9a52b01d9b3853dc",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "f2093e87ddec13e7a920f326c078a5f765ba89c3",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "ca9ff71c15bc8e48529c2033294a519a7749b272",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "bf0474356875d005d420f8c6b9ac168566e72e87",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "f93ae43780b759a70734be9bc82c1adcf7f33208",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
},
{
"lessThan": "128497456756e1b952bd5a912cd073836465109d",
"status": "affected",
"version": "23d0ba0c908ac10139f0351023c64198d7fc1409",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/toshiba_haps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: toshiba_haps: Fix memory leaks in add/remove routines\n\ntoshiba_haps_add() leaks the haps object allocated by it if it returns\nan error after allocating that object successfully.\n\ntoshiba_haps_remove() does not free the object pointed to by\ntoshiba_haps before clearing that pointer, so it becomes unreachable\nallocated memory.\n\nAddress these memory leaks by using devm_kzalloc() for allocating\nthe memory in question."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:08.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17f37c4cdf42a9e4915216b9e130fc8baef4cc64"
},
{
"url": "https://git.kernel.org/stable/c/5bce10f0f9435afaae3fc4df9a52b01d9b3853dc"
},
{
"url": "https://git.kernel.org/stable/c/f2093e87ddec13e7a920f326c078a5f765ba89c3"
},
{
"url": "https://git.kernel.org/stable/c/ca9ff71c15bc8e48529c2033294a519a7749b272"
},
{
"url": "https://git.kernel.org/stable/c/bf0474356875d005d420f8c6b9ac168566e72e87"
},
{
"url": "https://git.kernel.org/stable/c/f93ae43780b759a70734be9bc82c1adcf7f33208"
},
{
"url": "https://git.kernel.org/stable/c/128497456756e1b952bd5a912cd073836465109d"
}
],
"title": "platform/x86: toshiba_haps: Fix memory leaks in add/remove routines",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23176",
"datePublished": "2026-02-14T16:27:08.764Z",
"dateReserved": "2026-01-13T15:37:45.983Z",
"dateUpdated": "2026-02-14T16:27:08.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23126 (GCVE-0-2026-23126)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
netdevsim: fix a race issue related to the operation on bpf_bound_progs list
Summary
In the Linux kernel, the following vulnerability has been resolved:
netdevsim: fix a race issue related to the operation on bpf_bound_progs list
The netdevsim driver lacks a protection mechanism for operations on the
bpf_bound_progs list. When the nsim_bpf_create_prog() performs
list_add_tail, it is possible that nsim_bpf_destroy_prog() is
simultaneously performs list_del. Concurrent operations on the list may
lead to list corruption and trigger a kernel crash as follows:
[ 417.290971] kernel BUG at lib/list_debug.c:62!
[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 417.291007] Workqueue: events bpf_prog_free_deferred
[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0
[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8
[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246
[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000
[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180
[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003
[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20
[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000
[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000
[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0
[ 417.291088] PKRU: 55555554
[ 417.291091] Call Trace:
[ 417.291096] <TASK>
[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]
[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80
[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0
[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0
[ 417.291178] process_one_work+0x18a/0x3a0
[ 417.291188] worker_thread+0x27b/0x3a0
[ 417.291197] ? __pfx_worker_thread+0x10/0x10
[ 417.291207] kthread+0xe5/0x120
[ 417.291214] ? __pfx_kthread+0x10/0x10
[ 417.291221] ret_from_fork+0x31/0x50
[ 417.291230] ? __pfx_kthread+0x10/0x10
[ 417.291236] ret_from_fork_asm+0x1a/0x30
[ 417.291246] </TASK>
Add a mutex lock, to prevent simultaneous addition and deletion operations
on the list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
31d3ad832948c75139b0e5b653912f7898a1d5d5 , < 3f560cfc7706029294132482fff5d1bc7884b70d
(git)
Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < f1f9cfd2f46a73b7de2982d01be822eac3a0efaa (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < d77379ca82efcb2fe563359cc795027d680410db (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < 68462ecc40ea8f780fb3c74ebfddd05506bb731b (git) Affected: 31d3ad832948c75139b0e5b653912f7898a1d5d5 , < b97d5eedf4976cc94321243be83b39efe81a0e15 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/netdevsim/bpf.c",
"drivers/net/netdevsim/dev.c",
"drivers/net/netdevsim/netdevsim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f560cfc7706029294132482fff5d1bc7884b70d",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "f1f9cfd2f46a73b7de2982d01be822eac3a0efaa",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "d77379ca82efcb2fe563359cc795027d680410db",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "68462ecc40ea8f780fb3c74ebfddd05506bb731b",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
},
{
"lessThan": "b97d5eedf4976cc94321243be83b39efe81a0e15",
"status": "affected",
"version": "31d3ad832948c75139b0e5b653912f7898a1d5d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/netdevsim/bpf.c",
"drivers/net/netdevsim/dev.c",
"drivers/net/netdevsim/netdevsim.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix a race issue related to the operation on bpf_bound_progs list\n\nThe netdevsim driver lacks a protection mechanism for operations on the\nbpf_bound_progs list. When the nsim_bpf_create_prog() performs\nlist_add_tail, it is possible that nsim_bpf_destroy_prog() is\nsimultaneously performs list_del. Concurrent operations on the list may\nlead to list corruption and trigger a kernel crash as follows:\n\n[ 417.290971] kernel BUG at lib/list_debug.c:62!\n[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1\n[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 417.291007] Workqueue: events bpf_prog_free_deferred\n[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0\n[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8\n[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246\n[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000\n[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180\n[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003\n[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20\n[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000\n[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000\n[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0\n[ 417.291088] PKRU: 55555554\n[ 417.291091] Call Trace:\n[ 417.291096] \u003cTASK\u003e\n[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]\n[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80\n[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0\n[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0\n[ 417.291178] process_one_work+0x18a/0x3a0\n[ 417.291188] worker_thread+0x27b/0x3a0\n[ 417.291197] ? __pfx_worker_thread+0x10/0x10\n[ 417.291207] kthread+0xe5/0x120\n[ 417.291214] ? __pfx_kthread+0x10/0x10\n[ 417.291221] ret_from_fork+0x31/0x50\n[ 417.291230] ? __pfx_kthread+0x10/0x10\n[ 417.291236] ret_from_fork_asm+0x1a/0x30\n[ 417.291246] \u003c/TASK\u003e\n\nAdd a mutex lock, to prevent simultaneous addition and deletion operations\non the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:55.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f560cfc7706029294132482fff5d1bc7884b70d"
},
{
"url": "https://git.kernel.org/stable/c/f1f9cfd2f46a73b7de2982d01be822eac3a0efaa"
},
{
"url": "https://git.kernel.org/stable/c/d77379ca82efcb2fe563359cc795027d680410db"
},
{
"url": "https://git.kernel.org/stable/c/68462ecc40ea8f780fb3c74ebfddd05506bb731b"
},
{
"url": "https://git.kernel.org/stable/c/b97d5eedf4976cc94321243be83b39efe81a0e15"
}
],
"title": "netdevsim: fix a race issue related to the operation on bpf_bound_progs list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23126",
"datePublished": "2026-02-14T15:09:55.552Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:55.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23200 (GCVE-0-2026-23200)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6
route. [0]
Commit f72514b3c569 ("ipv6: clear RA flags when adding a static
route") introduced logic to clear RTF_ADDRCONF from existing routes
when a static route with the same nexthop is added. However, this
causes a problem when the existing route has a gateway.
