Look up vulnerable packages by Package URL.

Purl pkg:deb/debian/linux@6.19.14-1
Type deb
Namespace debian
Name linux
Version 6.19.14-1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 7.0-1~exp1
Latest_non_vulnerable_version 7.0-1~exp1
Affected_by_vulnerabilities
0
url VCID-dq8r-defv-hbg6
vulnerability_id VCID-dq8r-defv-hbg6
summary kernel: nvme: memory corruption via unprivileged user passthrough
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6238.json
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6238.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-6238
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03058
published_at 2026-04-24T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.02981
published_at 2026-04-02T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.02742
published_at 2026-04-16T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.02754
published_at 2026-04-18T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03063
published_at 2026-04-21T12:55:00Z
5
value 0.00015
scoring_system epss
scoring_elements 0.02996
published_at 2026-04-04T12:55:00Z
6
value 0.00015
scoring_system epss
scoring_elements 0.02785
published_at 2026-04-07T12:55:00Z
7
value 0.00015
scoring_system epss
scoring_elements 0.02789
published_at 2026-04-08T12:55:00Z
8
value 0.00015
scoring_system epss
scoring_elements 0.02809
published_at 2026-04-09T12:55:00Z
9
value 0.00015
scoring_system epss
scoring_elements 0.0278
published_at 2026-04-11T12:55:00Z
10
value 0.00015
scoring_system epss
scoring_elements 0.02761
published_at 2026-04-12T12:55:00Z
11
value 0.00015
scoring_system epss
scoring_elements 0.02757
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-6238
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2250834
reference_id 2250834
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:15:22Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2250834
4
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:6
reference_id cpe:/o:redhat:enterprise_linux:6
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:6
5
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7
reference_id cpe:/o:redhat:enterprise_linux:7
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8
reference_id cpe:/o:redhat:enterprise_linux:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9
reference_id cpe:/o:redhat:enterprise_linux:9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9
8
reference_url https://access.redhat.com/security/cve/CVE-2023-6238
reference_id CVE-2023-6238
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:15:22Z/
url https://access.redhat.com/security/cve/CVE-2023-6238
fixed_packages
0
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2023-6238
risk_score 3.0
exploitability 0.5
weighted_severity 6.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dq8r-defv-hbg6
1
url VCID-n59e-jkf6-13bf
vulnerability_id VCID-n59e-jkf6-13bf
summary kernel: ntfs3 local privilege escalation if NTFS character set and remount and umount called simultaneously
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3238.json
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3238.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-3238
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23708
published_at 2026-04-02T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23364
published_at 2026-04-24T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23577
published_at 2026-04-16T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23567
published_at 2026-04-18T12:55:00Z
4
value 0.0008
scoring_system epss
scoring_elements 0.23547
published_at 2026-04-21T12:55:00Z
5
value 0.0008
scoring_system epss
scoring_elements 0.23751
published_at 2026-04-04T12:55:00Z
6
value 0.0008
scoring_system epss
scoring_elements 0.23531
published_at 2026-04-07T12:55:00Z
7
value 0.0008
scoring_system epss
scoring_elements 0.23602
published_at 2026-04-08T12:55:00Z
8
value 0.0008
scoring_system epss
scoring_elements 0.23648
published_at 2026-04-09T12:55:00Z
9
value 0.0008
scoring_system epss
scoring_elements 0.23664
published_at 2026-04-11T12:55:00Z
10
value 0.0008
scoring_system epss
scoring_elements 0.23622
published_at 2026-04-12T12:55:00Z
11
value 0.0008
scoring_system epss
scoring_elements 0.23565
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-3238
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2127927
reference_id 2127927
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-01T13:32:12Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2127927
fixed_packages
0
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2022-3238
risk_score 3.5
exploitability 0.5
weighted_severity 7.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n59e-jkf6-13bf
2
url VCID-p3vt-v7gj-gqbc
vulnerability_id VCID-p3vt-v7gj-gqbc
summary kernel: io_uring: check if iowq is killed before queuing
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56709.json
reference_id
reference_type
scores
0
value 4.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56709.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-56709
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09479
published_at 2026-04-24T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09275
published_at 2026-04-18T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09424
published_at 2026-04-21T12:55:00Z
3
value 0.00037
scoring_system epss
scoring_elements 0.11039
published_at 2026-04-04T12:55:00Z
4
value 0.00037
scoring_system epss
scoring_elements 0.10939
published_at 2026-04-13T12:55:00Z
5
value 0.00037
scoring_system epss
scoring_elements 0.10993
published_at 2026-04-09T12:55:00Z
6
value 0.00037
scoring_system epss
scoring_elements 0.10994
published_at 2026-04-11T12:55:00Z
7
value 0.00037
scoring_system epss
scoring_elements 0.10962
published_at 2026-04-12T12:55:00Z
8
value 0.00037
scoring_system epss
scoring_elements 0.10803
published_at 2026-04-16T12:55:00Z
9
value 0.00037
scoring_system epss
scoring_elements 0.10863
published_at 2026-04-07T12:55:00Z
10
value 0.00037
scoring_system epss
scoring_elements 0.10977
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-56709
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56709
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56709
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2334795
reference_id 2334795
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2334795
5
reference_url https://access.redhat.com/errata/RHSA-2025:20518
reference_id RHSA-2025:20518
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20518
6
reference_url https://usn.ubuntu.com/7379-1/
reference_id USN-7379-1
reference_type
scores
url https://usn.ubuntu.com/7379-1/
7
reference_url https://usn.ubuntu.com/7379-2/
reference_id USN-7379-2
reference_type
scores
url https://usn.ubuntu.com/7379-2/
8
reference_url https://usn.ubuntu.com/7380-1/
reference_id USN-7380-1
reference_type
scores
url https://usn.ubuntu.com/7380-1/
9
reference_url https://usn.ubuntu.com/7381-1/
reference_id USN-7381-1
reference_type
scores
url https://usn.ubuntu.com/7381-1/
10
reference_url https://usn.ubuntu.com/7382-1/
reference_id USN-7382-1
reference_type
scores
url https://usn.ubuntu.com/7382-1/
11
reference_url https://usn.ubuntu.com/7513-1/
reference_id USN-7513-1
reference_type
scores
url https://usn.ubuntu.com/7513-1/
12
reference_url https://usn.ubuntu.com/7513-2/
reference_id USN-7513-2
reference_type
scores
url https://usn.ubuntu.com/7513-2/
13
reference_url https://usn.ubuntu.com/7513-3/
reference_id USN-7513-3
reference_type
scores
url https://usn.ubuntu.com/7513-3/
14
reference_url https://usn.ubuntu.com/7513-4/
reference_id USN-7513-4
reference_type
scores
url https://usn.ubuntu.com/7513-4/
15
reference_url https://usn.ubuntu.com/7513-5/
reference_id USN-7513-5
reference_type
scores
url https://usn.ubuntu.com/7513-5/
16
reference_url https://usn.ubuntu.com/7514-1/
reference_id USN-7514-1
reference_type
scores
url https://usn.ubuntu.com/7514-1/
17
reference_url https://usn.ubuntu.com/7515-1/
reference_id USN-7515-1
reference_type
scores
url https://usn.ubuntu.com/7515-1/
18
reference_url https://usn.ubuntu.com/7515-2/
reference_id USN-7515-2
reference_type
scores
url https://usn.ubuntu.com/7515-2/
19
reference_url https://usn.ubuntu.com/7522-1/
reference_id USN-7522-1
reference_type
scores
url https://usn.ubuntu.com/7522-1/
20
reference_url https://usn.ubuntu.com/7523-1/
reference_id USN-7523-1
reference_type
scores
url https://usn.ubuntu.com/7523-1/
21
reference_url https://usn.ubuntu.com/7524-1/
reference_id USN-7524-1
reference_type
scores
url https://usn.ubuntu.com/7524-1/
fixed_packages
0
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2024-56709
risk_score 2.0
exploitability 0.5
weighted_severity 4.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p3vt-v7gj-gqbc
Fixing_vulnerabilities
0
url VCID-11nd-2f5c-ybe1
vulnerability_id VCID-11nd-2f5c-ybe1
summary In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31613.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31613.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461480
reference_id 2461480
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461480
fixed_packages
0
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
1
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
2
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31613
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-11nd-2f5c-ybe1
1
url VCID-22zu-qy6y-aub1
vulnerability_id VCID-22zu-qy6y-aub1
summary In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In the as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, resulting in a race that leads to a use-after-free and a double free. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31578.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31578.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31578
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31578
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461576
reference_id 2461576
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461576
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31578
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-22zu-qy6y-aub1
2
url VCID-25at-2je8-2ufj
vulnerability_id VCID-25at-2je8-2ufj
summary In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31579.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31579.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31579
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31579
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461496
reference_id 2461496
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461496
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31579
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-25at-2je8-2ufj
3
url VCID-2cky-e16g-yqgf
vulnerability_id VCID-2cky-e16g-yqgf
summary In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic. ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault: BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31602.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31602.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31602
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31602
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461507
reference_id 2461507
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461507
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31602
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2cky-e16g-yqgf
4
url VCID-2dp8-mmkf-w7dx
vulnerability_id VCID-2dp8-mmkf-w7dx
summary In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31612.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31612.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461571
reference_id 2461571
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461571
fixed_packages
0
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
1
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
2
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31612
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2dp8-mmkf-w7dx
5
url VCID-31cj-5nhu-4qa9
vulnerability_id VCID-31cj-5nhu-4qa9
summary In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31615.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31615.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31615
