Vulnerability-Lookup

WID-SEC-W-2026-0774

Vulnerability from csaf_certbund - Published: 2026-03-17 23:00 - Updated: 2026-05-20 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.

Betroffene Betriebssysteme: - Linux

CVE-2025-71265

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2025-71266

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2025-71267

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23242

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23243

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23244

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23245

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23246

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23247

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

CVE-2026-23248

Affected products

Known affected 8 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—

References

51 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lore.kernel.org/linux-cve-announce/	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-…	external
https://docs.cloud.google.com/container-optimized…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-security-announce…	external
https://access.redhat.com/errata/RHSA-2026:13936	external
https://access.redhat.com/errata/RHSA-2026:14339	external
https://access.redhat.com/errata/RHSA-2026:14137	external
https://access.redhat.com/errata/RHSA-2026:15883	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://linux.oracle.com/errata/ELSA-2026-50261.html	external
https://linux.oracle.com/errata/ELSA-2026-50260.html	external
https://access.redhat.com/errata/RHSA-2026:18134	external
https://access.redhat.com/errata/RHSA-2026:19521	external
https://access.redhat.com/errata/RHSA-2026:18587	external
https://access.redhat.com/errata/RHSA-2026:19875	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service- Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0774 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0774.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0774 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0774"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-71265",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031813-CVE-2025-71265-00ce@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-71266",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71266-d35d@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-71267",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71267-2a56@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23242",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2026-23242-a8b5@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23243",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2026-23243-b88e@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23244",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23244-9738@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23245",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23245-ac26@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23246",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23246-d29e@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23247",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23247-07b3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23248",
        "url": "https://lore.kernel.org/linux-cve-announce/2026031818-CVE-2026-23248-d0e1@gregkh/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2026-115 vom 2026-04-01",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-115.html"
      },
      {
        "category": "external",
        "summary": "Container-Optimized OS release notes vom 2026-04-14",
        "url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#April_13_2026"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1342-1 vom 2026-04-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025348.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21123-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025421.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21129-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025416.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21131-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025414.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21114-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025429.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20572-1 vom 2026-04-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/STWYWECAV6YINBQYRNTOUWNIHBOUY3YT/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21230-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025560.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21237-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025557.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1557-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025570.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1574-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025600.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1575-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025599.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21255-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025583.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1563-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025575.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1573-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025596.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21241-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025595.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1606-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025614.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21352-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025751.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21361-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025743.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1643-1 vom 2026-04-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025762.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.15-2026-100 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-2026-100.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1668-1 vom 2026-05-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025791.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4561 vom 2026-05-02",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6243 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00154.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1661-1 vom 2026-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025787.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6238 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00148.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13936 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:13936"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14339 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14339"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14137 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14137"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:15883 vom 2026-05-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:15883"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1777-1 vom 2026-05-08",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025950.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50261 vom 2026-05-12",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50261.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50260 vom 2026-05-12",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50260.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18134 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:18134"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19521 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19521"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18587 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:18587"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19875 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19875"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:56:27.068+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0774",
      "initial_release_date": "2026-03-17T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-17T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-18T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-12809, EUVD-2026-12810, EUVD-2026-12811, EUVD-2026-12804, EUVD-2026-12805, EUVD-2026-12808, EUVD-2026-12801, EUVD-2025-208821, EUVD-2025-208819, EUVD-2025-208818"
        },
        {
          "date": "2026-04-01T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-19T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-21T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-22T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-29T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von SUSE und Debian aufgenommen"
        },
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat und SUSE aufgenommen"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "20"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T051879",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-71265",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2025-71265"
    },
    {
      "cve": "CVE-2025-71266",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2025-71266"
    },
    {
      "cve": "CVE-2025-71267",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2025-71267"
    },
    {
      "cve": "CVE-2026-23242",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23242"
    },
    {
      "cve": "CVE-2026-23243",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23243"
    },
    {
      "cve": "CVE-2026-23244",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23244"
    },
    {
      "cve": "CVE-2026-23245",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23245"
    },
    {
      "cve": "CVE-2026-23246",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23246"
    },
    {
      "cve": "CVE-2026-23247",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23247"
    },
    {
      "cve": "CVE-2026-23248",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T051879",
          "67646",
          "T027843",
          "398363",
          "T004914",
          "1607324"
        ]
      },
      "release_date": "2026-03-17T23:00:00.000+00:00",
      "title": "CVE-2026-23248"
    }
  ]
}