When RTF_ADDRCONF is cleared from a route that has a gateway, that
route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns
true. The issue is that this route was never added to the
fib6_siblings list.
This leads to a mismatch between the following counts:
- The sibling count computed by iterating fib6_next chain, which
includes the newly ECMP-eligible route
- The actual siblings in fib6_siblings list, which does not include
that route
When a subsequent ECMP route is added, fib6_add_rt2node() hits
BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the
counts don't match.
Fix this by only clearing RTF_ADDRCONF when the existing route does
not have a gateway. Routes without a gateway cannot qualify for ECMP
anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing
RTF_ADDRCONF on them is safe and matches the original intent of the
commit.
[0]:
kernel BUG at net/ipv6/ip6_fib.c:1217!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217
[...]
Call Trace:
<TASK>
fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532
__ip6_ins_rt net/ipv6/route.c:1351 [inline]
ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946
ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571
inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577
sock_do_ioctl+0xdc/0x300 net/socket.c:1245
sock_ioctl+0x576/0x790 net/socket.c:1366
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cb2b0caa8ca93cbe39177516669bf699c74f7041 , < 50b7c7a255858a85c4636a1e990ca04591153dca
(git)
Affected: 03f642caab84bbfd138e74f671bb436186ea7e82 , < d8143c54ceeba232dc8a13aa0afa14a44b371d93 (git) Affected: 3e5b25da0b4109a3e063759735e6ec4236ea5a05 , < b8ad2d53f706aeea833d23d45c0758398fede580 (git) Affected: f72514b3c5698e4b900b25345e09f9ed33123de6 , < bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 (git) Affected: 61d88ea0f30c88e4ea98793594943aed8f1fc9ab (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50b7c7a255858a85c4636a1e990ca04591153dca",
"status": "affected",
"version": "cb2b0caa8ca93cbe39177516669bf699c74f7041",
"versionType": "git"
},
{
"lessThan": "d8143c54ceeba232dc8a13aa0afa14a44b371d93",
"status": "affected",
"version": "03f642caab84bbfd138e74f671bb436186ea7e82",
"versionType": "git"
},
{
"lessThan": "b8ad2d53f706aeea833d23d45c0758398fede580",
"status": "affected",
"version": "3e5b25da0b4109a3e063759735e6ec4236ea5a05",
"versionType": "git"
},
{
"lessThan": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
"status": "affected",
"version": "f72514b3c5698e4b900b25345e09f9ed33123de6",
"versionType": "git"
},
{
"status": "affected",
"version": "61d88ea0f30c88e4ea98793594943aed8f1fc9ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.6.124",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.70",
"status": "affected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF\n\nsyzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6\nroute. [0]\n\nCommit f72514b3c569 (\"ipv6: clear RA flags when adding a static\nroute\") introduced logic to clear RTF_ADDRCONF from existing routes\nwhen a static route with the same nexthop is added. However, this\ncauses a problem when the existing route has a gateway.\n\nWhen RTF_ADDRCONF is cleared from a route that has a gateway, that\nroute becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns\ntrue. The issue is that this route was never added to the\nfib6_siblings list.\n\nThis leads to a mismatch between the following counts:\n\n- The sibling count computed by iterating fib6_next chain, which\n includes the newly ECMP-eligible route\n\n- The actual siblings in fib6_siblings list, which does not include\n that route\n\nWhen a subsequent ECMP route is added, fib6_add_rt2node() hits\nBUG_ON(sibling-\u003efib6_nsiblings != rt-\u003efib6_nsiblings) because the\ncounts don\u0027t match.\n\nFix this by only clearing RTF_ADDRCONF when the existing route does\nnot have a gateway. Routes without a gateway cannot qualify for ECMP\nanyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing\nRTF_ADDRCONF on them is safe and matches the original intent of the\ncommit.\n\n[0]:\nkernel BUG at net/ipv6/ip6_fib.c:1217!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946\n ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571\n inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577\n sock_do_ioctl+0xdc/0x300 net/socket.c:1245\n sock_ioctl+0x576/0x790 net/socket.c:1366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:25.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50b7c7a255858a85c4636a1e990ca04591153dca"
},
{
"url": "https://git.kernel.org/stable/c/d8143c54ceeba232dc8a13aa0afa14a44b371d93"
},
{
"url": "https://git.kernel.org/stable/c/b8ad2d53f706aeea833d23d45c0758398fede580"
},
{
"url": "https://git.kernel.org/stable/c/bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25"
}
],
"title": "ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23200",
"datePublished": "2026-02-14T16:27:25.025Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:25.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23189 (GCVE-0-2026-23189)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
The CephFS kernel client has regression starting from 6.18-rc1.
