Vulnerability-Lookup

WID-SEC-W-2026-0614

Vulnerability from csaf_certbund - Published: 2026-03-04 23:00 - Updated: 2026-05-20 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service-Bedingung führen oder eine Speicherbeschädigung verursachen können.

Betroffene Betriebssysteme: - Linux

CVE-2025-71238

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23231

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23232

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23233

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23234

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23235

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23236

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23237

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-23238

Affected products

Known affected 12 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
IBM QRadar SIEM <7.5.0 UP15 IF02 IBM / QRadar SIEM		<7.5.0 UP15 IF02
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Microsoft Azure Linux azl3 Microsoft / Azure Linux	`cpe:/o:microsoft:azure_linux:azl3`	azl3
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

References

79 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lore.kernel.org/linux-cve-announce/	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://msrc.microsoft.com/update-guide/	external
https://msrc.microsoft.com/update-guide/	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-…	external
https://linux.oracle.com/errata/ELSA-2026-50160.html	external
https://linux.oracle.com/errata/ELSA-2026-6053.html	external
https://access.redhat.com/errata/RHSA-2026:6053	external
https://access.redhat.com/errata/RHSA-2026:6572	external
https://access.redhat.com/errata/RHSA-2026:6570	external
https://access.redhat.com/errata/RHSA-2026:6571	external
https://access.redhat.com/errata/RHSA-2026:6954	external
https://access.redhat.com/errata/RHSA-2026:6940	external
https://linux.oracle.com/errata/ELSA-2026-6571.html	external
https://linux.oracle.com/errata/ELSA-2026-6570.html	external
https://errata.build.resf.org/RLSA-2026:6053	external
https://errata.build.resf.org/RLSA-2026:6571	external
https://errata.build.resf.org/RLSA-2026:6572	external
https://errata.build.resf.org/RLSA-2026:6570	external
https://linux.oracle.com/errata/ELSA-2026-50184.html	external
https://docs.cloud.google.com/support/bulletins#g…	external
https://access.redhat.com/errata/RHSA-2026:8342	external
https://linux.oracle.com/errata/ELSA-2026-50232.html	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:9095	external
https://access.redhat.com/errata/RHSA-2026:9512	external
https://access.redhat.com/errata/RHSA-2026:9515	external
https://access.redhat.com/errata/RHSA-2026:9514	external
https://access.redhat.com/errata/RHSA-2026:9513	external
https://lists.opensuse.org/archives/list/security…	external
https://access.redhat.com/errata/RHSA-2026:9644	external
https://access.redhat.com/errata/RHSA-2026:9643	external
https://access.redhat.com/errata/RHSA-2026:9836	external
https://access.redhat.com/errata/RHSA-2026:9835	external
https://access.redhat.com/errata/RHSA-2026:9870	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:10108	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://www.ibm.com/support/pages/node/7270594	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:10756	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-security-announce…	external
https://access.redhat.com/errata/RHSA-2026:13664	external
https://access.redhat.com/errata/RHSA-2026:13932	external
https://access.redhat.com/errata/RHSA-2026:14165	external
https://ubuntu.com/security/notices/USN-8245-1	external
https://ubuntu.com/security/notices/USN-8244-1	external
https://ubuntu.com/security/notices/USN-8254-1	external
https://ubuntu.com/security/notices/USN-8257-1	external
https://ubuntu.com/security/notices/USN-8258-1	external
https://ubuntu.com/security/notices/USN-8260-1	external
https://ubuntu.com/security/notices/USN-8254-2	external
https://ubuntu.com/security/notices/USN-8254-3	external
https://access.redhat.com/errata/RHSA-2026:19875	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service-Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0614 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0614.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0614 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0614"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-71238",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030437-CVE-2025-71238-76bc@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23231",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23231-1a96@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23232",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23232-b24d@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23233",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23233-4413@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23234",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23234-5cef@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23235",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23235-3b8d@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23236",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23236-b419@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23237",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23237-f6fb@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23238",
        "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2026-03-05",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2026-03-10",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6162 vom 2026-03-13",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00072.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6163 vom 2026-03-13",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00071.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4498 vom 2026-03-13",
        "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00002.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4499 vom 2026-03-13",
        "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00003.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2026-114 vom 2026-03-19",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-114.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50160 vom 2026-03-24",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50160.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6053 vom 2026-03-31",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6053.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6053 vom 2026-03-30",
        "url": "https://access.redhat.com/errata/RHSA-2026:6053"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6572 vom 2026-04-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:6572"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6570 vom 2026-04-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:6570"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6571 vom 2026-04-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:6571"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6954 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:6954"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6940 vom 2026-04-08",
        "url": "https://access.redhat.com/errata/RHSA-2026:6940"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6571 vom 2026-04-08",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6571.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-6570 vom 2026-04-08",
        "url": "https://linux.oracle.com/errata/ELSA-2026-6570.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6053 vom 2026-04-09",
        "url": "https://errata.build.resf.org/RLSA-2026:6053"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6571 vom 2026-04-11",
        "url": "https://errata.build.resf.org/RLSA-2026:6571"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6572 vom 2026-04-11",
        "url": "https://errata.build.resf.org/RLSA-2026:6572"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:6570 vom 2026-04-11",
        "url": "https://errata.build.resf.org/RLSA-2026:6570"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50184 vom 2026-04-10",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50184.html"
      },
      {
        "category": "external",
        "summary": "Google Cloud Platform Security Bulletin GCP-2026-020 vom 2026-04-14",
        "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-020"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:8342 vom 2026-04-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:8342"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50232 vom 2026-04-17",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50232.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21114-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025429.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21123-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025421.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21129-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025416.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21131-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025414.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9095 vom 2026-04-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:9095"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9512 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9512"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9515 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9515"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9514 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9514"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9513 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9513"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20572-1 vom 2026-04-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/STWYWECAV6YINBQYRNTOUWNIHBOUY3YT/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9644 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9644"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9643 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9643"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9836 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9836"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9835 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9835"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:9870 vom 2026-04-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:9870"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21237-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025557.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21230-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025560.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10108 vom 2026-04-24",
        "url": "https://access.redhat.com/errata/RHSA-2026:10108"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1573-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025596.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21241-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025595.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7270594 vom 2026-04-23",
        "url": "https://www.ibm.com/support/pages/node/7270594"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21255-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025583.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10756 vom 2026-04-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:10756"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21352-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025751.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21361-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025743.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1643-1 vom 2026-04-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025762.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4561 vom 2026-05-02",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1661-1 vom 2026-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025787.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6243 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00154.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6238 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00148.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13664 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13664"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13932 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:13932"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14165 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14165"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8245-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8245-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8244-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8244-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8254-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8257-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8257-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8258-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8258-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8260-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8260-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-2 vom 2026-05-11",
        "url": "https://ubuntu.com/security/notices/USN-8254-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-3 vom 2026-05-19",
        "url": "https://ubuntu.com/security/notices/USN-8254-3"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19875 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19875"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:56:03.172+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0614",
      "initial_release_date": "2026-03-04T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-04T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-10T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-03-12T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-03-15T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-03-19T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-03-23T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-03-30T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2026-04-06T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-07T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-08T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-04-09T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-04-12T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation und Oracle Linux aufgenommen"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Google aufgenommen"
        },
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-16T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-04-19T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-20T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-21T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat und openSUSE aufgenommen"
        },
        {
          "date": "2026-04-22T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat und SUSE aufgenommen"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Red Hat, SUSE und IBM aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Debian und SUSE aufgenommen"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "28",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "29",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "30",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "30"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP15 IF02",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP15 IF02",
                  "product_id": "T053291"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP15 IF02",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP15 IF02",
                  "product_id": "T053291-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up15_if02"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "azl3",
                "product": {
                  "name": "Microsoft Azure Linux azl3",
                  "product_id": "T049210",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_linux:azl3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T051452",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-71238",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2025-71238"
    },
    {
      "cve": "CVE-2026-23231",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23231"
    },
    {
      "cve": "CVE-2026-23232",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23232"
    },
    {
      "cve": "CVE-2026-23233",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23233"
    },
    {
      "cve": "CVE-2026-23234",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23234"
    },
    {
      "cve": "CVE-2026-23235",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23235"
    },
    {
      "cve": "CVE-2026-23236",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23236"
    },
    {
      "cve": "CVE-2026-23237",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23237"
    },
    {
      "cve": "CVE-2026-23238",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T053291",
          "T027843",
          "398363",
          "T049210",
          "T004914",
          "1607324",
          "T051452",
          "T032255"
        ]
      },
      "release_date": "2026-03-04T23:00:00.000+00:00",
      "title": "CVE-2026-23238"
    }
  ]
}