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31615
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461475
reference_id 2461475
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461475
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31615
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-31cj-5nhu-4qa9
6
url VCID-3mhu-519z-pbck
vulnerability_id VCID-3mhu-519z-pbck
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31685
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31685
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31685
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3mhu-519z-pbck
7
url VCID-3qmn-b1w4-jkg4
vulnerability_id VCID-3qmn-b1w4-jkg4
summary In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31605.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31605.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31605
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31605
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461511
reference_id 2461511
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461511
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31605
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3qmn-b1w4-jkg4
8
url VCID-3r34-452w-skc2
vulnerability_id VCID-3r34-452w-skc2
summary In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as allowing userspace to manipulate and/or run a vCPU while its state is being synchronized would at best corrupt vCPU state, and at worst crash the host kernel. Opportunistically assert that vcpu->mutex is held when synchronizing its VMSA (the SEV-ES path already locks vCPUs).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31591.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31591.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31591
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31591
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461489
reference_id 2461489
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461489
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31591
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3r34-452w-skc2
9
url VCID-46pr-2cfb-mbhn
vulnerability_id VCID-46pr-2cfb-mbhn
summary In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free. Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31629.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31629.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31629
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31629
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461553
reference_id 2461553
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461553
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31629
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-46pr-2cfb-mbhn
10
url VCID-4e1f-qvnx-87fc
vulnerability_id VCID-4e1f-qvnx-87fc
summary In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock Take and hold kvm->lock for before checking sev_guest() in sev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock is held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't rollack state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add to a not-yet-initialized sev->regions_list, e.g. triggering a #GP Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83 Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00 RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256 RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000 RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000 R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000 R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000 FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0 Call Trace: <TASK> kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371 kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363 __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f34e9f7e9a9 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 
c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9 RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007 RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8 </TASK> with a syzlang reproducer that looks like: syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async) syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async) ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async) r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) close(r0) (async) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async) ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async) ioctl$KVM_RUN(r5, 0xae80, 0x0) Opportunistically use guard() to avoid having to define a new error label and goto usage.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31592.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31592.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31592
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31592
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461501
reference_id 2461501
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461501
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31592
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4e1f-qvnx-87fc
11
url VCID-4v3t-8s2w-rfbg
vulnerability_id VCID-4v3t-8s2w-rfbg
summary In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Use scratch field in MMIO fragment to hold small write values When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value. This fixes a class of use-after-free bugs that occur when the emulator initiates a write using an on-stack, local variable as the source, the write splits a page boundary, *and* both pages are MMIO pages. Because KVM's ABI only allows for physically contiguous MMIO requests, accesses that split MMIO pages are separated into two fragments, and are sent to userspace one at a time. When KVM attempts to complete userspace MMIO in response to KVM_RUN after the first fragment, KVM will detect the second fragment and generate a second userspace exit, and reference the on-stack variable. The issue is most visible if the second KVM_RUN is performed by a separate task, in which case the stack of the initiating task can show up as truly freed data. 
================================================================== BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420 Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984 CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0xbe/0xfd print_address_description.constprop.0+0x19/0x170 __kasan_report.cold+0x6c/0x84 kasan_report+0x3a/0x50 check_memory_region+0xfd/0x1f0 memcpy+0x20/0x60 complete_emulated_mmio+0x305/0x420 kvm_arch_vcpu_ioctl_run+0x63f/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscall_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 RIP: 0033:0x42477d Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720 The buggy address belongs to the page: page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37980: ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff ff ================================================================== The bug can also be reproduced with a targeted KVM-Unit-Test by hacking KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by overwriting the data value with garbage. Limit the use of the scratch fields to 8-byte or smaller accesses, and to just writes, as larger accesses and reads are not affected thanks to implementation details in the emulator, but add a sanity check to ensure those details don't change in the future. Specifically, KVM never uses on-stack variables for accesses larger than 8 bytes, e.g. uses an operand in the emulator context, and *al ---truncated---
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31588.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31588.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31588
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31588
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461458
reference_id 2461458
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461458
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31588
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4v3t-8s2w-rfbg
12
url VCID-5vkh-dbsm-vbgu
vulnerability_id VCID-5vkh-dbsm-vbgu
summary In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not release it on all probe errors (e.g. when descriptor parsing fails). Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31604.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31604.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31604
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31604
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461446
reference_id 2461446
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461446
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31604
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5vkh-dbsm-vbgu
13
url VCID-656s-tkaz-m7bj
vulnerability_id VCID-656s-tkaz-m7bj
summary In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU Reject synchronizing vCPU state to its associated VMSA if the vCPU has already been launched, i.e. if the VMSA has already been encrypted. On a host with SNP enabled, accessing guest-private memory generates an RMP #PF and panics the host. BUG: unable to handle page fault for address: ff1276cbfdf36000 #PF: supervisor write access in kernel mode #PF: error_code(0x80000003) - RMP violation PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163 SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f] Oops: Oops: 0003 [#1] SMP NOPTI CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023 RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd] Call Trace: <TASK> snp_launch_update_vmsa+0x19d/0x290 [kvm_amd] snp_launch_finish+0xb6/0x380 [kvm_amd] sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd] kvm_arch_vm_ioctl+0x837/0xcf0 [kvm] kvm_vm_ioctl+0x3fd/0xcc0 [kvm] __x64_sys_ioctl+0xa3/0x100 x64_sys_call+0xfe0/0x2350 do_syscall_64+0x81/0x10f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7ffff673287d </TASK> Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM: Provide support to launch and run an SEV-ES guest"), but has only been actively dangerous for the host since SNP support was added. With SEV-ES, KVM would "just" clobber guest state, which is totally fine from a host kernel perspective since userspace can clobber guest state any time before sev_launch_update_vmsa().
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31593.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31593.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31593
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31593
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461536
reference_id 2461536
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461536
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31593
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-656s-tkaz-m7bj
14
url VCID-6vtw-v3u5-buce
vulnerability_id VCID-6vtw-v3u5-buce
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31677
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31677
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31677
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6vtw-v3u5-buce
15
url VCID-878n-d9ss-rugc
vulnerability_id VCID-878n-d9ss-rugc
summary In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap. Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31616.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31616.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31616
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31616
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461529
reference_id 2461529
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461529
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31616
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-878n-d9ss-rugc
16
url VCID-8v51-tdqe-tbcp
vulnerability_id VCID-8v51-tdqe-tbcp
summary In the Linux kernel, the following vulnerability has been resolved: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free: BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385) ** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410") I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh (The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.) 
Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31586.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31586.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31586
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31586
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461465
reference_id 2461465
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461465
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31586
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8v51-tdqe-tbcp
17
url VCID-9bru-3rtm-sfey
vulnerability_id VCID-9bru-3rtm-sfey
summary In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0 A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configuration descriptors are not required to assign interface numbers sequentially, so usb_ifnum_to_if(dev, 0) will return NULL, which will then be dereferenced directly. Fix this up by checking the return value properly.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31620.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31620.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31620
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31620
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461469
reference_id 2461469
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461469
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31620
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9bru-3rtm-sfey
18
url VCID-9rrq-d3g4-jyfy
vulnerability_id VCID-9rrq-d3g4-jyfy
summary In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31609.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31609.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31609
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31609
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461442
reference_id 2461442
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461442
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31609
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9rrq-d3g4-jyfy
19
url VCID-9wsp-xbm7-yfb9
vulnerability_id VCID-9wsp-xbm7-yfb9
summary In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This is obviously unsafe and leads to behavior like oopses. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31606.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31606.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31606
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31606
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461524
reference_id 2461524
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461524
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31606
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9wsp-xbm7-yfb9
20
url VCID-a454-61sh-j7ay
vulnerability_id VCID-a454-61sh-j7ay
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31684
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31684
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31684
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a454-61sh-j7ay
21
url VCID-cc41-mkuk-2fgu
vulnerability_id VCID-cc41-mkuk-2fgu
summary In the Linux kernel, the following vulnerability has been resolved: mm: call ->free_folio() directly in folio_unmap_invalidate() We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops. Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31589
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31589
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31589
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cc41-mkuk-2fgu
22
url VCID-dq8r-defv-hbg6
vulnerability_id VCID-dq8r-defv-hbg6
summary kernel: nvme: memory corruption via unprivileged user passthrough
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6238.json
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6238.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-6238
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03058
published_at 2026-04-24T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.02981
published_at 2026-04-02T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.02742
published_at 2026-04-16T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.02754
published_at 2026-04-18T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03063
published_at 2026-04-21T12:55:00Z
5
value 0.00015
scoring_system epss
scoring_elements 0.02996
published_at 2026-04-04T12:55:00Z
6
value 0.00015
scoring_system epss
scoring_elements 0.02785
published_at 2026-04-07T12:55:00Z
7
value 0.00015
scoring_system epss
scoring_elements 0.02789
published_at 2026-04-08T12:55:00Z
8
value 0.00015
scoring_system epss
scoring_elements 0.02809
published_at 2026-04-09T12:55:00Z
9
value 0.00015
scoring_system epss
scoring_elements 0.0278
published_at 2026-04-11T12:55:00Z
10
value 0.00015
scoring_system epss
scoring_elements 0.02761
published_at 2026-04-12T12:55:00Z
11
value 0.00015
scoring_system epss
scoring_elements 0.02757
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-6238
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2250834
reference_id 2250834
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:15:22Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2250834
4
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:6
reference_id cpe:/o:redhat:enterprise_linux:6
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:6
5
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7
reference_id cpe:/o:redhat:enterprise_linux:7
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8
reference_id cpe:/o:redhat:enterprise_linux:8
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9
reference_id cpe:/o:redhat:enterprise_linux:9
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9
8
reference_url https://access.redhat.com/security/cve/CVE-2023-6238
reference_id CVE-2023-6238
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:15:22Z/
url https://access.redhat.com/security/cve/CVE-2023-6238
fixed_packages
0
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
1
url pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
purl pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1~bpo13%252B1
2
url pkg:deb/debian/linux@6.19.11-1
purl pkg:deb/debian/linux@6.19.11-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1g77-qwuy-nkg8
1
vulnerability VCID-1s77-djzb-xffp
2
vulnerability VCID-4jvb-unxd-3qg3
3
vulnerability VCID-5ahq-saw1-suf1
4
vulnerability VCID-94k1-ja9w-2fd2
5
vulnerability VCID-brte-gqy3-r3ax
6
vulnerability VCID-c7xf-x7d5-87gn
7
vulnerability VCID-dq8r-defv-hbg6
8
vulnerability VCID-fvvb-p7r7-zkbk
9
vulnerability VCID-gbkk-anun-a3ce
10
vulnerability VCID-n59e-jkf6-13bf
11
vulnerability VCID-p3vt-v7gj-gqbc
12
vulnerability VCID-p4by-fm53-yybk
13
vulnerability VCID-pmn9-t8by-myhb
14
vulnerability VCID-qsdm-cyzs-aufy
15
vulnerability VCID-texr-5weq-v3dw
16
vulnerability VCID-v813-y477-vkhn
17
vulnerability VCID-vzkt-5648-ukh7
18
vulnerability VCID-yqcj-27j2-tqb8
19
vulnerability VCID-zh73-s87g-vfff
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1
3
url pkg:deb/debian/linux@6.19.12-1
purl pkg:deb/debian/linux@6.19.12-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.12-1
4
url pkg:deb/debian/linux@6.19.13-1
purl pkg:deb/debian/linux@6.19.13-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11nd-2f5c-ybe1
1
vulnerability VCID-22zu-qy6y-aub1
2
vulnerability VCID-25at-2je8-2ufj
3
vulnerability VCID-2cky-e16g-yqgf
4
vulnerability VCID-2dp8-mmkf-w7dx
5
vulnerability VCID-31cj-5nhu-4qa9
6
vulnerability VCID-3mhu-519z-pbck
7
vulnerability VCID-3qmn-b1w4-jkg4
8
vulnerability VCID-3r34-452w-skc2
9
vulnerability VCID-46pr-2cfb-mbhn
10
vulnerability VCID-4e1f-qvnx-87fc
11
vulnerability VCID-4v3t-8s2w-rfbg
12
vulnerability VCID-5vkh-dbsm-vbgu
13
vulnerability VCID-656s-tkaz-m7bj
14
vulnerability VCID-6vtw-v3u5-buce
15
vulnerability VCID-878n-d9ss-rugc
16
vulnerability VCID-8v51-tdqe-tbcp
17
vulnerability VCID-9bru-3rtm-sfey
18
vulnerability VCID-9rrq-d3g4-jyfy
19
vulnerability VCID-9wsp-xbm7-yfb9
20
vulnerability VCID-a454-61sh-j7ay
21
vulnerability VCID-cc41-mkuk-2fgu
22
vulnerability VCID-dq8r-defv-hbg6
23
vulnerability VCID-dqu3-2d1w-bked
24
vulnerability VCID-dwp4-mc1w-4bcw
25
vulnerability VCID-emnd-q69n-a3fe
26
vulnerability VCID-euxu-gjpw-8yhs
27
vulnerability VCID-f5xb-v8j6-nye2
28
vulnerability VCID-fhfz-6h5m-hbed
29
vulnerability VCID-g9zj-fsa9-vkca
30
vulnerability VCID-gr5a-eqvx-n3ha
31
vulnerability VCID-hbnp-yx9t-bbfj
32
vulnerability VCID-hhxy-swz4-eqfy
33
vulnerability VCID-jset-t9qq-xfah
34
vulnerability VCID-jyxp-bjx8-kfbd
35
vulnerability VCID-ka1g-skuq-gqcs
36
vulnerability VCID-kvq6-38sd-77h7
37
vulnerability VCID-kw1q-k8cm-j7dj
38
vulnerability VCID-n59e-jkf6-13bf
39
vulnerability VCID-n99v-8wyx-a3cr
40
vulnerability VCID-nw2n-9b59-gbdm
41
vulnerability VCID-p1xn-hbgr-efby
42
vulnerability VCID-p3vt-v7gj-gqbc
43
vulnerability VCID-pest-xjma-sfbn
44
vulnerability VCID-pgrh-f1dv-27dh
45
vulnerability VCID-pj46-9jp7-33ha
46
vulnerability VCID-r4kz-m7m8-c3b2
47
vulnerability VCID-ruxz-24k9-sbcf
48
vulnerability VCID-sqkd-cwbk-tkec
49
vulnerability VCID-szq9-t587-83h2
50
vulnerability VCID-tafy-p8yj-ukdv
51
vulnerability VCID-than-1kz8-yucx
52
vulnerability VCID-tz5h-hd3e-rbbv
53
vulnerability VCID-uvrh-s5dy-puc5
54
vulnerability VCID-uyug-vjrw-87h6
55
vulnerability VCID-uzrt-axb3-qfcs
56
vulnerability VCID-vx8c-nssy-ubaj
57
vulnerability VCID-vzyy-16xe-qkgm
58
vulnerability VCID-w8d1-9zry-wydv
59
vulnerability VCID-wvu1-rfc1-zya9
60
vulnerability VCID-x9wt-jmne-vudk
61
vulnerability VCID-y54q-e569-p7cx
62
vulnerability VCID-yahm-29wh-z3e9
63
vulnerability VCID-yj9c-fda5-57g2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.13-1
5
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
6
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2023-6238
risk_score 3.0
exploitability 0.5
weighted_severity 6.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dq8r-defv-hbg6
23
url VCID-dqu3-2d1w-bked
vulnerability_id VCID-dqu3-2d1w-bked
summary In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31624.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31624.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31624
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31624
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461477
reference_id 2461477
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461477
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31624
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dqu3-2d1w-bked
24
url VCID-dwp4-mc1w-4bcw
vulnerability_id VCID-dwp4-mc1w-4bcw
summary In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen. Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31611.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31611.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461574
reference_id 2461574
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461574
fixed_packages
0
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
1
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
2
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31611
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dwp4-mc1w-4bcw
25
url VCID-emnd-q69n-a3fe
vulnerability_id VCID-emnd-q69n-a3fe
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31532.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31532.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31532
reference_id
reference_type
scores
0
value 0.00024
scoring_system epss
scoring_elements 0.06619
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31532
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31532
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31532
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461107
reference_id 2461107
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461107
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31532
risk_score 3.1
exploitability 0.5
weighted_severity 6.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-emnd-q69n-a3fe
26
url VCID-euxu-gjpw-8yhs
vulnerability_id VCID-euxu-gjpw-8yhs
summary In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by: - Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state. - Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device. - Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31582.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31582.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31582
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31582
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461538
reference_id 2461538
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461538
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31582
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-euxu-gjpw-8yhs
27
url VCID-f5xb-v8j6-nye2
vulnerability_id VCID-f5xb-v8j6-nye2
summary In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT. A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region. KASAN confirmed this with kernel 7.0.0-rc5: BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40) The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets. This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size. 