We have issue in ceph_mds_auth_match() if fs_name == NULL:
const char fs_name = mdsc->fsc->mount_options->mds_namespace;
...
if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
/ fsname mismatch, try next one */
return 0;
}
Patrick Donnelly suggested that: In summary, we should definitely start
decoding `fs_name` from the MDSMap and do strict authorizations checks
against it. Note that the `-o mds_namespace=foo` should only be used for
selecting the file system to mount and nothing else. It's possible
no mds_namespace is specified but the kernel will mount the only
file system that exists which may have name "foo".
This patch reworks ceph_mdsmap_decode() and namespace_equals() with
the goal of supporting the suggested concept. Now struct ceph_mdsmap
contains m_fs_name field that receives copy of extracted FS name
by ceph_extract_encoded_string(). For the case of "old" CephFS file
systems, it is used "cephfs" name.
[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),
get rid of a series of strlen() calls in ceph_namespace_match(),
drop changes to namespace_equals() body to avoid treating empty
mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()
as namespace_equals() isn't an equivalent substitution there ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07640d34a781bb2e39020a39137073c03c4aa932 , < c6f8326f26bd20d648d9a55afd68148d1b6afe28
(git)
Affected: 22c73d52a6d05c5a2053385c0d6cd9984732799d , < 57b36ffc8881dd455d875f85c105901974af2130 (git) Affected: 22c73d52a6d05c5a2053385c0d6cd9984732799d , < 7987cce375ac8ce98e170a77aa2399f2cf6eb99f (git) Affected: ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/mds_client.c",
"fs/ceph/mdsmap.c",
"fs/ceph/mdsmap.h",
"fs/ceph/super.h",
"include/linux/ceph/ceph_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6f8326f26bd20d648d9a55afd68148d1b6afe28",
"status": "affected",
"version": "07640d34a781bb2e39020a39137073c03c4aa932",
"versionType": "git"
},
{
"lessThan": "57b36ffc8881dd455d875f85c105901974af2130",
"status": "affected",
"version": "22c73d52a6d05c5a2053385c0d6cd9984732799d",
"versionType": "git"
},
{
"lessThan": "7987cce375ac8ce98e170a77aa2399f2cf6eb99f",
"status": "affected",
"version": "22c73d52a6d05c5a2053385c0d6cd9984732799d",
"versionType": "git"
},
{
"status": "affected",
"version": "ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/mds_client.c",
"fs/ceph/mdsmap.c",
"fs/ceph/mdsmap.h",
"fs/ceph/super.h",
"include/linux/ceph/ceph_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n const char fs_name = mdsc-\u003efsc-\u003emount_options-\u003emds_namespace;\n ...\n if (auth-\u003ematch.fs_name \u0026\u0026 strcmp(auth-\u003ematch.fs_name, fs_name)) {\n / fsname mismatch, try next one */\n return 0;\n }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It\u0027s possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n get rid of a series of strlen() calls in ceph_namespace_match(),\n drop changes to namespace_equals() body to avoid treating empty\n mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n as namespace_equals() isn\u0027t an equivalent substitution there ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:17.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"
},
{
"url": "https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"
},
{
"url": "https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"
}
],
"title": "ceph: fix NULL pointer dereference in ceph_mds_auth_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23189",
"datePublished": "2026-02-14T16:27:17.549Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-02-14T16:27:17.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23207 (GCVE-0-2026-23207)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Now that all other accesses to curr_xfer are done under the lock,
protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the
spinlock. Without this protection, the following race can occur:
CPU0 (ISR thread) CPU1 (timeout path)
---------------- -------------------
if (!tqspi->curr_xfer)
// sees non-NULL
spin_lock()
tqspi->curr_xfer = NULL
spin_unlock()
handle_*_xfer()
spin_lock()
t = tqspi->curr_xfer // NULL!
... t->len ... // NULL dereference!
With this patch, all curr_xfer accesses are now properly synchronized.
Although all accesses to curr_xfer are done under the lock, in
tegra_qspi_isr_thread() it checks for NULL, releases the lock and
reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().
There is a potential for an update in between, which could cause a NULL
pointer dereference.