CVE-2025-71238 (GCVE-0-2025-71238)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-11 21:57

Title

scsi: qla2xxx: Fix bsg_done() causing double free

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases. However a few invoke it for failure case as well leading to a double free. Validate before calling bsg_done().

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/057a5bdc481e58ab8…
https://git.kernel.org/stable/c/f2bbb4db0e4a4fbd5…
https://git.kernel.org/stable/c/27ac9679c43a09e54…
https://git.kernel.org/stable/c/74e7458537cd9349c…
https://git.kernel.org/stable/c/871f6236da96c4a97…
https://git.kernel.org/stable/c/31f33b856d2324d86…
https://git.kernel.org/stable/c/708003e1bc857dd01…
https://git.kernel.org/stable/c/c2c68225b1456f4d0…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 057a5bdc481e58ab853117254867ffb22caf9f6e (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 27ac9679c43a09e54e2d9aae9980ada045b428e0 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 74e7458537cd9349cf019862e51491f670871707 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 871f6236da96c4a9712b8a29d7f555f767a47e95 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 31f33b856d2324d86bcaef295f4d210477a1c018 (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < 708003e1bc857dd014d4c44278d7d77c26f91b1c (git) Affected: 1b81e7f3019d632a707e07927e946ffbbc102910 , < c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 (git)
Linux	Linux	Affected: 5.7 Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_bsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "057a5bdc481e58ab853117254867ffb22caf9f6e",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "27ac9679c43a09e54e2d9aae9980ada045b428e0",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "74e7458537cd9349cf019862e51491f670871707",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "871f6236da96c4a9712b8a29d7f555f767a47e95",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "31f33b856d2324d86bcaef295f4d210477a1c018",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "708003e1bc857dd014d4c44278d7d77c26f91b1c",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            },
            {
              "lessThan": "c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0",
              "status": "affected",
              "version": "1b81e7f3019d632a707e07927e946ffbbc102910",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/qla2xxx/qla_bsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix bsg_done() causing double free\n\nKernel panic observed on system,\n\n[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000\n[5353358.825194] #PF: supervisor write access in kernel mode\n[5353358.825195] #PF: error_code(0x0002) - not-present page\n[5353358.825196] PGD 100006067 P4D 0\n[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G        W    L    -------  ---  5.14.0-503.34.1.el9_5.x86_64 #1\n[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025\n[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10\n[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246\n[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000\n[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000\n[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000\n[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090\n[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000\n[5353358.825218] FS:  00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000\n[5353358.825219] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0\n[5353358.825221] PKRU: 55555554\n[5353358.825222] Call Trace:\n[5353358.825223]  \u003cTASK\u003e\n[5353358.825224]  ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825229]  ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825232]  ? sg_copy_buffer+0xc8/0x110\n[5353358.825236]  ? __die_body.cold+0x8/0xd\n[5353358.825238]  ? page_fault_oops+0x134/0x170\n[5353358.825242]  ? kernelmode_fixup_or_oops+0x84/0x110\n[5353358.825244]  ? exc_page_fault+0xa8/0x150\n[5353358.825247]  ? asm_exc_page_fault+0x22/0x30\n[5353358.825252]  ? memcpy_erms+0x6/0x10\n[5353358.825253]  sg_copy_buffer+0xc8/0x110\n[5353358.825259]  qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]\n[5353358.825317]  qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]\n\nMost routines in qla_bsg.c call bsg_done() only for success cases.\nHowever a few invoke it for failure case as well leading to a double\nfree. Validate before calling bsg_done()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:57:00.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/057a5bdc481e58ab853117254867ffb22caf9f6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720"
        },
        {
          "url": "https://git.kernel.org/stable/c/27ac9679c43a09e54e2d9aae9980ada045b428e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/74e7458537cd9349cf019862e51491f670871707"
        },
        {
          "url": "https://git.kernel.org/stable/c/871f6236da96c4a9712b8a29d7f555f767a47e95"
        },
        {
          "url": "https://git.kernel.org/stable/c/31f33b856d2324d86bcaef295f4d210477a1c018"
        },
        {
          "url": "https://git.kernel.org/stable/c/708003e1bc857dd014d4c44278d7d77c26f91b1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0"
        }
      ],
      "title": "scsi: qla2xxx: Fix bsg_done() causing double free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71238",
    "datePublished": "2026-03-04T14:36:36.579Z",
    "dateReserved": "2026-02-18T14:25:13.845Z",
    "dateUpdated": "2026-05-11T21:57:00.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23231 (GCVE-0-2026-23231)

Vulnerability from cvelistv5 – Published: 2026-03-04 12:58 – Updated: 2026-05-11 22:02

Title

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/2a6586ecfa4ce1413…
https://git.kernel.org/stable/c/7017745068a906890…
https://git.kernel.org/stable/c/f3fe58ce37926a101…
https://git.kernel.org/stable/c/dbd0af8083dd201f0…
https://git.kernel.org/stable/c/2f9a4ffeb763aec82…
https://git.kernel.org/stable/c/71e99ee20fc3f6625…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2a6586ecfa4ce1413daaafee250d2590e05f1a33 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 7017745068a9068904e1e7a1b170a5785647cc81 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < f3fe58ce37926a10115ede527d59b91bcc05400a (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < dbd0af8083dd201f07c49110b2ee93710abdff28 (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b (git) Affected: 91c7b38dc9f0de4f7f444b796d14476bc12df7bc , < 71e99ee20fc3f662555118cf1159443250647533 (git)
Linux	Linux	Affected: 3.16 Unaffected: 0 , < 3.16 (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a6586ecfa4ce1413daaafee250d2590e05f1a33",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            },
            {
              "lessThan": "7017745068a9068904e1e7a1b170a5785647cc81",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            },
            {
              "lessThan": "f3fe58ce37926a10115ede527d59b91bcc05400a",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            },
            {
              "lessThan": "dbd0af8083dd201f07c49110b2ee93710abdff28",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            },
            {
              "lessThan": "2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            },
            {
              "lessThan": "71e99ee20fc3f662555118cf1159443250647533",
              "status": "affected",
              "version": "91c7b38dc9f0de4f7f444b796d14476bc12df7bc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n    under rcu_read_lock(). A concurrent dump can still be walking\n    the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n    installs the IPv4 hook before IPv6 registration fails.  Packets\n    entering nft_do_chain() via the transient IPv4 hook can still be\n    dereferencing chain-\u003eblob_gen_X when the error path frees the\n    chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:51.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33"
        },
        {
          "url": "https://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533"
        }
      ],
      "title": "netfilter: nf_tables: fix use-after-free in nf_tables_addchain()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23231",
    "datePublished": "2026-03-04T12:58:42.029Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:51.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23232 (GCVE-0-2026-23232)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-11 22:02

Title

Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()"

Summary

In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()" This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a. Original patch may cause below deadlock, revert it. write remount - write_begin - lock_page --- lock A - prepare_write_begin - f2fs_map_lock - f2fs_enable_checkpoint - down_write(cp_enable_rwsem) --- lock B - sync_inode_sb - writepages - lock_page --- lock A - down_read(cp_enable_rwsem) --- lock A