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit. Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31607.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31607.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31607
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31607
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461521
reference_id 2461521
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461521
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31607
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f5xb-v8j6-nye2
28
url VCID-fhfz-6h5m-hbed
vulnerability_id VCID-fhfz-6h5m-hbed
summary In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31575.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31575.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31575
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31575
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461557
reference_id 2461557
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461557
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31575
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fhfz-6h5m-hbed
29
url VCID-g9zj-fsa9-vkca
vulnerability_id VCID-g9zj-fsa9-vkca
summary In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely. The same underflow occurs in the datagram index checks against block_len - opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb. Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined. Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31617.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31617.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31617
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31617
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461448
reference_id 2461448
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461448
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31617
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g9zj-fsa9-vkca
30
url VCID-gr5a-eqvx-n3ha
vulnerability_id VCID-gr5a-eqvx-n3ha
summary In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Because sb_bio is embedded in struct cached_dev rather than allocated for each write, if the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch waits for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then told all the details to QWEN and adopted the modifications it made.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31580.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31580.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31580
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31580
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461464
reference_id 2461464
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461464
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31580
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gr5a-eqvx-n3ha
31
url VCID-hbnp-yx9t-bbfj
vulnerability_id VCID-hbnp-yx9t-bbfj
summary In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31625.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31625.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31625
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31625
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461470
reference_id 2461470
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461470
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31625
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hbnp-yx9t-bbfj
32
url VCID-hhxy-swz4-eqfy
vulnerability_id VCID-hhxy-swz4-eqfy
summary In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to perform later. This leads to an oops when .allow_link fails or when .drop_link is performed. The following is an example oops of the former case: Unable to handle kernel paging request at virtual address dead000000000108 [...] [dead000000000108] address between user and kernel address ranges Internal error: Oops: 0000000096000044 [#1] SMP [...] Call trace: pci_epc_remove_epf+0x78/0xe0 (P) pci_primary_epc_epf_link+0x88/0xa8 configfs_symlink+0x1f4/0x5a0 vfs_symlink+0x134/0x1d8 do_symlinkat+0x88/0x138 __arm64_sys_symlinkat+0x74/0xe0 [...] Remove the helper, and drop pci_epc_put(). EPC device refcounting is tied to the configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31594.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31594.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31594
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31594
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461523
reference_id 2461523
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461523
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31594
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hhxy-swz4-eqfy
33
url VCID-jset-t9qq-xfah
vulnerability_id VCID-jset-t9qq-xfah
summary In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego: if (conn->use_spnego && conn->mechToken) { kfree(conn->mechToken); conn->mechToken = NULL; } so the kfree is skipped, causing the mechToken to never be freed. This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated. Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31610.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31610.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461443
reference_id 2461443
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461443
fixed_packages
0
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
1
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
2
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31610
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jset-t9qq-xfah
34
url VCID-jyxp-bjx8-kfbd
vulnerability_id VCID-jyxp-bjx8-kfbd
summary In the Linux kernel, the following vulnerability has been resolved: arm64: mm: Handle invalid large leaf mappings correctly It has been possible for a long time to mark ptes in the linear map as invalid. This is done for secretmem, kfence, realm dma memory un/share, and others, by simply clearing the PTE_VALID bit. But until commit a166563e7ec37 ("arm64: mm: support large block mapping when rodata=full") large leaf mappings were never made invalid in this way. It turns out various parts of the code base are not equipped to handle invalid large leaf mappings (in the way they are currently encoded) and I've observed a kernel panic while booting a realm guest on a BBML2_NOABORT system as a result: [ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers [ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000 [ 15.513762] Mem abort info: [ 15.527245] ESR = 0x0000000096000046 [ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits [ 15.572146] SET = 0, FnV = 0 [ 15.592141] EA = 0, S1PTW = 0 [ 15.612694] FSC = 0x06: level 2 translation fault [ 15.640644] Data abort info: [ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 [ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000 [ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704 [ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP [ 15.886394] Modules linked in: [ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT [ 15.935258] Hardware name: linux,dummy-virt (DT) [ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c [ 16.006163] lr : swiotlb_bounce+0xf4/0x158 [ 16.024145] sp : ffff80008000b8f0 [ 16.038896] x29: ffff80008000b8f0 x28: 
0000000000000000 x27: 0000000000000000 [ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000 [ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0 [ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc [ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974 [ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018 [ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000 [ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000 [ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000 [ 16.349071] Call trace: [ 16.360143] __pi_memcpy_generic+0x128/0x22c (P) [ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4 [ 16.400282] swiotlb_map+0x5c/0x228 [ 16.415984] dma_map_phys+0x244/0x2b8 [ 16.432199] dma_map_page_attrs+0x44/0x58 [ 16.449782] virtqueue_map_page_attrs+0x38/0x44 [ 16.469596] virtqueue_map_single_attrs+0xc0/0x130 [ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc [ 16.510355] try_fill_recv+0x2a4/0x584 [ 16.526989] virtnet_open+0xd4/0x238 [ 16.542775] __dev_open+0x110/0x24c [ 16.558280] __dev_change_flags+0x194/0x20c [ 16.576879] netif_change_flags+0x24/0x6c [ 16.594489] dev_change_flags+0x48/0x7c [ 16.611462] ip_auto_config+0x258/0x1114 [ 16.628727] do_one_initcall+0x80/0x1c8 [ 16.645590] kernel_init_freeable+0x208/0x2f0 [ 16.664917] kernel_init+0x24/0x1e0 [ 16.680295] ret_from_fork+0x10/0x20 [ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c) [ 16.723106] ---[ end trace 0000000000000000 ]--- [ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000 ---truncated---
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31600.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31600.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31600
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31600
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461514
reference_id 2461514
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461514
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31600
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jyxp-bjx8-kfbd
35
url VCID-ka1g-skuq-gqcs
vulnerability_id VCID-ka1g-skuq-gqcs
summary In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dio_end_io_write ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key. Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): ocfs2_unlink ocfs2_prepare_orphan_dir ocfs2_lookup_lock_orphan_dir inode_lock(orphan_dir_inode) <- lock A __ocfs2_prepare_orphan_dir ocfs2_prepare_dir_for_insert ocfs2_extend_dir ocfs2_expand_inline_dir down_write(&oi->ip_alloc_sem) <- Lock B Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): ocfs2_dio_end_io_write down_write(&oi->ip_alloc_sem) <- Lock B ocfs2_del_inode_from_orphan() inode_lock(orphan_dir_inode) <- Lock A Deadlock Scenario: CPU0 (unlink) CPU1 (dio_end_io_write) ------ ------ inode_lock(orphan_dir_inode) down_write(ip_alloc_sem) down_write(ip_alloc_sem) inode_lock(orphan_dir_inode) ip_alloc_sem protects allocation changes, which are unrelated to the operations in ocfs2_del_inode_from_orphan, so move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31598.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31598.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31598