CVE-2025-71265 (GCVE-0-2025-71265)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 21:57

Title

fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata

Summary

In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop. This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/6f07a590616ff5f57…
https://git.kernel.org/stable/c/a89bc96d5abd8a4a8…
https://git.kernel.org/stable/c/af839013c70a24779…
https://git.kernel.org/stable/c/78b61f7eac37a6328…
https://git.kernel.org/stable/c/c0b43c45d45f59e7f…
https://git.kernel.org/stable/c/3c3a6e951b9b53dab…
https://git.kernel.org/stable/c/4b90f16e4bb5607fb…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 6f07a590616ff5f57f7c041d98e463fad9e9f763 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < a89bc96d5abd8a4a8d5d911884ea347efcdf460b (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < af839013c70a24779f9d1afb1575952009312d38 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 78b61f7eac37a63284774b147f38dd0be6cad43c (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < c0b43c45d45f59e7faad48675a50231a210c379b (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 3c3a6e951b9b53dab2ac460a655313cf04c4a10a (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 4b90f16e4bb5607fb35e7802eb67874038da4640 (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/attrib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f07a590616ff5f57f7c041d98e463fad9e9f763",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "a89bc96d5abd8a4a8d5d911884ea347efcdf460b",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "af839013c70a24779f9d1afb1575952009312d38",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "78b61f7eac37a63284774b147f38dd0be6cad43c",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "c0b43c45d45f59e7faad48675a50231a210c379b",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "3c3a6e951b9b53dab2ac460a655313cf04c4a10a",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "4b90f16e4bb5607fb35e7802eb67874038da4640",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/attrib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an attribute header\nindicates an empty run list, while directory entries reference it as\ncontaining actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way\nto represent an empty run list, and run_unpack() correctly handles this by\nchecking if evcn + 1 equals svcn and returning early without parsing any run\ndata. However, this creates a problem when there is metadata inconsistency,\nwhere the attribute header claims to be empty (evcn=-1) but the caller\nexpects to read actual data. When run_unpack() immediately returns success\nupon seeing this condition, it leaves the runs_tree uninitialized with\nrun-\u003eruns as a NULL. The calling function attr_load_runs_range() assumes\nthat a successful return means that the runs were loaded and sets clen to 0,\nexpecting the next run_lookup_entry() call to succeed. Because runs_tree\nremains uninitialized, run_lookup_entry() continues to fail, and the loop\nincrements vcn by zero (vcn += 0), leading to an infinite loop.\n\nThis patch adds a retry counter to detect when run_lookup_entry() fails\nconsecutively after attr_load_runs_vcn(). If the run is still not found on\nthe second attempt, it indicates corrupted metadata and returns -EINVAL,\npreventing the Denial-of-Service (DoS) vulnerability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:57:03.198Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f07a590616ff5f57f7c041d98e463fad9e9f763"
        },
        {
          "url": "https://git.kernel.org/stable/c/a89bc96d5abd8a4a8d5d911884ea347efcdf460b"
        },
        {
          "url": "https://git.kernel.org/stable/c/af839013c70a24779f9d1afb1575952009312d38"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b61f7eac37a63284774b147f38dd0be6cad43c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0b43c45d45f59e7faad48675a50231a210c379b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c3a6e951b9b53dab2ac460a655313cf04c4a10a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b90f16e4bb5607fb35e7802eb67874038da4640"
        }
      ],
      "title": "fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71265",
    "datePublished": "2026-03-18T10:05:01.779Z",
    "dateReserved": "2026-03-17T09:08:18.457Z",
    "dateUpdated": "2026-05-11T21:57:03.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71266 (GCVE-0-2025-71266)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 21:57