To handle this, add a NULL check inside the handlers after acquiring
the lock. This ensures that if the timeout path has already cleared
curr_xfer, the handler will safely return without dereferencing the
NULL pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
01bbf25c767219b14c3235bfa85906b8d2cb8fbc , < 2ac3a105e51496147c0e44e49466eecfcc532d57
(git)
Affected: b4e002d8a7cee3b1d70efad0e222567f92a73000 , < edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e (git) Affected: 88db8bb7ed1bb474618acdf05ebd4f0758d244e2 (git) Affected: 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) Affected: c934e40246da2c5726d14e94719c514e30840df8 (git) Affected: 551060efb156c50fe33799038ba8145418cfdeef (git) Affected: bb0c58be84f907285af45657c1d4847b960a12bf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2ac3a105e51496147c0e44e49466eecfcc532d57",
"status": "affected",
"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"versionType": "git"
},
{
"lessThan": "edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e",
"status": "affected",
"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"versionType": "git"
},
{
"status": "affected",
"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"versionType": "git"
},
{
"status": "affected",
"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"versionType": "git"
},
{
"status": "affected",
"version": "c934e40246da2c5726d14e94719c514e30840df8",
"versionType": "git"
},
{
"status": "affected",
"version": "551060efb156c50fe33799038ba8145418cfdeef",
"versionType": "git"
},
{
"status": "affected",
"version": "bb0c58be84f907285af45657c1d4847b960a12bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.10",
"status": "affected",
"version": "6.18.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer check in IRQ handler\n\nNow that all other accesses to curr_xfer are done under the lock,\nprotect the curr_xfer NULL check in tegra_qspi_isr_thread() with the\nspinlock. Without this protection, the following race can occur:\n\n CPU0 (ISR thread) CPU1 (timeout path)\n ---------------- -------------------\n if (!tqspi-\u003ecurr_xfer)\n // sees non-NULL\n spin_lock()\n tqspi-\u003ecurr_xfer = NULL\n spin_unlock()\n handle_*_xfer()\n spin_lock()\n t = tqspi-\u003ecurr_xfer // NULL!\n ... t-\u003elen ... // NULL dereference!\n\nWith this patch, all curr_xfer accesses are now properly synchronized.\n\nAlthough all accesses to curr_xfer are done under the lock, in\ntegra_qspi_isr_thread() it checks for NULL, releases the lock and\nreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().\nThere is a potential for an update in between, which could cause a NULL\npointer dereference.\n\nTo handle this, add a NULL check inside the handlers after acquiring\nthe lock. This ensures that if the timeout path has already cleared\ncurr_xfer, the handler will safely return without dereferencing the\nNULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:29.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57"
},
{
"url": "https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e"
}
],
"title": "spi: tegra210-quad: Protect curr_xfer check in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23207",
"datePublished": "2026-02-14T16:27:29.762Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:29.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71221 (GCVE-0-2025-71221)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.
The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:
CPU 0 CPU 1
----- -----
mmp_pdma_tx_status()
mmp_pdma_residue()
-> NO LOCK held
list_for_each_entry(sw, ..)
DMA interrupt
dma_do_tasklet()
-> spin_lock(&desc_lock)
list_move(sw->node, ...)
spin_unlock(&desc_lock)
| dma_pool_free(sw) <- FREED!
-> access sw->desc <- UAF!
This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).
Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/mmp_pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f665b3c3d9a168410251f27a5d019b7bf93185c",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
},
{
"lessThan": "a143545855bc2c6e1330f6f57ae375ac44af00a7",
"status": "affected",
"version": "1b38da264674d6a0fe26a63996b8f88b88c3da48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/mmp_pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()\n\nAdd proper locking in mmp_pdma_residue() to prevent use-after-free when\naccessing descriptor list and descriptor contents.\n\nThe race occurs when multiple threads call tx_status() while the tasklet\non another CPU is freeing completed descriptors:\n\nCPU 0 CPU 1\n----- -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n -\u003e NO LOCK held\n list_for_each_entry(sw, ..)\n DMA interrupt\n dma_do_tasklet()\n -\u003e spin_lock(\u0026desc_lock)\n list_move(sw-\u003enode, ...)\n spin_unlock(\u0026desc_lock)\n | dma_pool_free(sw) \u003c- FREED!\n -\u003e access sw-\u003edesc \u003c- UAF!\n\nThis issue can be reproduced when running dmatest on the same channel with\nmultiple threads (threads_per_chan \u003e 1).\n\nFix by protecting the chain_running list iteration and descriptor access\nwith the chan-\u003edesc_lock spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:43.554Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c"
},
{
"url": "https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7"
}
],
"title": "dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71221",
"datePublished": "2026-02-14T16:27:04.631Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-02-16T08:58:43.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23150 (GCVE-0-2026-23150)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():
CPU1 CPU2
---- ----
nfc_llcp_send_ui_frame() local_cleanup()
|- do { '
|- pdu = nfc_alloc_send_skb(..., &err)
| .
| |- nfc_llcp_socket_release(local, false, ENXIO);
| |- skb_queue_purge(&local->tx_queue); |
| ' |
|- skb_queue_tail(&local->tx_queue, pdu); |
... |
|- pdu = nfc_alloc_send_skb(..., &err) |
^._________________________________.'
local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
94f418a206648c9be6fd84d6681d6956b8f8b106 , < ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
(git)
Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 6734ff1ac6beba1d0c22dc9a3dc1849b773b511f (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < f8d002626d434f5fea9085e2557711c16a15cec6 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 61858cbce6ca4bef9ed116c689a4be9520841339 (git) Affected: 94f418a206648c9be6fd84d6681d6956b8f8b106 , < 165c34fb6068ff153e3fc99a932a80a9d5755709 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab660cb8e17aa93426d1e821c2cce60e4b9bc56a",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "6734ff1ac6beba1d0c22dc9a3dc1849b773b511f",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "f8d002626d434f5fea9085e2557711c16a15cec6",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "61858cbce6ca4bef9ed116c689a4be9520841339",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
},
{
"lessThan": "165c34fb6068ff153e3fc99a932a80a9d5755709",
"status": "affected",
"version": "94f418a206648c9be6fd84d6681d6956b8f8b106",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_commands.c",
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { \u0027\n |- pdu = nfc_alloc_send_skb(..., \u0026err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(\u0026local-\u003etx_queue); |\n | \u0027 |\n |- skb_queue_tail(\u0026local-\u003etx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., \u0026err) |\n ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 \u0027..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/\u0027....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:18.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
},
{
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
},
{
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
},
{
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
},
{
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
},
{
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
},
{
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
}
],
"title": "nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23150",
"datePublished": "2026-02-14T16:01:18.968Z",
"dateReserved": "2026-01-13T15:37:45.976Z",
"dateUpdated": "2026-02-14T16:01:18.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23139 (GCVE-0-2026-23139)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
netfilter: nf_conncount: update last_gc only when GC has been performed
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: update last_gc only when GC has been performed
Currently last_gc is being updated everytime a new connection is
tracked, that means that it is updated even if a GC wasn't performed.