Severity

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/b6382273801bc7c77…
https://git.kernel.org/stable/c/3996b70209f145bfc…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 196c81fdd438f7ac429d5639090a9816abb9760a , < b6382273801bc7c778545dd8004c9a9d750b4f62 (git) Affected: 196c81fdd438f7ac429d5639090a9816abb9760a , < 3996b70209f145bfcf2afc7d05dd92c27b233b48 (git)
Linux	Linux	Affected: 6.19 Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c",
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b6382273801bc7c778545dd8004c9a9d750b4f62",
              "status": "affected",
              "version": "196c81fdd438f7ac429d5639090a9816abb9760a",
              "versionType": "git"
            },
            {
              "lessThan": "3996b70209f145bfcf2afc7d05dd92c27b233b48",
              "status": "affected",
              "version": "196c81fdd438f7ac429d5639090a9816abb9760a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c",
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: block cache/dio write during f2fs_enable_checkpoint()\"\n\nThis reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a.\n\nOriginal patch may cause below deadlock, revert it.\n\nwrite\t\t\t\tremount\n- write_begin\n - lock_page  --- lock A\n - prepare_write_begin\n  - f2fs_map_lock\n\t\t\t\t- f2fs_enable_checkpoint\n\t\t\t\t - down_write(cp_enable_rwsem)  --- lock B\n\t\t\t\t - sync_inode_sb\n\t\t\t\t  - writepages\n\t\t\t\t   - lock_page\t\t\t--- lock A\n   - down_read(cp_enable_rwsem)  --- lock A"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:52.855Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b6382273801bc7c778545dd8004c9a9d750b4f62"
        },
        {
          "url": "https://git.kernel.org/stable/c/3996b70209f145bfcf2afc7d05dd92c27b233b48"
        }
      ],
      "title": "Revert \"f2fs: block cache/dio write during f2fs_enable_checkpoint()\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23232",
    "datePublished": "2026-03-04T14:36:37.323Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:52.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23233 (GCVE-0-2026-23233)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-23 16:04

Title

f2fs: fix to avoid mapping wrong physical block for swapfile

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for swapfile Xiaolong Guo reported a f2fs bug in bugzilla [1] [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 Quoted: "When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either: 1 dm-verity corruption errors and device reboot 2 F2FS node corruption errors and boot hangs The issue occurs specifically when: 1 Using F2FS filesystem (ext4 is unaffected) 2 Swapfile size is less than F2FS section size (2MB) 3 Swapfile has fragmented physical layout (multiple non-contiguous extents) 4 Kernel version is 6.6+ (6.1 is unaffected) The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the first extent of a small swapfile (< 2MB) is not aligned to section boundaries, the function incorrectly treats it as the last extent, failing to map subsequent extents. This results in incorrect swap_extent creation where only the first extent is mapped, causing subsequent swap writes to overwrite wrong physical locations (other files' data). Steps to Reproduce 1 Setup a device with F2FS-formatted userdata partition 2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng 3 Run swap stress test: (Android devices) adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 --swap 0" Log: 1 Ftrace shows in kernel 6.6, only first extent is mapped during second f2fs_map_blocks call in check_swap_activate(): stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start blkaddr=0x43143, len=0x1 (Only 4KB mapped, not the full swapfile) 2 in kernel 6.1, both extents are correctly mapped: stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start blkaddr=0x13cd4, len=0x1 stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start blkaddr=0x60c84b, len=0xff The problematic code is in check_swap_activate(): if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || nr_pblocks % blks_per_sec || !f2fs_valid_pinned_area(sbi, pblock)) { bool last_extent = false; not_aligned++; nr_pblocks = roundup(nr_pblocks, blks_per_sec); if (cur_lblock + nr_pblocks > sis->max) nr_pblocks -= blks_per_sec; /* this extent is last one */ if (!nr_pblocks) { nr_pblocks = last_lblock - cur_lblock; last_extent = true; } ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks); if (ret) { if (ret == -ENOENT) ret = -EINVAL; goto out; } if (!last_extent) goto retry; } When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec) exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The code then incorrectly assumes this is the last extent, sets nr_pblocks = last_lblock - cur_lblock (entire swapfile), and performs migration. After migration, it doesn't retry mapping, so subsequent extents are never processed. " In order to fix this issue, we need to lookup block mapping info after we migrate all blocks in the tail of swapfile.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/d4534a7f6c92baaf7…
https://git.kernel.org/stable/c/1ff415eef513bf12d…
https://git.kernel.org/stable/c/fee27b69dde1a0590…
https://git.kernel.org/stable/c/607cb9d83838d2cd9…
https://git.kernel.org/stable/c/5c145c03188bc9ba1…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 40d76c393cca83938b11eb7ca8983aa3cd0ed69b , < d4534a7f6c92baaf7e12a45fc6e37332cafafc33 (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 1ff415eef513bf12deb058fc50d57788c46c48e6 (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < fee27b69dde1a05908b350eea42937af2387c4fe (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 607cb9d83838d2cd9f0406c2403ed61aadf0edff (git) Affected: 9703d69d9d153bb230711d0d577454552aeb13d4 , < 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 (git) Affected: 6.6.33 , < 6.6.127 (semver)