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31598
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461441
reference_id 2461441
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461441
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31598
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ka1g-skuq-gqcs
36
url VCID-kvq6-38sd-77h7
vulnerability_id VCID-kvq6-38sd-77h7
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31673
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31673
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31673
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kvq6-38sd-77h7
37
url VCID-kw1q-k8cm-j7dj
vulnerability_id VCID-kw1q-k8cm-j7dj
summary In the Linux kernel, the following vulnerability has been resolved: ocfs2: handle invalid dinode in ocfs2_group_extend [BUG] kernel BUG at fs/ocfs2/resize.c:308! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308 Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe Call Trace: ... ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... [CAUSE] ocfs2_group_extend() assumes that the global bitmap inode block returned from ocfs2_inode_lock() has already been validated and BUG_ONs when the signature is not a dinode. That assumption is too strong for crafted filesystems because the JBD2-managed buffer path can bypass structural validation and return an invalid dinode to the resize ioctl. [FIX] Validate the dinode explicitly in ocfs2_group_extend(). If the global bitmap buffer does not contain a valid dinode, report filesystem corruption with ocfs2_error() and fail the resize operation instead of crashing the kernel.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31596.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31596.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31596
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31596
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461550
reference_id 2461550
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461550
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31596
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kw1q-k8cm-j7dj
38
url VCID-n59e-jkf6-13bf
vulnerability_id VCID-n59e-jkf6-13bf
summary kernel: ntfs3 local privilege escalation if NTFS character set and remount and umount called simultaneously
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3238.json
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3238.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-3238
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23708
published_at 2026-04-02T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23364
published_at 2026-04-24T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23577
published_at 2026-04-16T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23567
published_at 2026-04-18T12:55:00Z
4
value 0.0008
scoring_system epss
scoring_elements 0.23547
published_at 2026-04-21T12:55:00Z
5
value 0.0008
scoring_system epss
scoring_elements 0.23751
published_at 2026-04-04T12:55:00Z
6
value 0.0008
scoring_system epss
scoring_elements 0.23531
published_at 2026-04-07T12:55:00Z
7
value 0.0008
scoring_system epss
scoring_elements 0.23602
published_at 2026-04-08T12:55:00Z
8
value 0.0008
scoring_system epss
scoring_elements 0.23648
published_at 2026-04-09T12:55:00Z
9
value 0.0008
scoring_system epss
scoring_elements 0.23664
published_at 2026-04-11T12:55:00Z
10
value 0.0008
scoring_system epss
scoring_elements 0.23622
published_at 2026-04-12T12:55:00Z
11
value 0.0008
scoring_system epss
scoring_elements 0.23565
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-3238
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2127927
reference_id 2127927
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-01T13:32:12Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2127927
fixed_packages
0
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
1
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
2
url pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
purl pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1~bpo13%252B1
3
url pkg:deb/debian/linux@6.19.11-1
purl pkg:deb/debian/linux@6.19.11-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1g77-qwuy-nkg8
1
vulnerability VCID-1s77-djzb-xffp
2
vulnerability VCID-4jvb-unxd-3qg3
3
vulnerability VCID-5ahq-saw1-suf1
4
vulnerability VCID-94k1-ja9w-2fd2
5
vulnerability VCID-brte-gqy3-r3ax
6
vulnerability VCID-c7xf-x7d5-87gn
7
vulnerability VCID-dq8r-defv-hbg6
8
vulnerability VCID-fvvb-p7r7-zkbk
9
vulnerability VCID-gbkk-anun-a3ce
10
vulnerability VCID-n59e-jkf6-13bf
11
vulnerability VCID-p3vt-v7gj-gqbc
12
vulnerability VCID-p4by-fm53-yybk
13
vulnerability VCID-pmn9-t8by-myhb
14
vulnerability VCID-qsdm-cyzs-aufy
15
vulnerability VCID-texr-5weq-v3dw
16
vulnerability VCID-v813-y477-vkhn
17
vulnerability VCID-vzkt-5648-ukh7
18
vulnerability VCID-yqcj-27j2-tqb8
19
vulnerability VCID-zh73-s87g-vfff
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1
4
url pkg:deb/debian/linux@6.19.12-1
purl pkg:deb/debian/linux@6.19.12-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.12-1
5
url pkg:deb/debian/linux@6.19.13-1
purl pkg:deb/debian/linux@6.19.13-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11nd-2f5c-ybe1
1
vulnerability VCID-22zu-qy6y-aub1
2
vulnerability VCID-25at-2je8-2ufj
3
vulnerability VCID-2cky-e16g-yqgf
4
vulnerability VCID-2dp8-mmkf-w7dx
5
vulnerability VCID-31cj-5nhu-4qa9
6
vulnerability VCID-3mhu-519z-pbck
7
vulnerability VCID-3qmn-b1w4-jkg4
8
vulnerability VCID-3r34-452w-skc2
9
vulnerability VCID-46pr-2cfb-mbhn
10
vulnerability VCID-4e1f-qvnx-87fc
11
vulnerability VCID-4v3t-8s2w-rfbg
12
vulnerability VCID-5vkh-dbsm-vbgu
13
vulnerability VCID-656s-tkaz-m7bj
14
vulnerability VCID-6vtw-v3u5-buce
15
vulnerability VCID-878n-d9ss-rugc
16
vulnerability VCID-8v51-tdqe-tbcp
17
vulnerability VCID-9bru-3rtm-sfey
18
vulnerability VCID-9rrq-d3g4-jyfy
19
vulnerability VCID-9wsp-xbm7-yfb9
20
vulnerability VCID-a454-61sh-j7ay
21
vulnerability VCID-cc41-mkuk-2fgu
22
vulnerability VCID-dq8r-defv-hbg6
23
vulnerability VCID-dqu3-2d1w-bked
24
vulnerability VCID-dwp4-mc1w-4bcw
25
vulnerability VCID-emnd-q69n-a3fe
26
vulnerability VCID-euxu-gjpw-8yhs
27
vulnerability VCID-f5xb-v8j6-nye2
28
vulnerability VCID-fhfz-6h5m-hbed
29
vulnerability VCID-g9zj-fsa9-vkca
30
vulnerability VCID-gr5a-eqvx-n3ha
31
vulnerability VCID-hbnp-yx9t-bbfj
32
vulnerability VCID-hhxy-swz4-eqfy
33
vulnerability VCID-jset-t9qq-xfah
34
vulnerability VCID-jyxp-bjx8-kfbd
35
vulnerability VCID-ka1g-skuq-gqcs
36
vulnerability VCID-kvq6-38sd-77h7
37
vulnerability VCID-kw1q-k8cm-j7dj
38
vulnerability VCID-n59e-jkf6-13bf
39
vulnerability VCID-n99v-8wyx-a3cr
40
vulnerability VCID-nw2n-9b59-gbdm
41
vulnerability VCID-p1xn-hbgr-efby
42
vulnerability VCID-p3vt-v7gj-gqbc
43
vulnerability VCID-pest-xjma-sfbn
44
vulnerability VCID-pgrh-f1dv-27dh
45
vulnerability VCID-pj46-9jp7-33ha
46
vulnerability VCID-r4kz-m7m8-c3b2
47
vulnerability VCID-ruxz-24k9-sbcf
48
vulnerability VCID-sqkd-cwbk-tkec
49
vulnerability VCID-szq9-t587-83h2
50
vulnerability VCID-tafy-p8yj-ukdv
51
vulnerability VCID-than-1kz8-yucx
52
vulnerability VCID-tz5h-hd3e-rbbv
53
vulnerability VCID-uvrh-s5dy-puc5
54
vulnerability VCID-uyug-vjrw-87h6
55
vulnerability VCID-uzrt-axb3-qfcs
56
vulnerability VCID-vx8c-nssy-ubaj
57
vulnerability VCID-vzyy-16xe-qkgm
58
vulnerability VCID-w8d1-9zry-wydv
59
vulnerability VCID-wvu1-rfc1-zya9
60
vulnerability VCID-x9wt-jmne-vudk
61
vulnerability VCID-y54q-e569-p7cx
62
vulnerability VCID-yahm-29wh-z3e9
63
vulnerability VCID-yj9c-fda5-57g2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.13-1
6
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
7
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2022-3238
risk_score 3.5
exploitability 0.5
weighted_severity 7.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n59e-jkf6-13bf
39
url VCID-n99v-8wyx-a3cr
vulnerability_id VCID-n99v-8wyx-a3cr
summary In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31581.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31581.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31581
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461471
reference_id 2461471
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461471
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31581
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n99v-8wyx-a3cr
40
url VCID-nw2n-9b59-gbdm
vulnerability_id VCID-nw2n-9b59-gbdm
summary In the Linux kernel, the following vulnerability has been resolved: vfio/xe: Reorganize the init to decouple migration from reset Attempting to issue reset on VF devices that don't support migration leads to the following: BUG: unable to handle page fault for address: 00000000000011f8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy) Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe] Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89 RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202 RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800 R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0 FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0 PKRU: 55555554 Call Trace: <TASK> xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci] pci_dev_restore+0x3b/0x80 pci_reset_function+0x109/0x140 reset_store+0x5c/0xb0 dev_attr_store+0x17/0x40 sysfs_kf_write+0x72/0x90 kernfs_fop_write_iter+0x161/0x1f0 vfs_write+0x261/0x440 ksys_write+0x69/0xf0 __x64_sys_write+0x19/0x30 x64_sys_call+0x259/0x26e0 do_syscall_64+0xcb/0x1500 ? __fput+0x1a2/0x2d0 ? fput_close_sync+0x3d/0xa0 ? __x64_sys_close+0x3e/0x90 ? 