With a sufficiently high packet rate, it is possible to always bypass
the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f106694733c66a48740c25bc4e212e9b2ea364ce , < 2c7c71113ed6d3e2f3aca4c088f22283016ff34f
(git)
Affected: be69850b461e7b491d87a22e33ab76fdd04b725e , < c4cde57c8affdcca5bcff53a1047e15d268bdca1 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 9f45588993d7f115280fc726119ca86fba32a811 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 3cd717359e56f82f06cbf8279b47a7d79880c6f3 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 26a82dce2beee39c43c109d9647e16f49cb02a35 (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 8bdafdf4900040a81422056cabe5e00a37bd101a (git) Affected: d265929930e2ffafc744c0ae05fb70acd53be1ee , < 7811ba452402d58628e68faedf38745b3d485e3c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c7c71113ed6d3e2f3aca4c088f22283016ff34f",
"status": "affected",
"version": "f106694733c66a48740c25bc4e212e9b2ea364ce",
"versionType": "git"
},
{
"lessThan": "c4cde57c8affdcca5bcff53a1047e15d268bdca1",
"status": "affected",
"version": "be69850b461e7b491d87a22e33ab76fdd04b725e",
"versionType": "git"
},
{
"lessThan": "9f45588993d7f115280fc726119ca86fba32a811",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "3cd717359e56f82f06cbf8279b47a7d79880c6f3",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "26a82dce2beee39c43c109d9647e16f49cb02a35",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "8bdafdf4900040a81422056cabe5e00a37bd101a",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
},
{
"lessThan": "7811ba452402d58628e68faedf38745b3d485e3c",
"status": "affected",
"version": "d265929930e2ffafc744c0ae05fb70acd53be1ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: update last_gc only when GC has been performed\n\nCurrently last_gc is being updated everytime a new connection is\ntracked, that means that it is updated even if a GC wasn\u0027t performed.\nWith a sufficiently high packet rate, it is possible to always bypass\nthe GC, causing the list to grow infinitely.\n\nUpdate the last_gc value only when a GC has been actually performed."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:24.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c7c71113ed6d3e2f3aca4c088f22283016ff34f"
},
{
"url": "https://git.kernel.org/stable/c/c4cde57c8affdcca5bcff53a1047e15d268bdca1"
},
{
"url": "https://git.kernel.org/stable/c/9f45588993d7f115280fc726119ca86fba32a811"
},
{
"url": "https://git.kernel.org/stable/c/3cd717359e56f82f06cbf8279b47a7d79880c6f3"
},
{
"url": "https://git.kernel.org/stable/c/26a82dce2beee39c43c109d9647e16f49cb02a35"
},
{
"url": "https://git.kernel.org/stable/c/8bdafdf4900040a81422056cabe5e00a37bd101a"
},
{
"url": "https://git.kernel.org/stable/c/7811ba452402d58628e68faedf38745b3d485e3c"
}
],
"title": "netfilter: nf_conncount: update last_gc only when GC has been performed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23139",
"datePublished": "2026-02-14T15:22:24.059Z",
"dateReserved": "2026-01-13T15:37:45.972Z",
"dateUpdated": "2026-02-14T15:22:24.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23143 (GCVE-0-2026-23143)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-02-14 15:36
VLAI?
EPSS
Title
virtio_net: Fix misalignment bug in struct virtnet_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_net: Fix misalignment bug in struct virtnet_info
Use the new TRAILING_OVERLAP() helper to fix a misalignment bug
along with the following warning:
drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
This helper creates a union between a flexible-array member (FAM)
and a set of members that would otherwise follow it (in this case
`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This
overlays the trailing members (rss_hash_key_data) onto the FAM
(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.
The static_assert() ensures this alignment remains.
Notice that due to tail padding in flexible `struct
virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`
(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at
offset 84 in struct virtnet_info) are misaligned by one byte. See
below:
struct virtio_net_rss_config_trailer {
__le16 max_tx_vq; /* 0 2 */
__u8 hash_key_length; /* 2 1 */
__u8 hash_key_data[]; /* 3 0 */
/* size: 4, cachelines: 1, members: 3 */
/* padding: 1 */
/* last cacheline: 4 bytes */
};
struct virtnet_info {
...
struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */
/* XXX last struct has 1 byte of padding */
u8 rss_hash_key_data[40]; /* 84 40 */
...
/* size: 832, cachelines: 13, members: 48 */
/* sum members: 801, holes: 8, sum holes: 31 */
/* paddings: 2, sum paddings: 5 */
};
After changes, those members are correctly aligned at offset 795:
struct virtnet_info {
...
union {
struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */
struct {
unsigned char __offset_to_hash_key_data[3]; /* 792 3 */
u8 rss_hash_key_data[40]; /* 795 40 */
}; /* 792 43 */
}; /* 792 44 */
...
/* size: 840, cachelines: 14, members: 47 */
/* sum members: 801, holes: 8, sum holes: 35 */
/* padding: 4 */
/* paddings: 1, sum paddings: 4 */
/* last cacheline: 8 bytes */
};
As a result, the RSS key passed to the device is shifted by 1
byte: the last byte is cut off, and instead a (possibly
uninitialized) byte is added at the beginning.
As a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also
moved to the end, since it seems those three members should stick
around together. :)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae48108c2310f1dd700e0dbb655c2f1d92ed00fc",
"status": "affected",
"version": "ed3100e90d0d120a045a551b85eb43cf2527e885",
"versionType": "git"
},
{
"lessThan": "4156c3745f06bc197094b9ee97a9584e69ed00bf",
"status": "affected",
"version": "ed3100e90d0d120a045a551b85eb43cf2527e885",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:36:08.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc"
},
{
"url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf"
}
],
"title": "virtio_net: Fix misalignment bug in struct virtnet_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23143",
"datePublished": "2026-02-14T15:36:08.834Z",
"dateReserved": "2026-01-13T15:37:45.973Z",
"dateUpdated": "2026-02-14T15:36:08.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23201 (GCVE-0-2026-23201)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-14 16:27
VLAI?