Linux	Linux	Affected: 6.9 Unaffected: 0 , < 6.9 (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d4534a7f6c92baaf7e12a45fc6e37332cafafc33",
              "status": "affected",
              "version": "40d76c393cca83938b11eb7ca8983aa3cd0ed69b",
              "versionType": "git"
            },
            {
              "lessThan": "1ff415eef513bf12deb058fc50d57788c46c48e6",
              "status": "affected",
              "version": "9703d69d9d153bb230711d0d577454552aeb13d4",
              "versionType": "git"
            },
            {
              "lessThan": "fee27b69dde1a05908b350eea42937af2387c4fe",
              "status": "affected",
              "version": "9703d69d9d153bb230711d0d577454552aeb13d4",
              "versionType": "git"
            },
            {
              "lessThan": "607cb9d83838d2cd9f0406c2403ed61aadf0edff",
              "status": "affected",
              "version": "9703d69d9d153bb230711d0d577454552aeb13d4",
              "versionType": "git"
            },
            {
              "lessThan": "5c145c03188bc9ba1c29e0bc4d527a5978fc47f9",
              "status": "affected",
              "version": "9703d69d9d153bb230711d0d577454552aeb13d4",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.127",
              "status": "affected",
              "version": "6.6.33",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "6.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid mapping wrong physical block for swapfile\n\nXiaolong Guo reported a f2fs bug in bugzilla [1]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951\n\nQuoted:\n\n\"When using stress-ng\u0027s swap stress test on F2FS filesystem with kernel 6.6+,\nthe system experiences data corruption leading to either:\n1 dm-verity corruption errors and device reboot\n2 F2FS node corruption errors and boot hangs\n\nThe issue occurs specifically when:\n1 Using F2FS filesystem (ext4 is unaffected)\n2 Swapfile size is less than F2FS section size (2MB)\n3 Swapfile has fragmented physical layout (multiple non-contiguous extents)\n4 Kernel version is 6.6+ (6.1 is unaffected)\n\nThe root cause is in check_swap_activate() function in fs/f2fs/data.c. When the\nfirst extent of a small swapfile (\u003c 2MB) is not aligned to section boundaries,\nthe function incorrectly treats it as the last extent, failing to map\nsubsequent extents. This results in incorrect swap_extent creation where only\nthe first extent is mapped, causing subsequent swap writes to overwrite wrong\nphysical locations (other files\u0027 data).\n\nSteps to Reproduce\n1 Setup a device with F2FS-formatted userdata partition\n2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng\n3 Run swap stress test: (Android devices)\nadb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60\n--swap 0\"\n\nLog:\n1 Ftrace shows in kernel 6.6, only first extent is mapped during second\nf2fs_map_blocks call in check_swap_activate():\nstress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start\nblkaddr=0x43143, len=0x1\n(Only 4KB mapped, not the full swapfile)\n2 in kernel 6.1, both extents are correctly mapped:\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start\nblkaddr=0x13cd4, len=0x1\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start\nblkaddr=0x60c84b, len=0xff\n\nThe problematic code is in check_swap_activate():\nif ((pblock - SM_I(sbi)-\u003emain_blkaddr) % blks_per_sec ||\n    nr_pblocks % blks_per_sec ||\n    !f2fs_valid_pinned_area(sbi, pblock)) {\n    bool last_extent = false;\n\n    not_aligned++;\n\n    nr_pblocks = roundup(nr_pblocks, blks_per_sec);\n    if (cur_lblock + nr_pblocks \u003e sis-\u003emax)\n        nr_pblocks -= blks_per_sec;\n\n    /* this extent is last one */\n    if (!nr_pblocks) {\n        nr_pblocks = last_lblock - cur_lblock;\n        last_extent = true;\n    }\n\n    ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);\n    if (ret) {\n        if (ret == -ENOENT)\n            ret = -EINVAL;\n        goto out;\n    }\n\n    if (!last_extent)\n        goto retry;\n}\n\nWhen the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)\nexceeds sis-\u003emax, we subtract blks_per_sec resulting in nr_pblocks = 0. The\ncode then incorrectly assumes this is the last extent, sets nr_pblocks =\nlast_lblock - cur_lblock (entire swapfile), and performs migration. After\nmigration, it doesn\u0027t retry mapping, so subsequent extents are never processed.\n\"\n\nIn order to fix this issue, we need to lookup block mapping info after\nwe migrate all blocks in the tail of swapfile."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:19.799Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d4534a7f6c92baaf7e12a45fc6e37332cafafc33"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ff415eef513bf12deb058fc50d57788c46c48e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fee27b69dde1a05908b350eea42937af2387c4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/607cb9d83838d2cd9f0406c2403ed61aadf0edff"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c145c03188bc9ba1c29e0bc4d527a5978fc47f9"
        }
      ],
      "title": "f2fs: fix to avoid mapping wrong physical block for swapfile",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23233",
    "datePublished": "2026-03-04T14:36:38.076Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-23T16:04:19.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23234 (GCVE-0-2026-23234)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-11 22:02