Title

fs: ntfs3: check return value of indx_find to avoid infinite loop

Summary

In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash. This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/14c3188afbedfd517…
https://git.kernel.org/stable/c/435d34719db0e130f…
https://git.kernel.org/stable/c/68e32694be231c1cd…
https://git.kernel.org/stable/c/398e768d1accd1f56…
https://git.kernel.org/stable/c/b0ea441f44ce64fa5…
https://git.kernel.org/stable/c/0ad7a1be44479503d…
https://git.kernel.org/stable/c/1732053c8a6b360e2…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 14c3188afbedfd5178bbabb8002487ea14b37b56 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 435d34719db0e130f6f0c621d67ed524cc1a7d10 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 68e32694be231c1cdb99b7637a657314e88e1a96 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 398e768d1accd1f5645492ab996005d7aa84a5b0 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < b0ea441f44ce64fa514a415d4a9e6e2b06e7946c (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 0ad7a1be44479503dbe5c699759861ef5b8bd70c (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 1732053c8a6b360e2d5afb1b34fe9779398b072c (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/index.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14c3188afbedfd5178bbabb8002487ea14b37b56",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "435d34719db0e130f6f0c621d67ed524cc1a7d10",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "68e32694be231c1cdb99b7637a657314e88e1a96",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "398e768d1accd1f5645492ab996005d7aa84a5b0",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "b0ea441f44ce64fa514a415d4a9e6e2b06e7946c",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "0ad7a1be44479503dbe5c699759861ef5b8bd70c",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "1732053c8a6b360e2d5afb1b34fe9779398b072c",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/index.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory\u0027s INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd-\u003enodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:57:04.405Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14c3188afbedfd5178bbabb8002487ea14b37b56"
        },
        {
          "url": "https://git.kernel.org/stable/c/435d34719db0e130f6f0c621d67ed524cc1a7d10"
        },
        {
          "url": "https://git.kernel.org/stable/c/68e32694be231c1cdb99b7637a657314e88e1a96"
        },
        {
          "url": "https://git.kernel.org/stable/c/398e768d1accd1f5645492ab996005d7aa84a5b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0ea441f44ce64fa514a415d4a9e6e2b06e7946c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ad7a1be44479503dbe5c699759861ef5b8bd70c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1732053c8a6b360e2d5afb1b34fe9779398b072c"
        }
      ],
      "title": "fs: ntfs3: check return value of indx_find to avoid infinite loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71266",
    "datePublished": "2026-03-18T10:05:02.997Z",
    "dateReserved": "2026-03-17T09:08:18.457Z",
    "dateUpdated": "2026-05-11T21:57:04.405Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71267 (GCVE-0-2025-71267)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 21:57

Title

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

Summary

In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread. This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/9267d99fade76d44d…
https://git.kernel.org/stable/c/976e6a7c51fabf150…
https://git.kernel.org/stable/c/8d8c70b57dbeda3eb…
https://git.kernel.org/stable/c/7ef219656febf5ae0…
https://git.kernel.org/stable/c/9779a6eaaabdf47aa…
https://git.kernel.org/stable/c/fd508939dbca5ecee…
https://git.kernel.org/stable/c/06909b2549d631a47…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 9267d99fade76d44d4a133599524031fe684156e (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 976e6a7c51fabf150478decbe8ef5d9a26039b7c (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 8d8c70b57dbeda3eb165c0940b97e85373ca9354 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 7ef219656febf5ae06ae56b1fce47ebd05f92b68 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 9779a6eaaabdf47aa57910d352b398ad742e6a5f (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < fd508939dbca5eceefb2d0c2564beb15469572f2 (git) Affected: be71b5cba2e6485e8959da7a9f9a44461a1bb074 , < 06909b2549d631a47fcda249d34be26f7ca1711d (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/attrlist.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9267d99fade76d44d4a133599524031fe684156e",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "976e6a7c51fabf150478decbe8ef5d9a26039b7c",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "8d8c70b57dbeda3eb165c0940b97e85373ca9354",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "7ef219656febf5ae06ae56b1fce47ebd05f92b68",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "9779a6eaaabdf47aa57910d352b398ad742e6a5f",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "fd508939dbca5eceefb2d0c2564beb15469572f2",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            },
            {
              "lessThan": "06909b2549d631a47fcda249d34be26f7ca1711d",
              "status": "affected",
              "version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/attrlist.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni-\u003eattr_list.size is zero, but ni-\u003eattr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:57:05.561Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e"
        },
        {
          "url": "https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68"
        },
        {
          "url": "https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d"
        }
      ],
      "title": "fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71267",
    "datePublished": "2026-03-18T10:05:04.008Z",
    "dateReserved": "2026-03-17T09:08:18.457Z",
    "dateUpdated": "2026-05-11T21:57:05.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23242 (GCVE-0-2026-23242)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