EPSS
Title
ceph: fix oops due to invalid pointer for kfree() in parse_longname()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix oops due to invalid pointer for kfree() in parse_longname()
This fixes a kernel oops when reading ceph snapshot directories (.snap),
for example by simply running `ls /mnt/my_ceph/.snap`.
The variable str is guarded by __free(kfree), but advanced by one for
skipping the initial '_' in snapshot names. Thus, kfree() is called
with an invalid pointer. This patch removes the need for advancing the
pointer so kfree() is called with correct memory pointer.
Steps to reproduce:
1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)
2. Add cephfs mount to fstab
$ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab
3. Reboot the system
$ systemctl reboot
4. Check if it's really mounted
$ mount | grep stuff
5. List snapshots (expected 63 snapshots on my system)
$ ls /mnt/test/stuff/.snap
Now ls hangs forever and the kernel log shows the oops.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bb80f7618832d26f7e395f52f82b1dac76223e5f , < 8c9af7339de419819cfc641d551675d38ff99abf
(git)
Affected: 101841c38346f4ca41dc1802c867da990ffb32eb , < e258ed369c9e04caa7d2fd49785d753ae4034cb6 (git) Affected: 101841c38346f4ca41dc1802c867da990ffb32eb , < bc8dedae022ce3058659c3addef3ec4b41d15e00 (git) Affected: 3145b2b11492d61c512bbc59660bb823bc757f48 (git) Affected: 493479af8af3ab907f49e99323777d498a4fbd2b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c9af7339de419819cfc641d551675d38ff99abf",
"status": "affected",
"version": "bb80f7618832d26f7e395f52f82b1dac76223e5f",
"versionType": "git"
},
{
"lessThan": "e258ed369c9e04caa7d2fd49785d753ae4034cb6",
"status": "affected",
"version": "101841c38346f4ca41dc1802c867da990ffb32eb",
"versionType": "git"
},
{
"lessThan": "bc8dedae022ce3058659c3addef3ec4b41d15e00",
"status": "affected",
"version": "101841c38346f4ca41dc1802c867da990ffb32eb",
"versionType": "git"
},
{
"status": "affected",
"version": "3145b2b11492d61c512bbc59660bb823bc757f48",
"versionType": "git"
},
{
"status": "affected",
"version": "493479af8af3ab907f49e99323777d498a4fbd2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix oops due to invalid pointer for kfree() in parse_longname()\n\nThis fixes a kernel oops when reading ceph snapshot directories (.snap),\nfor example by simply running `ls /mnt/my_ceph/.snap`.\n\nThe variable str is guarded by __free(kfree), but advanced by one for\nskipping the initial \u0027_\u0027 in snapshot names. Thus, kfree() is called\nwith an invalid pointer. This patch removes the need for advancing the\npointer so kfree() is called with correct memory pointer.\n\nSteps to reproduce:\n\n1. Create snapshots on a cephfs volume (I\u0027ve 63 snaps in my testcase)\n\n2. Add cephfs mount to fstab\n$ echo \"samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0\" \u003e\u003e /etc/fstab\n\n3. Reboot the system\n$ systemctl reboot\n\n4. Check if it\u0027s really mounted\n$ mount | grep stuff\n\n5. List snapshots (expected 63 snapshots on my system)\n$ ls /mnt/test/stuff/.snap\n\nNow ls hangs forever and the kernel log shows the oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:27:25.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c9af7339de419819cfc641d551675d38ff99abf"
},
{
"url": "https://git.kernel.org/stable/c/e258ed369c9e04caa7d2fd49785d753ae4034cb6"
},
{
"url": "https://git.kernel.org/stable/c/bc8dedae022ce3058659c3addef3ec4b41d15e00"
}
],
"title": "ceph: fix oops due to invalid pointer for kfree() in parse_longname()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23201",
"datePublished": "2026-02-14T16:27:25.693Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-02-14T16:27:25.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23156 (GCVE-0-2026-23156)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
EPSS
Title
efivarfs: fix error propagation in efivar_entry_get()
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: fix error propagation in efivar_entry_get()
efivar_entry_get() always returns success even if the underlying
__efivar_entry_get() fails, masking errors.
This may result in uninitialized heap memory being copied to userspace
in the efivarfs_file_read() path.
Fix it by returning the error from __efivar_entry_get().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d82e6227ea189c0589e7383a36616ac2a2d248c , < 3960f1754664661a970dc9ebbab44ff93a0b4c42
(git)
Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 510a16f1c5c1690b33504052bc13fbc2772c23f8 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 89b8ca709eeeabcc11ebba64806677873a2787a8 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < e4e15a0a4403c96d9898d8398f0640421df9cb16 (git) Affected: 2d82e6227ea189c0589e7383a36616ac2a2d248c , < 4b22ec1685ce1fc0d862dcda3225d852fb107995 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/vars.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3960f1754664661a970dc9ebbab44ff93a0b4c42",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "510a16f1c5c1690b33504052bc13fbc2772c23f8",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "89b8ca709eeeabcc11ebba64806677873a2787a8",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "e4e15a0a4403c96d9898d8398f0640421df9cb16",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
},
{
"lessThan": "4b22ec1685ce1fc0d862dcda3225d852fb107995",
"status": "affected",
"version": "2d82e6227ea189c0589e7383a36616ac2a2d248c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/efivarfs/vars.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.123",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.69",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: fix error propagation in efivar_entry_get()\n\nefivar_entry_get() always returns success even if the underlying\n__efivar_entry_get() fails, masking errors.\n\nThis may result in uninitialized heap memory being copied to userspace\nin the efivarfs_file_read() path.\n\nFix it by returning the error from __efivar_entry_get()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T16:01:23.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3960f1754664661a970dc9ebbab44ff93a0b4c42"
},
{
"url": "https://git.kernel.org/stable/c/510a16f1c5c1690b33504052bc13fbc2772c23f8"
},
{
"url": "https://git.kernel.org/stable/c/89b8ca709eeeabcc11ebba64806677873a2787a8"
},
{
"url": "https://git.kernel.org/stable/c/e4e15a0a4403c96d9898d8398f0640421df9cb16"
},
{
"url": "https://git.kernel.org/stable/c/4b22ec1685ce1fc0d862dcda3225d852fb107995"
}
],
"title": "efivarfs: fix error propagation in efivar_entry_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23156",
"datePublished": "2026-02-14T16:01:23.215Z",
"dateReserved": "2026-01-13T15:37:45.978Z",
"dateUpdated": "2026-02-14T16:01:23.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71201 (GCVE-0-2025-71201)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:22 – Updated: 2026-02-14 15:22
VLAI?