Title

f2fs: fix to avoid UAF in f2fs_write_end_io()

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback(). Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/0fb58aff0dafd6837…
https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e…
https://git.kernel.org/stable/c/505e1c0530db6152c…
https://git.kernel.org/stable/c/acc2c97fc0005846e…
https://git.kernel.org/stable/c/cf4a9e1bc8129eb63…
https://git.kernel.org/stable/c/995030be4ce6338c6…
https://git.kernel.org/stable/c/a42f99be8a16b32a0…
https://git.kernel.org/stable/c/ce2739e482bce8d2c…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 0fb58aff0dafd6837cc91f4154f3ed6e020358fa (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 505e1c0530db6152cab3feef8e3e4da3d3e358c9 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < acc2c97fc0005846e5cf11b5ba3189fef130c9b3 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < 995030be4ce6338c6ff814583c14166446a64008 (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < a42f99be8a16b32a0bb91bb6dda212a6ad61be5d (git) Affected: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff , < ce2739e482bce8d2c014d76c4531c877f382aa54 (git)
Linux	Linux	Affected: 3.13 Unaffected: 0 , < 3.13 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0fb58aff0dafd6837cc91f4154f3ed6e020358fa",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "505e1c0530db6152cab3feef8e3e4da3d3e358c9",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "acc2c97fc0005846e5cf11b5ba3189fef130c9b3",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "995030be4ce6338c6ff814583c14166446a64008",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "a42f99be8a16b32a0bb91bb6dda212a6ad61be5d",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "ce2739e482bce8d2c014d76c4531c877f382aa54",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_write_end_io()\n\nAs syzbot reported an use-after-free issue in f2fs_write_end_io().\n\nIt is caused by below race condition:\n\nloop device\t\t\t\tumount\n- worker_thread\n - loop_process_work\n  - do_req_filebacked\n   - lo_rw_aio\n    - lo_rw_aio_complete\n     - blk_mq_end_request\n      - blk_update_request\n       - f2fs_write_end_io\n        - dec_page_count\n        - folio_end_writeback\n\t\t\t\t\t- kill_f2fs_super\n\t\t\t\t\t - kill_block_super\n\t\t\t\t\t  - f2fs_put_super\n\t\t\t\t\t : free(sbi)\n       : get_pages(, F2FS_WB_CP_DATA)\n         accessed sbi which is freed\n\nIn kill_f2fs_super(), we will drop all page caches of f2fs inodes before\ncall free(sbi), it guarantee that all folios should end its writeback, so\nit should be safe to access sbi before last folio_end_writeback().\n\nLet\u0027s relocate ckpt thread wakeup flow before folio_end_writeback() to\nresolve this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:55.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0fb58aff0dafd6837cc91f4154f3ed6e020358fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/505e1c0530db6152cab3feef8e3e4da3d3e358c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/acc2c97fc0005846e5cf11b5ba3189fef130c9b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42"
        },
        {
          "url": "https://git.kernel.org/stable/c/995030be4ce6338c6ff814583c14166446a64008"
        },
        {
          "url": "https://git.kernel.org/stable/c/a42f99be8a16b32a0bb91bb6dda212a6ad61be5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce2739e482bce8d2c014d76c4531c877f382aa54"
        }
      ],
      "title": "f2fs: fix to avoid UAF in f2fs_write_end_io()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23234",
    "datePublished": "2026-03-04T14:36:38.843Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:55.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23235 (GCVE-0-2026-23235)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-11 22:02

Title

f2fs: fix out-of-bounds access in sysfs attribute read/write

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit integer. However, the sysfs interface allows setting it to a value larger than 255, resulting in an out-of-range update. atgc_age_threshold maps to {struct atgc_management}->age_threshold, which is a 64-bit integer, but its sysfs interface cannot correctly set values larger than UINT_MAX. The root causes are: 1. __sbi_store() treats all default values as unsigned int, which prevents updating integers larger than 4 bytes and causes out-of-bounds writes for integers smaller than 4 bytes. 2. f2fs_sbi_show() also assumes all default values are unsigned int, leading to out-of-bounds reads and incorrect access to integers larger than 4 bytes. This patch introduces {struct f2fs_attr}->size to record the actual size of the integer associated with each sysfs attribute. With this information, sysfs read and write operations can correctly access and update values according to their real data size, avoiding memory corruption and truncation.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/e85a99db9ab85dfc3…