RDMA/siw: Fix potential NULL pointer dereference in header processing

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/ab61841633d10e56a…
https://git.kernel.org/stable/c/8564dcc12fbb372d9…
https://git.kernel.org/stable/c/ab957056192d6bd06…
https://git.kernel.org/stable/c/ffba40b6766356748…
https://git.kernel.org/stable/c/87b7a036d2c73d5bb…
https://git.kernel.org/stable/c/714c99e1dc8f85f44…
https://git.kernel.org/stable/c/ce025f7f5d0705961…
https://git.kernel.org/stable/c/14ab3da122bd18920…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < ab61841633d10e56a58c1493a262f0d02dba2f5e (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < 8564dcc12fbb372d984ab45768cae9335777b274 (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < ab957056192d6bd068b3759cb2077d859cca01f0 (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < ffba40b67663567481fa8a1ed5d2da36897c175d (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < 87b7a036d2c73d5bb3ae2d47dee23de465db3355 (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < 714c99e1dc8f85f446e05be02ba83972e981a817 (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < ce025f7f5d070596194315eb2e4e89d568b8a755 (git) Affected: 8b6a361b8c482f22ac99c3273285ff16b23fba91 , < 14ab3da122bd18920ad57428f6cf4fade8385142 (git)
Linux	Linux	Affected: 5.3 Unaffected: 0 , < 5.3 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw_qp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab61841633d10e56a58c1493a262f0d02dba2f5e",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "8564dcc12fbb372d984ab45768cae9335777b274",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "ab957056192d6bd068b3759cb2077d859cca01f0",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "ffba40b67663567481fa8a1ed5d2da36897c175d",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "87b7a036d2c73d5bb3ae2d47dee23de465db3355",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "714c99e1dc8f85f446e05be02ba83972e981a817",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "ce025f7f5d070596194315eb2e4e89d568b8a755",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            },
            {
              "lessThan": "14ab3da122bd18920ad57428f6cf4fade8385142",
              "status": "affected",
              "version": "8b6a361b8c482f22ac99c3273285ff16b23fba91",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw_qp_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix potential NULL pointer dereference in header processing\n\nIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),\nqp-\u003erx_fpdu can be NULL. The error path in siw_tcp_rx_data()\ndereferences qp-\u003erx_fpdu-\u003emore_ddp_segs without checking, which\nmay lead to a NULL pointer deref. Only check more_ddp_segs when\nrx_fpdu is present.\n\nKASAN splat:\n[  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]\n[  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:04.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab61841633d10e56a58c1493a262f0d02dba2f5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8564dcc12fbb372d984ab45768cae9335777b274"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab957056192d6bd068b3759cb2077d859cca01f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffba40b67663567481fa8a1ed5d2da36897c175d"
        },
        {
          "url": "https://git.kernel.org/stable/c/87b7a036d2c73d5bb3ae2d47dee23de465db3355"
        },
        {
          "url": "https://git.kernel.org/stable/c/714c99e1dc8f85f446e05be02ba83972e981a817"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce025f7f5d070596194315eb2e4e89d568b8a755"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ab3da122bd18920ad57428f6cf4fade8385142"
        }
      ],
      "title": "RDMA/siw: Fix potential NULL pointer dereference in header processing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23242",
    "datePublished": "2026-03-18T10:05:05.108Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:04.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23243 (GCVE-0-2026-23243)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

RDMA/umad: Reject negative data_len in ib_umad_write

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/1371ef6b1ecf3676b…
https://git.kernel.org/stable/c/362e45fd9069ffa15…
https://git.kernel.org/stable/c/6eb2919474ca105c5…
https://git.kernel.org/stable/c/a6a3e4af10993cb9e…
https://git.kernel.org/stable/c/9c80d688f402539df…
https://git.kernel.org/stable/c/205955f29c26330b1…
https://git.kernel.org/stable/c/52ab82cc5cf8ada5c…
https://git.kernel.org/stable/c/5551b02fdbfd85a32…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 1371ef6b1ecf3676b8942f5dfb3634fb0648128e (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 362e45fd9069ffa1523f9f1633b606ebf72060d7 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 6eb2919474ca105c5b13d19574e25f0ddcf19ca2 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 9c80d688f402539dfc8f336de1380d6b4ee14316 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 205955f29c26330b1dc7fdeadd5bb97c38e26f56 (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b (git) Affected: 2be8e3ee8efd6f99ce454115c29d09750915021a , < 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 (git)
Linux	Linux	Affected: 2.6.24 Unaffected: 0 , < 2.6.24 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/user_mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1371ef6b1ecf3676b8942f5dfb3634fb0648128e",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "362e45fd9069ffa1523f9f1633b606ebf72060d7",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "6eb2919474ca105c5b13d19574e25f0ddcf19ca2",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "9c80d688f402539dfc8f336de1380d6b4ee14316",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "205955f29c26330b1dc7fdeadd5bb97c38e26f56",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            },
            {
              "lessThan": "5551b02fdbfd85a325bb857f3a8f9c9f33397ed2",
              "status": "affected",
              "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/user_mad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:05.550Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"
        },
        {
          "url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"
        },
        {
          "url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"
        },
        {
          "url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"
        }
      ],
      "title": "RDMA/umad: Reject negative data_len in ib_umad_write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23243",
    "datePublished": "2026-03-18T10:05:05.826Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:05.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23244 (GCVE-0-2026-23244)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