x64_sys_call+0x1b7c/0x26e0 ? do_syscall_64+0x109/0x1500 ? __task_pid_nr_ns+0x68/0x100 ? __do_sys_getpid+0x1d/0x30 ? x64_sys_call+0x10b5/0x26e0 ? do_syscall_64+0x109/0x1500 ? putname+0x41/0x90 ? do_faccessat+0x1e8/0x300 ? __x64_sys_access+0x1c/0x30 ? x64_sys_call+0x1822/0x26e0 ? do_syscall_64+0x109/0x1500 ? tick_program_event+0x43/0xa0 ? hrtimer_interrupt+0x126/0x260 ? irqentry_exit+0xb2/0x710 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7877d5f1c5a4 Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4 RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009 RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007 R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9 R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0 </TASK> This is caused by the fact that some of the xe_vfio_pci_core_device members needed for handling reset are only initialized as part of migration init. Fix the problem by reorganizing the code to decouple VF init from migration init.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31601.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31601.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31601
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31601
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461513
reference_id 2461513
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461513
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31601
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nw2n-9b59-gbdm
41
url VCID-p1xn-hbgr-efby
vulnerability_id VCID-p1xn-hbgr-efby
summary In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map The DAT inode's btree node cache (i_assoc_inode) is initialized lazily during btree operations. However, nilfs_mdt_save_to_shadow_map() assumes i_assoc_inode is already initialized when copying dirty pages to the shadow map during GC. If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before any btree operation has occurred on the DAT inode, i_assoc_inode is NULL leading to a general protection fault. Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always initialized before any GC operation can use it.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31577.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31577.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31577
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461561
reference_id 2461561
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461561
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31577
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p1xn-hbgr-efby
42
url VCID-p3vt-v7gj-gqbc
vulnerability_id VCID-p3vt-v7gj-gqbc
summary kernel: io_uring: check if iowq is killed before queuing
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56709.json
reference_id
reference_type
scores
0
value 4.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56709.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-56709
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09479
published_at 2026-04-24T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09275
published_at 2026-04-18T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09424
published_at 2026-04-21T12:55:00Z
3
value 0.00037
scoring_system epss
scoring_elements 0.11039
published_at 2026-04-04T12:55:00Z
4
value 0.00037
scoring_system epss
scoring_elements 0.10939
published_at 2026-04-13T12:55:00Z
5
value 0.00037
scoring_system epss
scoring_elements 0.10993
published_at 2026-04-09T12:55:00Z
6
value 0.00037
scoring_system epss
scoring_elements 0.10994
published_at 2026-04-11T12:55:00Z
7
value 0.00037
scoring_system epss
scoring_elements 0.10962
published_at 2026-04-12T12:55:00Z
8
value 0.00037
scoring_system epss
scoring_elements 0.10803
published_at 2026-04-16T12:55:00Z
9
value 0.00037
scoring_system epss
scoring_elements 0.10863
published_at 2026-04-07T12:55:00Z
10
value 0.00037
scoring_system epss
scoring_elements 0.10977
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-56709
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56709
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56709
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2334795
reference_id 2334795
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2334795
5
reference_url https://access.redhat.com/errata/RHSA-2025:20518
reference_id RHSA-2025:20518
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20518
6
reference_url https://usn.ubuntu.com/7379-1/
reference_id USN-7379-1
reference_type
scores
url https://usn.ubuntu.com/7379-1/
7
reference_url https://usn.ubuntu.com/7379-2/
reference_id USN-7379-2
reference_type
scores
url https://usn.ubuntu.com/7379-2/
8
reference_url https://usn.ubuntu.com/7380-1/
reference_id USN-7380-1
reference_type
scores
url https://usn.ubuntu.com/7380-1/
9
reference_url https://usn.ubuntu.com/7381-1/
reference_id USN-7381-1
reference_type
scores
url https://usn.ubuntu.com/7381-1/
10
reference_url https://usn.ubuntu.com/7382-1/
reference_id USN-7382-1
reference_type
scores
url https://usn.ubuntu.com/7382-1/
11
reference_url https://usn.ubuntu.com/7513-1/
reference_id USN-7513-1
reference_type
scores
url https://usn.ubuntu.com/7513-1/
12
reference_url https://usn.ubuntu.com/7513-2/
reference_id USN-7513-2
reference_type
scores
url https://usn.ubuntu.com/7513-2/
13
reference_url https://usn.ubuntu.com/7513-3/
reference_id USN-7513-3
reference_type
scores
url https://usn.ubuntu.com/7513-3/
14
reference_url https://usn.ubuntu.com/7513-4/
reference_id USN-7513-4
reference_type
scores
url https://usn.ubuntu.com/7513-4/
15
reference_url https://usn.ubuntu.com/7513-5/
reference_id USN-7513-5
reference_type
scores
url https://usn.ubuntu.com/7513-5/
16
reference_url https://usn.ubuntu.com/7514-1/
reference_id USN-7514-1
reference_type
scores
url https://usn.ubuntu.com/7514-1/
17
reference_url https://usn.ubuntu.com/7515-1/
reference_id USN-7515-1
reference_type
scores
url https://usn.ubuntu.com/7515-1/
18
reference_url https://usn.ubuntu.com/7515-2/
reference_id USN-7515-2
reference_type
scores
url https://usn.ubuntu.com/7515-2/
19
reference_url https://usn.ubuntu.com/7522-1/
reference_id USN-7522-1
reference_type
scores
url https://usn.ubuntu.com/7522-1/
20
reference_url https://usn.ubuntu.com/7523-1/
reference_id USN-7523-1
reference_type
scores
url https://usn.ubuntu.com/7523-1/
21
reference_url https://usn.ubuntu.com/7524-1/
reference_id USN-7524-1
reference_type
scores
url https://usn.ubuntu.com/7524-1/
fixed_packages
0
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
1
url pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
purl pkg:deb/debian/linux@6.19.11-1~bpo13%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1~bpo13%252B1
2
url pkg:deb/debian/linux@6.19.11-1
purl pkg:deb/debian/linux@6.19.11-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1g77-qwuy-nkg8
1
vulnerability VCID-1s77-djzb-xffp
2
vulnerability VCID-4jvb-unxd-3qg3
3
vulnerability VCID-5ahq-saw1-suf1
4
vulnerability VCID-94k1-ja9w-2fd2
5
vulnerability VCID-brte-gqy3-r3ax
6
vulnerability VCID-c7xf-x7d5-87gn
7
vulnerability VCID-dq8r-defv-hbg6
8
vulnerability VCID-fvvb-p7r7-zkbk
9
vulnerability VCID-gbkk-anun-a3ce
10
vulnerability VCID-n59e-jkf6-13bf
11
vulnerability VCID-p3vt-v7gj-gqbc
12
vulnerability VCID-p4by-fm53-yybk
13
vulnerability VCID-pmn9-t8by-myhb
14
vulnerability VCID-qsdm-cyzs-aufy
15
vulnerability VCID-texr-5weq-v3dw
16
vulnerability VCID-v813-y477-vkhn
17
vulnerability VCID-vzkt-5648-ukh7
18
vulnerability VCID-yqcj-27j2-tqb8
19
vulnerability VCID-zh73-s87g-vfff
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.11-1
3
url pkg:deb/debian/linux@6.19.12-1
purl pkg:deb/debian/linux@6.19.12-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.12-1
4
url pkg:deb/debian/linux@6.19.13-1
purl pkg:deb/debian/linux@6.19.13-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11nd-2f5c-ybe1
1
vulnerability VCID-22zu-qy6y-aub1
2
vulnerability VCID-25at-2je8-2ufj
3
vulnerability VCID-2cky-e16g-yqgf
4
vulnerability VCID-2dp8-mmkf-w7dx
5
vulnerability VCID-31cj-5nhu-4qa9
6
vulnerability VCID-3mhu-519z-pbck
7
vulnerability VCID-3qmn-b1w4-jkg4
8
vulnerability VCID-3r34-452w-skc2
9
vulnerability VCID-46pr-2cfb-mbhn
10
vulnerability VCID-4e1f-qvnx-87fc
11
vulnerability VCID-4v3t-8s2w-rfbg
12
vulnerability VCID-5vkh-dbsm-vbgu
13
vulnerability VCID-656s-tkaz-m7bj
14
vulnerability VCID-6vtw-v3u5-buce
15
vulnerability VCID-878n-d9ss-rugc
16
vulnerability VCID-8v51-tdqe-tbcp
17
vulnerability VCID-9bru-3rtm-sfey
18
vulnerability VCID-9rrq-d3g4-jyfy
19
vulnerability VCID-9wsp-xbm7-yfb9
20
vulnerability VCID-a454-61sh-j7ay
21
vulnerability VCID-cc41-mkuk-2fgu
22
vulnerability VCID-dq8r-defv-hbg6
23
vulnerability VCID-dqu3-2d1w-bked
24
vulnerability VCID-dwp4-mc1w-4bcw
25
vulnerability VCID-emnd-q69n-a3fe
26
vulnerability VCID-euxu-gjpw-8yhs
27
vulnerability VCID-f5xb-v8j6-nye2
28
vulnerability VCID-fhfz-6h5m-hbed
29
vulnerability VCID-g9zj-fsa9-vkca
30
vulnerability VCID-gr5a-eqvx-n3ha
31
vulnerability VCID-hbnp-yx9t-bbfj
32
vulnerability VCID-hhxy-swz4-eqfy
33
vulnerability VCID-jset-t9qq-xfah
34
vulnerability VCID-jyxp-bjx8-kfbd
35
vulnerability VCID-ka1g-skuq-gqcs
36
vulnerability VCID-kvq6-38sd-77h7
37
vulnerability VCID-kw1q-k8cm-j7dj
38
vulnerability VCID-n59e-jkf6-13bf
39
vulnerability VCID-n99v-8wyx-a3cr
40
vulnerability VCID-nw2n-9b59-gbdm
41
vulnerability VCID-p1xn-hbgr-efby
42
vulnerability VCID-p3vt-v7gj-gqbc
43
vulnerability VCID-pest-xjma-sfbn
44
vulnerability VCID-pgrh-f1dv-27dh
45
vulnerability VCID-pj46-9jp7-33ha
46
vulnerability VCID-r4kz-m7m8-c3b2
47
vulnerability VCID-ruxz-24k9-sbcf
48
vulnerability VCID-sqkd-cwbk-tkec
49
vulnerability VCID-szq9-t587-83h2
50
vulnerability VCID-tafy-p8yj-ukdv
51
vulnerability VCID-than-1kz8-yucx
52
vulnerability VCID-tz5h-hd3e-rbbv
53
vulnerability VCID-uvrh-s5dy-puc5
54
vulnerability VCID-uyug-vjrw-87h6
55
vulnerability VCID-uzrt-axb3-qfcs
56
vulnerability VCID-vx8c-nssy-ubaj
57
vulnerability VCID-vzyy-16xe-qkgm
58
vulnerability VCID-w8d1-9zry-wydv
59
vulnerability VCID-wvu1-rfc1-zya9
60
vulnerability VCID-x9wt-jmne-vudk
61
vulnerability VCID-y54q-e569-p7cx
62
vulnerability VCID-yahm-29wh-z3e9
63
vulnerability VCID-yj9c-fda5-57g2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.13-1
5
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
6
url pkg:deb/debian/linux@7.0-1~exp1
purl pkg:deb/debian/linux@7.0-1~exp1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@7.0-1~exp1
aliases CVE-2024-56709
risk_score 2.0
exploitability 0.5
weighted_severity 4.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p3vt-v7gj-gqbc