https://git.kernel.org/stable/c/438a405fbad6882df…
https://git.kernel.org/stable/c/6a6c07a9b49e43f0d…
https://git.kernel.org/stable/c/eebd72cff518ac87e…
https://git.kernel.org/stable/c/4ef30b9f1641c9e87…
https://git.kernel.org/stable/c/d4a594dd952df123c…
https://git.kernel.org/stable/c/3a905e183c047577b…
https://git.kernel.org/stable/c/98ea0039dbfdd00e5…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < e85a99db9ab85dfc30d93b0ca0e9156f3127f55a (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 438a405fbad6882df0e34b3e1a16839a71f04240 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 6a6c07a9b49e43f0df42d7118fc76aa555c73d98 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < eebd72cff518ac87e660aefb8a41224bd88c32ce (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 4ef30b9f1641c9e877792df6b049f1cf507d002d (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < d4a594dd952df123cbdcdee9b9640d9d55e4a954 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 3a905e183c047577b154f08a78ac3039e9454703 (git) Affected: b59d0bae6ca30c496f298881616258f9cde0d9c6 , < 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 (git)
Linux	Linux	Affected: 3.12 Unaffected: 0 , < 3.12 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e85a99db9ab85dfc30d93b0ca0e9156f3127f55a",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "438a405fbad6882df0e34b3e1a16839a71f04240",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "6a6c07a9b49e43f0df42d7118fc76aa555c73d98",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "eebd72cff518ac87e660aefb8a41224bd88c32ce",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "4ef30b9f1641c9e877792df6b049f1cf507d002d",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "d4a594dd952df123cbdcdee9b9640d9d55e4a954",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "3a905e183c047577b154f08a78ac3039e9454703",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            },
            {
              "lessThan": "98ea0039dbfdd00e5cc1b9a8afa40434476c0955",
              "status": "affected",
              "version": "b59d0bae6ca30c496f298881616258f9cde0d9c6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix out-of-bounds access in sysfs attribute read/write\n\nSome f2fs sysfs attributes suffer from out-of-bounds memory access and\nincorrect handling of integer values whose size is not 4 bytes.\n\nFor example:\nvm:~# echo 65537 \u003e /sys/fs/f2fs/vde/carve_out\nvm:~# cat /sys/fs/f2fs/vde/carve_out\n65537\nvm:~# echo 4294967297 \u003e /sys/fs/f2fs/vde/atgc_age_threshold\nvm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold\n1\n\ncarve_out maps to {struct f2fs_sb_info}-\u003ecarve_out, which is a 8-bit\ninteger. However, the sysfs interface allows setting it to a value\nlarger than 255, resulting in an out-of-range update.\n\natgc_age_threshold maps to {struct atgc_management}-\u003eage_threshold,\nwhich is a 64-bit integer, but its sysfs interface cannot correctly set\nvalues larger than UINT_MAX.\n\nThe root causes are:\n1. __sbi_store() treats all default values as unsigned int, which\nprevents updating integers larger than 4 bytes and causes out-of-bounds\nwrites for integers smaller than 4 bytes.\n\n2. f2fs_sbi_show() also assumes all default values are unsigned int,\nleading to out-of-bounds reads and incorrect access to integers larger\nthan 4 bytes.\n\nThis patch introduces {struct f2fs_attr}-\u003esize to record the actual size\nof the integer associated with each sysfs attribute. With this\ninformation, sysfs read and write operations can correctly access and\nupdate values according to their real data size, avoiding memory\ncorruption and truncation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:56.280Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e85a99db9ab85dfc30d93b0ca0e9156f3127f55a"
        },
        {
          "url": "https://git.kernel.org/stable/c/438a405fbad6882df0e34b3e1a16839a71f04240"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a6c07a9b49e43f0df42d7118fc76aa555c73d98"
        },
        {
          "url": "https://git.kernel.org/stable/c/eebd72cff518ac87e660aefb8a41224bd88c32ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ef30b9f1641c9e877792df6b049f1cf507d002d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4a594dd952df123cbdcdee9b9640d9d55e4a954"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a905e183c047577b154f08a78ac3039e9454703"
        },
        {
          "url": "https://git.kernel.org/stable/c/98ea0039dbfdd00e5cc1b9a8afa40434476c0955"
        }
      ],
      "title": "f2fs: fix out-of-bounds access in sysfs attribute read/write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23235",
    "datePublished": "2026-03-04T14:36:39.537Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:56.280Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23236 (GCVE-0-2026-23236)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-05-11 22:02