nvme: fix memory allocation in nvme_pr_read_keys()

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme: fix memory allocation in nvme_pr_read_keys() nvme_pr_read_keys() takes num_keys from userspace and uses it to calculate the allocation size for rse via struct_size(). The upper limit is PR_KEYS_MAX (64K). A malicious or buggy userspace can pass a large num_keys value that results in a 4MB allocation attempt at most, causing a warning in the page allocator when the order exceeds MAX_PAGE_ORDER. To fix this, use kvzalloc() instead of kzalloc(). This bug has the same reasoning and fix with the patch below: https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/ Warning log: WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272 Modules linked in: CPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216 Code: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d RSP: 0018:ffffc90000fcf450 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0 RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0 RBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001 R10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000 R13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620 FS: 0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0 Call Trace: <TASK> alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486 alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557 ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598 __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629 __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245 blkdev_pr_read_keys block/ioctl.c:456 [inline] blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730 blkdev_ioctl+0x299/0x700 block/ioctl.c:786 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583 x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fb893d3108d Code: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d RDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001 </TASK>

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/e42ff5abbd1492755…
https://git.kernel.org/stable/c/15fb6d627484ee39e…
https://git.kernel.org/stable/c/5a501379a010690ae…
https://git.kernel.org/stable/c/baef52d80093bd686…
https://git.kernel.org/stable/c/c3320153769f05fd7…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 5fd96a4e15de8442915a912233d800c56f49001d , < e42ff5abbd14927553b624c0e06d24df76156fe6 (git) Affected: 5fd96a4e15de8442915a912233d800c56f49001d , < 15fb6d627484ee39ed73e202ef4720e1fa5c898e (git) Affected: 5fd96a4e15de8442915a912233d800c56f49001d , < 5a501379a010690ae9ae88bef62a1bae1aca32e6 (git) Affected: 5fd96a4e15de8442915a912233d800c56f49001d , < baef52d80093bd686e70b3cb7e0512a40ae76705 (git) Affected: 5fd96a4e15de8442915a912233d800c56f49001d , < c3320153769f05fd7fe9d840cb555dd3080ae424 (git)
Linux	Linux	Affected: 6.5 Unaffected: 0 , < 6.5 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e42ff5abbd14927553b624c0e06d24df76156fe6",
              "status": "affected",
              "version": "5fd96a4e15de8442915a912233d800c56f49001d",
              "versionType": "git"
            },
            {
              "lessThan": "15fb6d627484ee39ed73e202ef4720e1fa5c898e",
              "status": "affected",
              "version": "5fd96a4e15de8442915a912233d800c56f49001d",
              "versionType": "git"
            },
            {
              "lessThan": "5a501379a010690ae9ae88bef62a1bae1aca32e6",
              "status": "affected",
              "version": "5fd96a4e15de8442915a912233d800c56f49001d",
              "versionType": "git"
            },
            {
              "lessThan": "baef52d80093bd686e70b3cb7e0512a40ae76705",
              "status": "affected",
              "version": "5fd96a4e15de8442915a912233d800c56f49001d",
              "versionType": "git"
            },
            {
              "lessThan": "c3320153769f05fd7fe9d840cb555dd3080ae424",
              "status": "affected",
              "version": "5fd96a4e15de8442915a912233d800c56f49001d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix memory allocation in nvme_pr_read_keys()\n\nnvme_pr_read_keys() takes num_keys from userspace and uses it to\ncalculate the allocation size for rse via struct_size(). The upper\nlimit is PR_KEYS_MAX (64K).\n\nA malicious or buggy userspace can pass a large num_keys value that\nresults in a 4MB allocation attempt at most, causing a warning in\nthe page allocator when the order exceeds MAX_PAGE_ORDER.\n\nTo fix this, use kvzalloc() instead of kzalloc().\n\nThis bug has the same reasoning and fix with the patch below:\nhttps://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/\n\nWarning log:\nWARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272\nModules linked in:\nCPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216\nCode: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 \u003c0f\u003e 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d\nRSP: 0018:ffffc90000fcf450 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0\nRDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0\nRBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001\nR10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000\nR13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620\nFS:  0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486\n alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557\n ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598\n __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245\n blkdev_pr_read_keys block/ioctl.c:456 [inline]\n blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730\n blkdev_ioctl+0x299/0x700 block/ioctl.c:786\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583\n x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fb893d3108d\nCode: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d\nRDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003\nRBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:06.676Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e42ff5abbd14927553b624c0e06d24df76156fe6"
        },
        {
          "url": "https://git.kernel.org/stable/c/15fb6d627484ee39ed73e202ef4720e1fa5c898e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a501379a010690ae9ae88bef62a1bae1aca32e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/baef52d80093bd686e70b3cb7e0512a40ae76705"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3320153769f05fd7fe9d840cb555dd3080ae424"
        }
      ],
      "title": "nvme: fix memory allocation in nvme_pr_read_keys()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23244",
    "datePublished": "2026-03-18T10:05:06.534Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:06.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23245 (GCVE-0-2026-23245)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