EPSS
Title
netfs: Fix early read unlock of page with EOF in middle
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix early read unlock of page with EOF in middle
The read result collection for buffered reads seems to run ahead of the
completion of subrequests under some circumstances, as can be seen in the
following log snippet:
9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0
...
netfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0
...
netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2
netfs_folio: i=157f3 ix=00004-00004 read-done
netfs_folio: i=157f3 ix=00004-00004 read-unlock
netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2
netfs_folio: i=157f3 ix=00005-00005 read-done
netfs_folio: i=157f3 ix=00005-00005 read-unlock
...
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8
...
netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0
netfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0
The 'cto=5fb2' indicates the collected file pos we've collected results to
so far - but we still have 0x4e more bytes to go - so we shouldn't have
collected folio ix=00005 yet. The 'ZERO' subreq that clears the tail
happens after we unlock the folio, allowing the application to see the
uncleared tail through mmap.
The problem is that netfs_read_unlock_folios() will unlock a folio in which
the amount of read results collected hits EOF position - but the ZERO
subreq lies beyond that and so happens after.
Fix this by changing the end check to always be the end of the folio and
never the end of the file.
In the future, I should look at clearing to the end of the folio here rather
than adding a ZERO subreq to do this. On the other hand, the ZERO subreq can
run in parallel with an async READ subreq. Further, the ZERO subreq may still
be necessary to, say, handle extents in a ceph file that don't have any
backing store and are thus implicitly all zeros.
This can be reproduced by creating a file, the size of which doesn't align
to a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something
like:
xfs_io -c "mmap -r 0 0x6000" -c "madvise -d 0 0x6000" \
-c "mread -v 0 0x6000" /xfstest.test/x
The last 0x4e bytes should all be 00, but if the tail hasn't been cleared
yet, you may see rubbish there. This can be reproduced with kafs by
modifying the kernel to disable the call to netfs_read_subreq_progress()
and to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.
Reproduction can be made easier by inserting an mdelay(100) in
netfs_issue_read() for the ZERO-subreq case.
AFS and CIFS are normally unlikely to show this as they dispatch READ ops
asynchronously, which allows the ZERO-subreq to finish first. 9P's READ op is
completely synchronous, so the ZERO-subreq will always happen after. It isn't
seen all the time, though, because the collection may be done in a worker
thread.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/netfs/read_collect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b5482c0e5ee740b35a70759d3582477aea8e8e4",
"status": "affected",
"version": "e2d46f2ec332533816417b60933954173f602121",
"versionType": "git"
},
{
"lessThan": "570ad253a3455a520f03c2136af8714bc780186d",
"status": "affected",
"version": "e2d46f2ec332533816417b60933954173f602121",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/netfs/read_collect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.6",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix early read unlock of page with EOF in middle\n\nThe read result collection for buffered reads seems to run ahead of the\ncompletion of subrequests under some circumstances, as can be seen in the\nfollowing log snippet:\n\n 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0\n ...\n netfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0\n ...\n netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2\n netfs_folio: i=157f3 ix=00004-00004 read-done\n netfs_folio: i=157f3 ix=00004-00004 read-unlock\n netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2\n netfs_folio: i=157f3 ix=00005-00005 read-done\n netfs_folio: i=157f3 ix=00005-00005 read-unlock\n ...\n netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\n netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c\n netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\n netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8\n ...\n netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0\n netfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0\n\nThe \u0027cto=5fb2\u0027 indicates the collected file pos we\u0027ve collected results to\nso far - but we still have 0x4e more bytes to go - so we shouldn\u0027t have\ncollected folio ix=00005 yet. The \u0027ZERO\u0027 subreq that clears the tail\nhappens after we unlock the folio, allowing the application to see the\nuncleared tail through mmap.\n\nThe problem is that netfs_read_unlock_folios() will unlock a folio in which\nthe amount of read results collected hits EOF position - but the ZERO\nsubreq lies beyond that and so happens after.\n\nFix this by changing the end check to always be the end of the folio and\nnever the end of the file.\n\nIn the future, I should look at clearing to the end of the folio here rather\nthan adding a ZERO subreq to do this. On the other hand, the ZERO subreq can\nrun in parallel with an async READ subreq. Further, the ZERO subreq may still\nbe necessary to, say, handle extents in a ceph file that don\u0027t have any\nbacking store and are thus implicitly all zeros.\n\nThis can be reproduced by creating a file, the size of which doesn\u0027t align\nto a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something\nlike:\n\n xfs_io -c \"mmap -r 0 0x6000\" -c \"madvise -d 0 0x6000\" \\\n -c \"mread -v 0 0x6000\" /xfstest.test/x\n\nThe last 0x4e bytes should all be 00, but if the tail hasn\u0027t been cleared\nyet, you may see rubbish there. This can be reproduced with kafs by\nmodifying the kernel to disable the call to netfs_read_subreq_progress()\nand to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.\nReproduction can be made easier by inserting an mdelay(100) in\nnetfs_issue_read() for the ZERO-subreq case.\n\nAFS and CIFS are normally unlikely to show this as they dispatch READ ops\nasynchronously, which allows the ZERO-subreq to finish first. 9P\u0027s READ op is\ncompletely synchronous, so the ZERO-subreq will always happen after. It isn\u0027t\nseen all the time, though, because the collection may be done in a worker\nthread."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:22:21.233Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b5482c0e5ee740b35a70759d3582477aea8e8e4"
},
{
"url": "https://git.kernel.org/stable/c/570ad253a3455a520f03c2136af8714bc780186d"
}
],
"title": "netfs: Fix early read unlock of page with EOF in middle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71201",
"datePublished": "2026-02-14T15:22:21.233Z",
"dateReserved": "2026-01-31T11:36:51.193Z",
"dateUpdated": "2026-02-14T15:22:21.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71220 (GCVE-0-2025-71220)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-02-16 08:58
VLAI?