Title

fbdev: smscufx: properly copy ioctl memory to kernelspace

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/061cfeb560aa3ddc1…
https://git.kernel.org/stable/c/6167af934f956d3ae…
https://git.kernel.org/stable/c/a0321e6e58facb39f…
https://git.kernel.org/stable/c/0634e8d650993602f…
https://git.kernel.org/stable/c/52917e265aa5f8482…
https://git.kernel.org/stable/c/1c008ad0f0d1c1523…
https://git.kernel.org/stable/c/f1e91bd4efeae48b0…
https://git.kernel.org/stable/c/120adae7b42faa641…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 061cfeb560aa3ddc174153dbe5be9d0b55eb7248 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 6167af934f956d3ae1e06d61f45cd0d1004bbe1a (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < a0321e6e58facb39fe191caa0e52ed9aab6a48fe (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 0634e8d650993602fc5b389ff7ac525f6542e141 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 52917e265aa5f848212f60fc50fc504d8ef12866 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 1c008ad0f0d1c1523902b9cdb08e404129677bfc (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 120adae7b42faa641179270c067864544a50ab69 (git)
Linux	Linux	Affected: 3.2 Unaffected: 0 , < 3.2 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19.3 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/smscufx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "061cfeb560aa3ddc174153dbe5be9d0b55eb7248",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "6167af934f956d3ae1e06d61f45cd0d1004bbe1a",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "a0321e6e58facb39fe191caa0e52ed9aab6a48fe",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "0634e8d650993602fc5b389ff7ac525f6542e141",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "52917e265aa5f848212f60fc50fc504d8ef12866",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "1c008ad0f0d1c1523902b9cdb08e404129677bfc",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "120adae7b42faa641179270c067864544a50ab69",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/smscufx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:57.406Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248"
        },
        {
          "url": "https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141"
        },
        {
          "url": "https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02"
        },
        {
          "url": "https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69"
        }
      ],
      "title": "fbdev: smscufx: properly copy ioctl memory to kernelspace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23236",
    "datePublished": "2026-03-04T14:36:40.162Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:57.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23237 (GCVE-0-2026-23237)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:38 – Updated: 2026-05-11 22:02