net/sched: act_gate: snapshot parameters with RCU on replace

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/fc98fd8d214693be9…
https://git.kernel.org/stable/c/8b1251bbf0f10ac74…
https://git.kernel.org/stable/c/dfc314d7c767e350f…
https://git.kernel.org/stable/c/035d0d09d5ab3ed3e…
https://git.kernel.org/stable/c/04d75529dc0f9be78…
https://git.kernel.org/stable/c/58b162e318d0243ad…
https://git.kernel.org/stable/c/62413a9c3cb183afb…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: a51c328df3106663879645680609eb49b3ff6444 , < fc98fd8d214693be91253d9a88cdf8e5e143d124 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 8b1251bbf0f10ac745ed74bad4d3b433caa1eeae (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < dfc314d7c767e350f78a46a8f8b134f80e8ad432 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 035d0d09d5ab3ed3e93d18cde2b562a6719eea23 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 04d75529dc0f9be78786162ebab7424af4644df2 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 58b162e318d0243ad2d7d92456c0873f2494c351 (git) Affected: a51c328df3106663879645680609eb49b3ff6444 , < 62413a9c3cb183afb9bb6e94dd68caf4e4145f4c (git)
Linux	Linux	Affected: 5.8 Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.18 , ≤ 6.18.* (semver) Unaffected: 6.19.8 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/tc_act/tc_gate.h",
            "net/sched/act_gate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc98fd8d214693be91253d9a88cdf8e5e143d124",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "8b1251bbf0f10ac745ed74bad4d3b433caa1eeae",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "dfc314d7c767e350f78a46a8f8b134f80e8ad432",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "035d0d09d5ab3ed3e93d18cde2b562a6719eea23",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "04d75529dc0f9be78786162ebab7424af4644df2",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "58b162e318d0243ad2d7d92456c0873f2494c351",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            },
            {
              "lessThan": "62413a9c3cb183afb9bb6e94dd68caf4e4145f4c",
              "status": "affected",
              "version": "a51c328df3106663879645680609eb49b3ff6444",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/tc_act/tc_gate.h",
            "net/sched/act_gate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:07.821Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc98fd8d214693be91253d9a88cdf8e5e143d124"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"
        },
        {
          "url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"
        },
        {
          "url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"
        },
        {
          "url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"
        },
        {
          "url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"
        }
      ],
      "title": "net/sched: act_gate: snapshot parameters with RCU on replace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23245",
    "datePublished": "2026-03-18T10:05:07.406Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:07.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23246 (GCVE-0-2026-23246)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/650981e718e68005c…
https://git.kernel.org/stable/c/bfde158d5d1322c0c…
https://git.kernel.org/stable/c/f35ceec54d48e227f…
https://git.kernel.org/stable/c/d58d71c2167601762…
https://git.kernel.org/stable/c/162d331d833dc73a3…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c , < 650981e718e68005ca2760a6358134b8a98ebea4 (git) Affected: 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c , < bfde158d5d1322c0c2df398a8d1ccce04943be2e (git) Affected: 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c , < f35ceec54d48e227fa46f8f97fd100a77b8eab15 (git) Affected: 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c , < d58d71c2167601762351962b9604808d3be94400 (git) Affected: 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c , < 162d331d833dc73a3e905a24c44dd33732af1fc5 (git)
Linux	Linux	Affected: 6.5 Unaffected: 0 , < 6.5 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/mlme.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "650981e718e68005ca2760a6358134b8a98ebea4",
              "status": "affected",
              "version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c",
              "versionType": "git"
            },
            {
              "lessThan": "bfde158d5d1322c0c2df398a8d1ccce04943be2e",
              "status": "affected",
              "version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c",
              "versionType": "git"
            },
            {
              "lessThan": "f35ceec54d48e227fa46f8f97fd100a77b8eab15",
              "status": "affected",
              "version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c",
              "versionType": "git"
            },
            {
              "lessThan": "d58d71c2167601762351962b9604808d3be94400",
              "status": "affected",
              "version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c",
              "versionType": "git"
            },
            {
              "lessThan": "162d331d833dc73a3e905a24c44dd33732af1fc5",
              "status": "affected",
              "version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/mlme.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\n\nlink_id is taken from the ML Reconfiguration element (control \u0026 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id \u003e= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:08.962Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15"
        },
        {
          "url": "https://git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400"
        },
        {
          "url": "https://git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5"
        }
      ],
      "title": "wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23246",
    "datePublished": "2026-03-18T10:05:08.312Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:08.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23247 (GCVE-0-2026-23247)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-23 16:04