43
url VCID-pest-xjma-sfbn
vulnerability_id VCID-pest-xjma-sfbn
summary In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL. Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31583.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31583.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31583
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31583
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461487
reference_id 2461487
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461487
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31583
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pest-xjma-sfbn
44
url VCID-pgrh-f1dv-27dh
vulnerability_id VCID-pgrh-f1dv-27dh
summary In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup Disable the delayed work before clearing BAR mappings and doorbells to avoid running the handler after resources have been torn down. Unable to handle kernel paging request at virtual address ffff800083f46004 [...] Internal error: Oops: 0000000096000007 [#1] SMP [...] Call trace: epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P) process_one_work+0x154/0x3b0 worker_thread+0x2c8/0x400 kthread+0x148/0x210 ret_from_fork+0x10/0x20
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31595.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31595.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31595
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31595
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461455
reference_id 2461455
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461455
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31595
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pgrh-f1dv-27dh
45
url VCID-pj46-9jp7-33ha
vulnerability_id VCID-pj46-9jp7-33ha
summary In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections syzbot reported a general protection fault in vidtv_psi_desc_assign [1]. vidtv_psi_pmt_stream_init() can return NULL on memory allocation failure, but vidtv_channel_pmt_match_sections() does not check for this. When tail is NULL, the subsequent call to vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL pointer offset, causing a general protection fault. Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean up the already-allocated stream chain and return. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629 Call Trace: <TASK> vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline] vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479 vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31599.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31599.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31599
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31599
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461461
reference_id 2461461
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461461
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31599
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pj46-9jp7-33ha
46
url VCID-r4kz-m7m8-c3b2
vulnerability_id VCID-r4kz-m7m8-c3b2
summary In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31627.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31627.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31627
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31627
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461439
reference_id 2461439
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461439
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31627
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r4kz-m7m8-c3b2
47
url VCID-ruxz-24k9-sbcf
vulnerability_id VCID-ruxz-24k9-sbcf
summary In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx driver.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31623.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31623.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31623
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31623
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461478
reference_id 2461478
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461478
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31623
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ruxz-24k9-sbcf
48
url VCID-sqkd-cwbk-tkec
vulnerability_id VCID-sqkd-cwbk-tkec
summary In the Linux kernel, the following vulnerability has been resolved: staging: sm750fb: fix division by zero in ps_to_hz() ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO causes a division by zero. Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent with other framebuffer drivers.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31603.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31603.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31603
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31603
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461450
reference_id 2461450
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461450
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31603
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sqkd-cwbk-tkec
49
url VCID-szq9-t587-83h2
vulnerability_id VCID-szq9-t587-83h2
summary In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31608.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31608.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31608
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31608
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461452
reference_id 2461452
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461452
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31608
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-szq9-t587-83h2
50
url VCID-tafy-p8yj-ukdv
vulnerability_id VCID-tafy-p8yj-ukdv
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31531.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31531.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31531
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.0117
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31531
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31531
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31531
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461108
reference_id 2461108
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461108
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31531
risk_score 2.5
exploitability 0.5
weighted_severity 5.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tafy-p8yj-ukdv
51
url VCID-than-1kz8-yucx
vulnerability_id VCID-than-1kz8-yucx
summary In the Linux kernel, the following vulnerability has been resolved: bnge: return after auxiliary_device_uninit() in error path When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error. Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31621.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31621.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31621
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31621
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461531
reference_id 2461531
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461531
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31621
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-than-1kz8-yucx
52
url VCID-tz5h-hd3e-rbbv
vulnerability_id VCID-tz5h-hd3e-rbbv
summary In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31597.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31597.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31597
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31597
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461484
reference_id 2461484
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461484
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31597
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tz5h-hd3e-rbbv
53
url VCID-uvrh-s5dy-puc5
vulnerability_id VCID-uvrh-s5dy-puc5
summary In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm: move component registration to unmanaged version q6apm component registers dais dynamically from ASoC topology, which are allocated using device managed version apis. Allocating both component and dynamic dais using managed version could lead to incorrect free ordering: the dai will be freed while the component is still holding references to it. Fix this issue by moving component to unmanaged version so that the dai pointers are only freed after the component is removed. ================================================================== BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426 Tainted: [W]=WARN Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024 Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] Call trace: show_stack+0x28/0x7c (C) dump_stack_lvl+0x60/0x80 print_report+0x160/0x4b4 kasan_report+0xac/0xfc __asan_report_load8_noabort+0x20/0x34 snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core] devm_component_release+0x30/0x5c [snd_soc_core] devres_release_all+0x13c/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Allocated by task 77: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x44/0x58 __kasan_kmalloc+0xbc/0xdc __kmalloc_node_track_caller_noprof+0x1f4/0x620 devm_kmalloc+0x7c/0x1c8 snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core] snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core] audioreach_tplg_init+0x124/0x1fc [snd_q6apm] q6apm_audio_probe+0x10/0x1c [snd_q6apm] snd_soc_component_probe+0x5c/0x118 [snd_soc_core] soc_probe_component+0x44c/0xaf0 [snd_soc_core] snd_soc_bind_card+0xad0/0x2370 [snd_soc_core] snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core] devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core] x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100] platform_probe+0xc0/0x188 really_probe+0x188/0x804 __driver_probe_device+0x158/0x358 driver_probe_device+0x60/0x190 __device_attach_driver+0x16c/0x2a8 bus_for_each_drv+0x100/0x194 __device_attach+0x174/0x380 device_initial_probe+0x14/0x20 bus_probe_device+0x124/0x154 deferred_probe_work_func+0x140/0x220 process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Freed by task 3426: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 __kasan_save_free_info+0x4c/0x80 __kasan_slab_free+0x78/0xa0 kfree+0x100/0x4a4 devres_release_all+0x144/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31587.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31587.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31587
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31587
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461505