Title

platform/x86: classmate-laptop: Add missing NULL pointer checks

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev) call in in cmpc_accel_sensitivity_store_v4() returns NULL which leads to a NULL pointer dereference going forward. Moreover, sysfs attributes using the input device are added before initializing that device by cmpc_add_acpi_notify_device() and if one of them is accessed before running that function, a NULL pointer dereference will occur. For example, cmpc_accel_sensitivity_attr_v4 is added before calling cmpc_add_acpi_notify_device() and if it is read prematurely, the dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4() returns NULL which leads to a NULL pointer dereference going forward. Fix this by adding NULL pointer checks in all of the relevant places.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/993708fc18d0d0919…
https://git.kernel.org/stable/c/af673209d43b46257…
https://git.kernel.org/stable/c/eb214804f03c829de…
https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05…
https://git.kernel.org/stable/c/da6e06a5fdbabea38…
https://git.kernel.org/stable/c/97528b1622b8f1295…
https://git.kernel.org/stable/c/fe747d7112283f471…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < 993708fc18d0d0919db438361b4e8c1f980a8d1b (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < af673209d43b46257540997aba042b90ef3258c0 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < eb214804f03c829decf10998e9b7dd26f4c8ab9e (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < 9cf4b9b8ad09d6e05307abc4e951cabdff4be652 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < da6e06a5fdbabea3870d18c227734b5dea5b3be6 (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < 97528b1622b8f129574d29a571c32a3c85eafa3c (git) Affected: 529aa8cb0a59367d08883f818e8c47028e819d0d , < fe747d7112283f47169e9c16e751179a9b38611e (git)
Linux	Linux	Affected: 2.6.33 Unaffected: 0 , < 2.6.33 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/classmate-laptop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "993708fc18d0d0919db438361b4e8c1f980a8d1b",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "af673209d43b46257540997aba042b90ef3258c0",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "eb214804f03c829decf10998e9b7dd26f4c8ab9e",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "9cf4b9b8ad09d6e05307abc4e951cabdff4be652",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "da6e06a5fdbabea3870d18c227734b5dea5b3be6",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "97528b1622b8f129574d29a571c32a3c85eafa3c",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            },
            {
              "lessThan": "fe747d7112283f47169e9c16e751179a9b38611e",
              "status": "affected",
              "version": "529aa8cb0a59367d08883f818e8c47028e819d0d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/classmate-laptop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: classmate-laptop: Add missing NULL pointer checks\n\nIn a few places in the Classmate laptop driver, code using the accel\nobject may run before that object\u0027s address is stored in the driver\ndata of the input device using it.\n\nFor example, cmpc_accel_sensitivity_store_v4() is the \"show\" method\nof cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),\nbefore calling dev_set_drvdata() for inputdev-\u003edev.  If the sysfs\nattribute is accessed prematurely, the dev_get_drvdata(\u0026inputdev-\u003edev)\ncall in in cmpc_accel_sensitivity_store_v4() returns NULL which\nleads to a NULL pointer dereference going forward.\n\nMoreover, sysfs attributes using the input device are added before\ninitializing that device by cmpc_add_acpi_notify_device() and if one\nof them is accessed before running that function, a NULL pointer\ndereference will occur.\n\nFor example, cmpc_accel_sensitivity_attr_v4 is added before calling\ncmpc_add_acpi_notify_device() and if it is read prematurely, the\ndev_get_drvdata(\u0026acpi-\u003edev) call in cmpc_accel_sensitivity_show_v4()\nreturns NULL which leads to a NULL pointer dereference going forward.\n\nFix this by adding NULL pointer checks in all of the relevant places."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:58.604Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/af673209d43b46257540997aba042b90ef3258c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb214804f03c829decf10998e9b7dd26f4c8ab9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05307abc4e951cabdff4be652"
        },
        {
          "url": "https://git.kernel.org/stable/c/da6e06a5fdbabea3870d18c227734b5dea5b3be6"
        },
        {
          "url": "https://git.kernel.org/stable/c/97528b1622b8f129574d29a571c32a3c85eafa3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe747d7112283f47169e9c16e751179a9b38611e"
        }
      ],
      "title": "platform/x86: classmate-laptop: Add missing NULL pointer checks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23237",
    "datePublished": "2026-03-04T14:38:41.815Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-05-11T22:02:58.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23238 (GCVE-0-2026-23238)

Vulnerability from cvelistv5 – Published: 2026-03-04 14:38 – Updated: 2026-05-11 22:02

Title

romfs: check sb_set_blocksize() return value

Summary

In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/a381f0f61b35c8894…
https://git.kernel.org/stable/c/f2521ab1f63a8c244…
https://git.kernel.org/stable/c/2c5829cd8fbbc9156…
https://git.kernel.org/stable/c/cbd9931e645682206…
https://git.kernel.org/stable/c/9b203b8ddd7359270…
https://git.kernel.org/stable/c/4b71ad7676564a94e…
https://git.kernel.org/stable/c/ab7ad7abb3660c58f…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a381f0f61b35c8894b0bd0d6acef2d8f9b08b244 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2521ab1f63a8c244f06a080319e5ff9a2e1bd95 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c5829cd8fbbc91568c520b666898f57cdcb8cf6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cbd9931e6456822067725354d83446c5bb813030 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9b203b8ddd7359270e8a694d0584743555128e2c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4b71ad7676564a94ec5f7d18298f51e8ae53db73 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.251 , ≤ 5.10.* (semver) Unaffected: 5.15.201 , ≤ 5.15.* (semver) Unaffected: 6.1.164 , ≤ 6.1.* (semver) Unaffected: 6.6.127 , ≤ 6.6.* (semver) Unaffected: 6.12.74 , ≤ 6.12.* (semver) Unaffected: 6.18.13 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/romfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a381f0f61b35c8894b0bd0d6acef2d8f9b08b244",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f2521ab1f63a8c244f06a080319e5ff9a2e1bd95",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2c5829cd8fbbc91568c520b666898f57cdcb8cf6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "cbd9931e6456822067725354d83446c5bb813030",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9b203b8ddd7359270e8a694d0584743555128e2c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4b71ad7676564a94ec5f7d18298f51e8ae53db73",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/romfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nromfs: check sb_set_blocksize() return value\n\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice\u0027s configuration.\n\nThis can be triggered by setting a loop device\u0027s block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\n\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device\u0027s logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\n\nThe superblock\u0027s block size remains at the device\u0027s logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\n\n    kernel BUG at fs/buffer.c:1582!\n    BUG_ON(size \u003e PAGE_SIZE);\n\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:02:59.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0"
        }
      ],
      "title": "romfs: check sb_set_blocksize() return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23238",
    "datePublished": "2026-03-04T14:38:42.477Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:02:59.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0614

CVE-2025-71238 (GCVE-0-2025-71238)

CVE-2026-23231 (GCVE-0-2026-23231)

CVE-2026-23232 (GCVE-0-2026-23232)

CVE-2026-23233 (GCVE-0-2026-23233)

CVE-2026-23234 (GCVE-0-2026-23234)

CVE-2026-23235 (GCVE-0-2026-23235)

CVE-2026-23236 (GCVE-0-2026-23236)

CVE-2026-23237 (GCVE-0-2026-23237)

CVE-2026-23238 (GCVE-0-2026-23238)

Tags

Sightings

Nomenclature