Title

tcp: secure_seq: add back ports to TS offset

Summary

In the Linux kernel, the following vulnerability has been resolved: tcp: secure_seq: add back ports to TS offset This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets") tcp_tw_recycle went away in 2017. Zhouyan Deng reported off-path TCP source port leakage via SYN cookie side-channel that can be fixed in multiple ways. One of them is to bring back TCP ports in TS offset randomization. As a bonus, we perform a single siphash() computation to provide both an ISN and a TS offset.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/eae2f14ab2efccdb7…
https://git.kernel.org/stable/c/46e5b0d7cf5582152…
https://git.kernel.org/stable/c/165573e41f2f66ef9…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < eae2f14ab2efccdb7480fae7d42c4b0116ef8805 (git) Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < 46e5b0d7cf55821527adea471ffe52a5afbd9caf (git) Affected: 28ee1b746f493b7c62347d714f58fbf4f70df4f0 , < 165573e41f2f66ef98940cf65f838b2cb575d9d1 (git) Affected: 443fac9f2618b93cbc5ab068dc594530236b3a23 (git) Affected: 4.10.14 , < 4.11 (semver)
Linux	Linux	Affected: 4.11 Unaffected: 0 , < 4.11 (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/secure_seq.h",
            "include/net/tcp.h",
            "net/core/secure_seq.c",
            "net/ipv4/syncookies.c",
            "net/ipv4/tcp_input.c",
            "net/ipv4/tcp_ipv4.c",
            "net/ipv6/syncookies.c",
            "net/ipv6/tcp_ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eae2f14ab2efccdb7480fae7d42c4b0116ef8805",
              "status": "affected",
              "version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
              "versionType": "git"
            },
            {
              "lessThan": "46e5b0d7cf55821527adea471ffe52a5afbd9caf",
              "status": "affected",
              "version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
              "versionType": "git"
            },
            {
              "lessThan": "165573e41f2f66ef98940cf65f838b2cb575d9d1",
              "status": "affected",
              "version": "28ee1b746f493b7c62347d714f58fbf4f70df4f0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "443fac9f2618b93cbc5ab068dc594530236b3a23",
              "versionType": "git"
            },
            {
              "lessThan": "4.11",
              "status": "affected",
              "version": "4.10.14",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/secure_seq.h",
            "include/net/tcp.h",
            "net/core/secure_seq.c",
            "net/ipv4/syncookies.c",
            "net/ipv4/tcp_input.c",
            "net/ipv4/tcp_ipv4.c",
            "net/ipv6/syncookies.c",
            "net/ipv6/tcp_ipv6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.10.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:20.827Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eae2f14ab2efccdb7480fae7d42c4b0116ef8805"
        },
        {
          "url": "https://git.kernel.org/stable/c/46e5b0d7cf55821527adea471ffe52a5afbd9caf"
        },
        {
          "url": "https://git.kernel.org/stable/c/165573e41f2f66ef98940cf65f838b2cb575d9d1"
        }
      ],
      "title": "tcp: secure_seq: add back ports to TS offset",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23247",
    "datePublished": "2026-03-18T10:05:09.353Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-23T16:04:20.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23248 (GCVE-0-2026-23248)