EPSS
Title
smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2283680a80571ca82d710bc6ecd8f8beac67d63 , < a2c68e256fb7a4ac34154c6e865a1389acca839f
(git)
Affected: 9f297df20d93411c0b4ddad7f88ba04a7cd36e77 , < 2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 04dd114b682a4ccaeba2c2bad049c8b50ce740d8 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < ac18761b530b5dd40f59af8a25902282e5512854 (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < fdda836fcee6fdbcccc24e3679097efb583f581f (git) Affected: e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d , < 7c28f8eef5ac5312794d8a52918076dcd787e53b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2c68e256fb7a4ac34154c6e865a1389acca839f",
"status": "affected",
"version": "f2283680a80571ca82d710bc6ecd8f8beac67d63",
"versionType": "git"
},
{
"lessThan": "2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29",
"status": "affected",
"version": "9f297df20d93411c0b4ddad7f88ba04a7cd36e77",
"versionType": "git"
},
{
"lessThan": "04dd114b682a4ccaeba2c2bad049c8b50ce740d8",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "ac18761b530b5dd40f59af8a25902282e5512854",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "fdda836fcee6fdbcccc24e3679097efb583f581f",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
},
{
"lessThan": "7c28f8eef5ac5312794d8a52918076dcd787e53b",
"status": "affected",
"version": "e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()\n\nWhen ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-16T08:58:42.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2c68e256fb7a4ac34154c6e865a1389acca839f"
},
{
"url": "https://git.kernel.org/stable/c/2b7b4df87fe6f2db6ee45f475de6b37b8b8e5d29"
},
{
"url": "https://git.kernel.org/stable/c/04dd114b682a4ccaeba2c2bad049c8b50ce740d8"
},
{
"url": "https://git.kernel.org/stable/c/ac18761b530b5dd40f59af8a25902282e5512854"
},
{
"url": "https://git.kernel.org/stable/c/fdda836fcee6fdbcccc24e3679097efb583f581f"
},
{
"url": "https://git.kernel.org/stable/c/7c28f8eef5ac5312794d8a52918076dcd787e53b"
}
],
"title": "smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71220",
"datePublished": "2026-02-14T16:27:03.946Z",
"dateReserved": "2026-02-14T16:26:02.969Z",
"dateUpdated": "2026-02-16T08:58:42.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23124 (GCVE-0-2026-23124)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
EPSS
Title
ipv6: annotate data-race in ndisc_router_discovery()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort.
Add READ_ONCE()/WRITE_ONCE() to document the race.
Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.
[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery
read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...
value changed: 0x00000000 -> 0xe5400659
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 4630897eb1a039b5d7b737b8dc9521d9d4b568b5
(git)
Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 2619499169fb1c2ac4974b0f2d87767fb543582b (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < fad8f4ff7928f4d52a062ffdcffa484989c79c47 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 2a2b9d25f801afecf2f83cacce98afa8fd73e3c9 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < e3c1040252e598f7b4e33a42dc7c38519bc22428 (git) Affected: 49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 , < 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4630897eb1a039b5d7b737b8dc9521d9d4b568b5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2619499169fb1c2ac4974b0f2d87767fb543582b",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "fad8f4ff7928f4d52a062ffdcffa484989c79c47",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "2a2b9d25f801afecf2f83cacce98afa8fd73e3c9",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "e3c1040252e598f7b4e33a42dc7c38519bc22428",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
},
{
"lessThan": "9a063f96d87efc3a6cc667f8de096a3d38d74bb5",
"status": "affected",
"version": "49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev-\u003era_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu \u003c IPV6_MIN_MTU || mtu \u003e skb-\u003edev-\u003emtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -\u003e 0xe5400659"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T15:09:54.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4630897eb1a039b5d7b737b8dc9521d9d4b568b5"
},
{
"url": "https://git.kernel.org/stable/c/2619499169fb1c2ac4974b0f2d87767fb543582b"
},
{
"url": "https://git.kernel.org/stable/c/fad8f4ff7928f4d52a062ffdcffa484989c79c47"
},
{
"url": "https://git.kernel.org/stable/c/2a2b9d25f801afecf2f83cacce98afa8fd73e3c9"
},
{
"url": "https://git.kernel.org/stable/c/e3c1040252e598f7b4e33a42dc7c38519bc22428"
},
{
"url": "https://git.kernel.org/stable/c/9a063f96d87efc3a6cc667f8de096a3d38d74bb5"
}
],
"title": "ipv6: annotate data-race in ndisc_router_discovery()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23124",
"datePublished": "2026-02-14T15:09:54.043Z",
"dateReserved": "2026-01-13T15:37:45.970Z",
"dateUpdated": "2026-02-14T15:09:54.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…