reference_id 2461505
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461505
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31587
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uvrh-s5dy-puc5
54
url VCID-uyug-vjrw-87h6
vulnerability_id VCID-uyug-vjrw-87h6
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31681
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31681
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31681
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uyug-vjrw-87h6
55
url VCID-uzrt-axb3-qfcs
vulnerability_id VCID-uzrt-axb3-qfcs
summary In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized: drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) Initializing the variable at the start of the function fixes this warning and ensures predictable behavior.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31626.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31626.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31626
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31626
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461466
reference_id 2461466
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461466
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31626
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uzrt-axb3-qfcs
56
url VCID-vx8c-nssy-ubaj
vulnerability_id VCID-vx8c-nssy-ubaj
summary In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31618.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31618.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31618
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31618
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461563
reference_id 2461563
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461563
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31618
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vx8c-nssy-ubaj
57
url VCID-vzyy-16xe-qkgm
vulnerability_id VCID-vzyy-16xe-qkgm
summary In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In the hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open — and any in-flight I/O — do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered the device leads to a use-after-free race, since those already-open handles have not been released yet. And since release() frees the memory too, both use-after-free and double-free races can occur. To prevent this, once the device has been registered in probe(), its memory should be freed only through release() rather than by calling kfree() directly.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31576.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31576.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31576
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461445
reference_id 2461445
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461445
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31576
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vzyy-16xe-qkgm
58
url VCID-w8d1-9zry-wydv
vulnerability_id VCID-w8d1-9zry-wydv
summary In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed. Race condition:
    CPU 0 (release path)                CPU 1 (workqueue)
    ---------------------               ------------------
    fops_vcodec_release()
    v4l2_m2m_ctx_release()
    v4l2_m2m_cancel_job()
    // waits for m2m job "done"
                                        mtk_venc_worker()
                                        v4l2_m2m_job_finish()
                                        // m2m job "done"
                                        // BUT worker still running!
                                        // post-job_finish access:
                                        other ctx dereferences
                                        // UAF if ctx already freed
    // returns (job "done")
    kfree(ctx) // ctx freed
Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle. After v4l2_m2m_job_finish() is called, the m2m framework considers the job complete and v4l2_m2m_ctx_release() returns, but the worker function continues executing and may still access ctx. The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work) The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx fields even after calling v4l2_m2m_job_finish(). This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window. KASAN detected:
    BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180
    Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12
    Workqueue: mtk_vcodec_enc_wq mtk_venc_worker
    Allocated by task 47:
    __kasan_kmalloc+0x7f/0x90
    fops_vcodec_open+0x85/0x1a0
    Freed by task 47:
    __kasan_slab_free+0x43/0x70
    kfree+0xee/0x3a0
    fops_vcodec_release+0xb7/0x190
Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).
This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed. Placement rationale: The fix is placed after v4l2_ctrl_handler_free() and before list_del_init(&ctx->list). At this point, all m2m operations are done (v4l2_m2m_ctx_release() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during device_run() operations.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31584.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31584.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31584
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31584
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461436
reference_id 2461436
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461436
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31584
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w8d1-9zry-wydv
59
url VCID-wvu1-rfc1-zya9
vulnerability_id VCID-wvu1-rfc1-zya9
summary In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31619.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31619.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31619
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31619
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461495
reference_id 2461495
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461495
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31619
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wvu1-rfc1-zya9
60
url VCID-x9wt-jmne-vudk
vulnerability_id VCID-x9wt-jmne-vudk
summary In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Drop the WARN in sev_pin_memory() on npages overflowing an int, as the WARN is comically trivial to trigger from userspace, e.g. by doing: struct kvm_enc_region range = { .addr = 0, .size = -1ul, }; __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range); Note, the checks in sev_mem_enc_register_region() that presumably exist to verify the incoming address+size are completely worthless, as both "addr" and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater than ULONG_MAX. That wart will be cleaned up in the near future. if (range->addr > ULONG_MAX || range->size > ULONG_MAX) return -EINVAL; Opportunistically add a comment to explain why the code calculates the number of pages the "hard" way, e.g. instead of just shifting @ulen.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31590.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31590.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31590
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31590
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461540
reference_id 2461540
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461540
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31590
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x9wt-jmne-vudk
61
url VCID-y54q-e569-p7cx
vulnerability_id VCID-y54q-e569-p7cx
summary In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round. Fix this by rejecting the response when the accumulated UID would exceed the buffer. Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31622.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31622.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31622
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31622
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461459
reference_id 2461459
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461459
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31622
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y54q-e569-p7cx
62
url VCID-yahm-29wh-z3e9
vulnerability_id VCID-yahm-29wh-z3e9
summary In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31614.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31614.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461494
reference_id 2461494
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461494
fixed_packages
0
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
1
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31614
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yahm-29wh-z3e9
63
url VCID-yj9c-fda5-57g2
vulnerability_id VCID-yj9c-fda5-57g2
summary In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix nfeeds state corruption on start_streaming failure syzbot reported a memory leak in vidtv_psi_service_desc_init [1]. When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream. This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early. Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.
[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  backtrace (crc 90a0c7d4):
    vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31585.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31585.json
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31585
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31585
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461578
reference_id 2461578
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461578
fixed_packages
0
url pkg:deb/debian/linux@6.1.4-1
purl pkg:deb/debian/linux@6.1.4-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.4-1
1
url pkg:deb/debian/linux@6.1.162-1
purl pkg:deb/debian/linux@6.1.162-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.1.162-1
2
url pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
purl pkg:deb/debian/linux@6.12.74-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.12.74-2~bpo12%252B1
3
url pkg:deb/debian/linux@6.19.14-1
purl pkg:deb/debian/linux@6.19.14-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dq8r-defv-hbg6
1
vulnerability VCID-n59e-jkf6-13bf
2
vulnerability VCID-p3vt-v7gj-gqbc
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1
aliases CVE-2026-31585
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yj9c-fda5-57g2
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/linux@6.19.14-1