Vulnerability from cvelistv5 – Published: 2026-03-18 10:05 – Updated: 2026-05-11 22:03

Title

perf/core: Fix refcount bug and potential UAF in perf_mmap

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix refcount bug and potential UAF in perf_mmap Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap. The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection). In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range(). If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning. Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/c27dea9f50ed525fa…
https://git.kernel.org/stable/c/ac7ecb65af170a7fc…
https://git.kernel.org/stable/c/77de62ad3de396781…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b709eb872e19a19607bbb6d2975bc264d59735cf , < c27dea9f50ed525facb62ef647dddc4722456e07 (git) Affected: b709eb872e19a19607bbb6d2975bc264d59735cf , < ac7ecb65af170a7fc193e7bd8be15dac84ec6a56 (git) Affected: b709eb872e19a19607bbb6d2975bc264d59735cf , < 77de62ad3de3967818c3dbe656b7336ebee461d2 (git)
Linux	Linux	Affected: 6.14 Unaffected: 0 , < 6.14 (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c27dea9f50ed525facb62ef647dddc4722456e07",
              "status": "affected",
              "version": "b709eb872e19a19607bbb6d2975bc264d59735cf",
              "versionType": "git"
            },
            {
              "lessThan": "ac7ecb65af170a7fc193e7bd8be15dac84ec6a56",
              "status": "affected",
              "version": "b709eb872e19a19607bbb6d2975bc264d59735cf",
              "versionType": "git"
            },
            {
              "lessThan": "77de62ad3de3967818c3dbe656b7336ebee461d2",
              "status": "affected",
              "version": "b709eb872e19a19607bbb6d2975bc264d59735cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix refcount bug and potential UAF in perf_mmap\n\nSyzkaller reported a refcount_t: addition on 0; use-after-free warning\nin perf_mmap.\n\nThe issue is caused by a race condition between a failing mmap() setup\nand a concurrent mmap() on a dependent event (e.g., using output\nredirection).\n\nIn perf_mmap(), the ring_buffer (rb) is allocated and assigned to\nevent-\u003erb with the mmap_mutex held. The mutex is then released to\nperform map_range().\n\nIf map_range() fails, perf_mmap_close() is called to clean up.\nHowever, since the mutex was dropped, another thread attaching to\nthis event (via inherited events or output redirection) can acquire\nthe mutex, observe the valid event-\u003erb pointer, and attempt to\nincrement its reference count. If the cleanup path has already\ndropped the reference count to zero, this results in a\nuse-after-free or refcount saturation warning.\n\nFix this by extending the scope of mmap_mutex to cover the\nmap_range() call. This ensures that the ring buffer initialization\nand mapping (or cleanup on failure) happens atomically effectively,\npreventing other threads from accessing a half-initialized or\ndying ring buffer."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:11.269Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56"
        },
        {
          "url": "https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2"
        }
      ],
      "title": "perf/core: Fix refcount bug and potential UAF in perf_mmap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23248",
    "datePublished": "2026-03-18T10:05:10.070Z",
    "dateReserved": "2026-01-13T15:37:45.989Z",
    "dateUpdated": "2026-05-11T22:03:11.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0774

CVE-2025-71265 (GCVE-0-2025-71265)

CVE-2025-71266 (GCVE-0-2025-71266)

CVE-2025-71267 (GCVE-0-2025-71267)

CVE-2026-23242 (GCVE-0-2026-23242)

CVE-2026-23243 (GCVE-0-2026-23243)

CVE-2026-23244 (GCVE-0-2026-23244)

CVE-2026-23245 (GCVE-0-2026-23245)

CVE-2026-23246 (GCVE-0-2026-23246)

CVE-2026-23247 (GCVE-0-2026-23247)

CVE-2026-23248 (GCVE-0-2026-23248)

Tags

Sightings

Nomenclature